Re: Help needed - JPA problem - No connection specified with project

2017-09-22 Thread Karen Goh
Hi all,

My apologies, my Tomcat server version is Apache Tomcat 8.0.29 Server.
The JDK is 1.8

Hope to get some advice on what went wrong in regards to the "No connection
specified with project" error.

Tks & rgds,
Karen

On Fri, 9/22/17, Konstantin Kolinko wrote:

 Subject: Re: Help needed - JPA problem - No connection specified with project
 To: "Tomcat Users List", "Karen Goh"
 Date: Friday, September 22, 2017, 10:00 PM

 2017-09-22 13:35 GMT+03:00 Karen Goh :
 > Hi expert,
 >
 > I have been trying very hard to nail the above problem including asking
 > various forums like CodeRanch, dream in code etc but to no avail.
 >
 > As such, I am hoping to get help from the Apache Tomcat user support.
 >
 > Tools and setting : Eclipse Mars, Tomcat 1.8, MySQL, OS : Windows 7, Maven,
 > Java JPA with Hibernate framework 5.1.0

 There is no such version as "Tomcat 1.8". I assume that you meant some
 version of Tomcat 8.0.x.

 > The MySQL setting is confirmed correct, as I have managed to insert the data
 > via single JDBC connection.
 >
 > Project summary : J2ee servlet with JSP, Java JPA in Hibernate framework.
 > (Hibernate is for pure insertion of data - many to many relationship)
 >
 > My purpose is to get the JNDI datasource working but till now I just can't
 > get it to work.
 >
 > Here's my context.xml :
 >
 >
 > name="jdbc/hi5"
 > auth="Container"
 > type="javax.sql.DataSource"
 > maxTotal="8"
 > maxActive="100"
 > maxIdle="30"
 > maxWait="-1"
 > username="root"
 > singleton="true"
 > override="true"
 > factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
 > password="password"
 > alternateUsernameAllowed="true"
 > driverClassName="com.mysql.jdbc.Driver"
 > url="jdbc:mysql://localhost:3306/hi5" />
 >

 The META-INF/context.xml file of a web application must have only one
 of  elements with the same value of "name" attribute.

 If you have a ResourceLink in context.xml, it means that your Resource
 element must go into GlobalNamingResources element of conf/server.xml
 file.
 http://tomcat.apache.org/tomcat-8.5-doc/config/globalresources.html

 BTW, you should not modify conf/context.xml file. It is the defaults
 file shared by all web applications. (Modifying it is a common
 configuration mistake).

 Best regards,
 Konstantin Kolinko
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 
 




publishing tomcat server as maven artifact

2017-09-22 Thread Alex O'Ree
In light of the recent security issues, have the Tomcat devs ever
considered publishing the Tomcat server as a Maven artifact?

I just use Tomcat as a base server for Apache jUDDI and for several other
projects for which I create preconfigured Tomcat instances. It's also
super useful for integration testing. Anyhow, just food for thought.




RE: tomcat ssl setup

2017-09-22 Thread John Ellis
I used the keytool command, then submitted the CSR to the cacert.org site, then 
put root and main certificates in place and referenced them in the server.xml 
file.

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the 
> same result; when I try to connect to Tomcat on the secure port of 8443 it 
> just sits there and has a spinner up at the top of the browser window but if 
> I try to connect to it back on the non-secure port of 8080 it works fine. 
> Here is a Dropbox link to the server.xml file that I edited-
> 
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
> 
> Here is a Dropbox link to the Catalina log file-
> 
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
> 
> Thanks,
> 
> John Ellis

How did you generate the key and certificate files?

Mark







Re: tomcat ssl setup

2017-09-22 Thread Mark Thomas
On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the 
> same result; when I try to connect to Tomcat on the secure port of 8443 it 
> just sits there and has a spinner up at the top of the browser window but if 
> I try to connect to it back on the non-secure port of 8080 it works fine. 
> Here is a Dropbox link to the server.xml file that I edited-
> 
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
> 
> Here is a Dropbox link to the Catalina log file-
> 
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
> 
> Thanks,
> 
> John Ellis

How did you generate the key and certificate files?

Mark




Re: "Cannot store non-PrivateKeys" exception moving from 8.0.37 to 8.5.20 - Linux

2017-09-22 Thread Sean Dawson
Ok thank you for the replies. It may take me some time to be able to test
rev21 on the production server with its keystore (but maybe I can test it
locally too - if it at least starts up). Any other info you need from me to
help identify the issues needing resolution?


On Fri, Sep 22, 2017 at 1:46 AM, Mark Thomas  wrote:

> On 22 September 2017 00:41:04 BST, "André Warnier (tomcat)" 
> wrote:
> >Hi.
> >
> >Could this also be the problem on the other thread "tomcat ssl setup"
> >(tomcat 9) ?
>
> Could be, yes. It looks like there are still some problems to iron out
> with the fix for keystores that contain keys with different passwords.
>
> Mark
>
>
> >
> >log :
> >
> >08-Sep-2017 15:24:36.300 SEVERE [main]
> >org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> >to initialize
> >component [Connector[HTTP/1.1-8443]]
> >org.apache.catalina.LifecycleException: Protocol handler initialization
> >failed
> >...
> >Caused by: java.lang.IllegalArgumentException:
> >java.security.KeyStoreException: Cannot
> >store non-PrivateKeys
> > at
> >org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(
> AbstractJsseEndpoint.java:113)
> >
> >
> >
> >
> >
> > Forwarded Message 
> >Subject: Re: "Cannot store non-PrivateKeys" exception moving from
> >8.0.37 to 8.5.20 - Linux
> >Date: Thu, 21 Sep 2017 23:39:09 +0100
> >From: Mark Thomas 
> >Reply-To: Tomcat Users List 
> >To: Tomcat Users List 
> >
> >On 21/09/17 17:19, Sean Dawson wrote:
> >> Hello,
> >>
> >> We migrated our application that was running fine on 8.0.37 to 8.5.20
> >and
> >> on startup we receive:
> >>
> >> java.lang.IllegalArgumentException: java.security.KeyStoreException:
> >Cannot
> >> store non-PrivateKeys
> >
> >Try 8.5.21. It is on the mirrors but you'll need to follow the browse
> >link on the download page to find it.
> >
> >Mark
> >
> >>
> >> I unfortunately deleted the logs and under time pressure we had to go
> >back
> >> to 8.0.37 so I don't have the full stacktrace. But I didn't see
> >anything
> >> else in them that looked helpful.
> >>
> >> I've googled and couldn't really get any good answers that applied to
> >> us.This seemed a bit similar but we do have sslEnabled set (and the
> >issue
> >> is apparently fixed)...
> >>
> >> http://tomcat.10.x6.nabble.com/SSL-inconsistency-td5052956.html
> >>
> >> I've tried modifying the connector based off the current 8.5
> >> documentation.  But always get the above.
> >>
> >> We're on: CentOS release 6.9 (Final),
> >> Java version "1.8.0_144"
> >>
> >>  >protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>maxThreads="150" SSLEnabled="true"
> >asyncTimeout="6"
> >> compression="on"
> >> scheme="https" secure="true" >
> >>  >> sslEnabledProtocols="TLSv1,TSLv1.1,TLSv1.2"
> >> sslProtocol="TLS"
> >> certificateVerification="false" >
> >>  >> certificateKeystorePassword="masked"
> >>  type="RSA" />
> >> 
> >> 
> >>
> >
> >
> >
> >
> >
> >
>
>
>
>


RE: tomcat ssl setup

2017-09-22 Thread John Ellis
I have installed Tomcat 9.0.0.M27 on this test server but I still get the same 
result; when I try to connect to Tomcat on the secure port of 8443 it just sits 
there and has a spinner up at the top of the browser window but if I try to 
connect to it back on the non-secure port of 8080 it works fine. Here is a 
Dropbox link to the server.xml file that I edited-

https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0

Here is a Dropbox link to the Catalina log file-

https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0

Thanks,

John Ellis

405.285.2500 office




http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the 
> issue on that thread might be causing the SSL issue that I am having. 
> On the server that I have been using for the testing of Tomcat 9 
> version 8 was already installed on it. It's just that my boss said to 
> download, install and work with version 9. I wonder if it might work with 
> version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page 
and then up a directory to find it. (It has been released but CVE-2017-12617 
happened and we decided not to announce it as the next 9.0.x release will be 
following shortly.)

Note there is still a regression in the keystore handling but it affects fewer 
configurations (just FIPS as far as I know).

Mark


> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
> 
> Hi.
> 
> I just downloaded tomcat 9 myself (the windows zip version, but it 
> should be the same), to look at the standard server.xml.
> 
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any 
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines...
> Somehow the logfile which you uploaded to drop-box, does not seem to 
> match the server.xml lines that you pasted here.
> 
> Ooooh, wait.
> I know why it did not fit.
> 
> After looking again, more carefully, at the logfile that you posted, I 
> see what was confusing : that logfile shows several starts and stops of 
> tomcat.
> It just accumulates. I was looking just at the beginning, the first 
> error that I found.
> You have for example this :
> 
> 08-Sep-2017 11:10:32.131 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
> 
> Just before the error message that I was mentioning, which was :
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
>   org.xml.sax.SAXParseException; systemId: 
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; 
> lineNumber: 87;
> columnNumber: 
> 6; The content of elements must consist of well-formed character data 
> or markup.
> 
> But that was like 21 minutes later, after tomcat had been running for 
> 21 minutes.
> 
> Then after that there are a few more starts and stops, and at the 
> latest attempt, the problem is different :
> 
> 08-Sep-2017 15:24:35.920 INFO [main] 
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed 
> to initialize component [Connector[HTTP/1.1-8443]]
>   org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> java.security.KeyStoreException: Cannot store non-PrivateKeys
>   at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr
> actJss
> eEndpoint.java:113)
> 
> 
> So, here is what happened :
> 
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), 
> it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 482 ms
> 
> but then, you did not have the connector for port 8443 enabled yet.
> 
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log 
> Server version:Apache Tomcat/9.0.0.M26
> 
> - and then you had this :
> 

RE: tomcat ssl setup

2017-09-22 Thread John Ellis
OK I will try to find, download and try that version.
Thanks!

John Ellis

405.285.2500 office




http://biz-e.io


-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List 
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the 
> issue on that thread might be causing the SSL issue that I am having. 
> On the server that I have been using for the testing of Tomcat 9 
> version 8 was already installed on it. It's just that my boss said to 
> download, install and work with version 9. I wonder if it might work with 
> version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page 
and then up a directory to find it. (It has been released but CVE-2017-12617 
happened and we decided not to announce it as the next 9.0.x release will be 
following shortly.)

Note there is still a regression in the keystore handling but it affects fewer 
configurations (just FIPS as far as I know).

Mark


> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
> 
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
> 
> Hi.
> 
> I just downloaded tomcat 9 myself (the windows zip version, but it 
> should be the same), to look at the standard server.xml.
> 
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any 
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines...
> Somehow the logfile which you uploaded to drop-box, does not seem to 
> match the server.xml lines that you pasted here.
> 
> Ooooh, wait.
> I know why it did not fit.
> 
> After looking again, more carefully, at the logfile that you posted, I 
> see what was confusing : that logfile shows several starts and stops of 
> tomcat.
> It just accumulates. I was looking just at the beginning, the first 
> error that I found.
> You have for example this :
> 
> 08-Sep-2017 11:10:32.131 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler 
> ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
> 
> Just before the error message that I was mentioning, which was :
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
>   org.xml.sax.SAXParseException; systemId: 
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; 
> lineNumber: 87;
> columnNumber: 
> 6; The content of elements must consist of well-formed character data 
> or markup.
> 
> But that was like 21 minutes later, after tomcat had been running for 
> 21 minutes.
> 
> Then after that there are a few more starts and stops, and at the 
> latest attempt, the problem is different :
> 
> 08-Sep-2017 15:24:35.920 INFO [main] 
> org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] 
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed 
> to initialize component [Connector[HTTP/1.1-8443]]
>   org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed ...
> Caused by: java.lang.IllegalArgumentException:
> java.security.KeyStoreException: Cannot store non-PrivateKeys
>   at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr
> actJss
> eEndpoint.java:113)
> 
> 
> So, here is what happened :
> 
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), 
> it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 482 ms
> 
> but then, you did not have the connector for port 8443 enabled yet.
> 
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log 
> Server version:Apache Tomcat/9.0.0.M26
> 
> - and then you had this :
> 08-Sep-2017 11:31:21.952 SEVERE [main] 
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must 
> consist of well-formed character data or markup.
> 
> so my guess is that you modified the server.xml, while tomcat was 
> still running, and then you did a "shutdown.sh", to prepare to restart tomcat.
> 
> - And then there was that parse error.
> 
> And the reason is that the shutdown command, in fact starts another 
> 

Re: tomcat ssl setup

2017-09-22 Thread Mark Thomas
On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the issue on
> that thread might be causing the SSL issue that I am having. On the server
> that I have been using for the testing of Tomcat 9 version 8 was already
> installed on it. It's just that my boss said to download, install and work
> with version 9. I wonder if it might work with version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the
download page and then up a directory to find it. (It has been released
but CVE-2017-12617 happened and we decided not to announce it as the
next 9.0.x release will be following shortly.)

Note there is still a regression in the keystore handling but it affects
fewer configurations (just FIPS as far as I know).

Mark


> 
> John Ellis
> 
> 405.285.2500 office
> 
> 
>     
> 
> http://biz-e.io
> 
> 
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
> 
> Hi.
> 
> I just downloaded tomcat 9 myself (the windows zip version, but it should be
> the same), to look at the standard server.xml.
> 
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines...
> Somehow the logfile which you uploaded to drop-box, does not seem to match
> the server.xml lines that you pasted here.
> 
> Ooooh, wait.
> I know why it did not fit.
> 
> After looking again, more carefully, at the logfile that you posted, I see
> what was confusing : that logfile shows several starts and stops of tomcat.
> It just accumulates. I was looking just at the beginning, the first error
> that I found.
> You have for example this :
> 
> 08-Sep-2017 11:10:32.131 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
> ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main]
> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
> ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
> 
> Just before the error message that I was mentioning, which was :
> 08-Sep-2017 11:31:21.952 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must consist
> of well-formed character data or markup.
>   org.xml.sax.SAXParseException; systemId: 
> file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87;
> columnNumber: 
> 6; The content of elements must consist of well-formed character data or
> markup.
> 
> But that was like 21 minutes later, after tomcat had been running for 21
> minutes.
> 
> Then after that there are a few more starts and stops, and at the latest
> attempt, the problem is different :
> 
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init
> Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector[HTTP/1.1-8443]]
>   org.apache.catalina.LifecycleException: Protocol handler initialization
> failed ...
> Caused by: java.lang.IllegalArgumentException:
> java.security.KeyStoreException: Cannot store non-PrivateKeys
>   at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJss
> eEndpoint.java:113)
> 
> 
> So, here is what happened :
> 
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it
> started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main]
> org.apache.catalina.startup.Catalina.start Server startup in 482 ms
> 
> but then, you did not have the connector for port 8443 enabled yet.
> 
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log 
> Server version:Apache Tomcat/9.0.0.M26
> 
> - and then you had this :
> 08-Sep-2017 11:31:21.952 SEVERE [main]
> org.apache.tomcat.util.digester.Digester.fatalError
> Parse Fatal Error at line 87 column 6: The content of elements must consist
> of well-formed character data or markup.
> 
> so my guess is that you modified the server.xml, while tomcat was still
> running, and then you did a "shutdown.sh", to prepare to restart tomcat.
> 
> - And then there was that parse error.
> 
> And the reason is that the shutdown command, in fact starts another (small)
> instance of tomcat, to issue the shutdown command to the running instance.
> But that shutdown instance also reads server.xml, and at that time you /did/
> have a syntax error in it. So that is where this syntax error came from.
> 
> Later you apparently corrected the syntax, and restarted tomcat :
> 
> 08-Sep-2017 15:24:34.889 INFO [main]
> 

RE: tomcat ssl setup

2017-09-22 Thread John Ellis
Andre I saw where you asked Mark Thomas, on another thread, if the issue on
that thread might be causing the SSL issue that I am having. On the server
that I have been using for the testing of Tomcat 9 version 8 was already
installed on it. It's just that my boss said to download, install and work
with version 9. I wonder if it might work with version 8?

John Ellis

405.285.2500 office


    

http://biz-e.io


-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, September 21, 2017 4:40 PM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

Hi.

I just downloaded tomcat 9 myself (the windows zip version, but it should be
the same), to look at the standard server.xml.

There is something which does not quite fit in all of this.
I can also not see, in the snippets of server.xml that you pasted, any
obvious XML errors or imbricated comments.
Yet the logfile points to these lines...
Somehow the logfile which you uploaded to drop-box, does not seem to match
the server.xml lines that you pasted here.

Ooooh, wait.
I know why it did not fit.

After looking again, more carefully, at the logfile that you posted, I see
what was confusing : that logfile shows several starts and stops of tomcat.
It just accumulates. I was looking just at the beginning, the first error
that I found.
You have for example this :

08-Sep-2017 11:10:32.131 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main]
org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler
["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 18916 ms

Just before the error message that I was mentioning, which was :
08-Sep-2017 11:31:21.952 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError
Parse Fatal Error at line 87 column 6: The content of elements must consist
of well-formed character data or markup.
  org.xml.sax.SAXParseException; systemId: 
file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87;
columnNumber: 
6; The content of elements must consist of well-formed character data or
markup.

But that was like 21 minutes later, after tomcat had been running for 21
minutes.

Then after that there are a few more starts and stops, and at the latest
attempt, the problem is different :

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-8443]]
  org.apache.catalina.LifecycleException: Protocol handler initialization
failed ...
Caused by: java.lang.IllegalArgumentException:
java.security.KeyStoreException: Cannot store non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJss
eEndpoint.java:113)


So, here is what happened :

- when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it
started fine, ending in the line
08-Sep-2017 10:05:03.371 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 482 ms

but then, you did not have the connector for port 8443 enabled yet.

- then you stopped tomcat, and you started it again at
08-Sep-2017 11:10:13.141 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log 
Server version:Apache Tomcat/9.0.0.M26

- and then you had this :
08-Sep-2017 11:31:21.952 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError
Parse Fatal Error at line 87 column 6: The content of elements must consist
of well-formed character data or markup.

so my guess is that you modified the server.xml, while tomcat was still
running, and then you did a "shutdown.sh", to prepare to restart tomcat.

- And then there was that parse error.

And the reason is that the shutdown command, in fact starts another (small)
instance of tomcat, to issue the shutdown command to the running instance.
But that shutdown instance also reads server.xml, and at that time you /did/
have a syntax error in it. So that is where this syntax error came from.

Later you apparently corrected the syntax, and restarted tomcat :

08-Sep-2017 15:24:34.889 INFO [main]
org.apache.catalina.startup.VersionLoggerListener.log 
Server version:Apache Tomcat/9.0.0.M26

and this time, there was no syntax error anymore in server.xml, but then
there is this other problem :

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-8443]]
  org.apache.catalina.LifecycleException: Protocol handler initialization
failed ...
Caused by: java.lang.IllegalArgumentException:
java.security.KeyStoreException: 

Re: Help needed - JPA problem - No connection specified with project

2017-09-22 Thread Konstantin Kolinko
2017-09-22 13:35 GMT+03:00 Karen Goh :
> Hi expert,
>
> I have been trying very hard to nail the above problem including asking 
> various forums like CodeRanch, dream in code etc but to no avail.
>
> As such, I am hoping to get help from the Apache Tomcat user support.
>
> Tools and setting : Eclipse Mars, Tomcat 1.8, MySQL, OS : Windows 7, Maven, 
> Java JPA with Hibernate framework 5.1.0

There is no such version as "Tomcat 1.8". I assume that you meant some
version of Tomcat 8.0.x.


> The MySQL setting is confirmed correct, as I have managed to insert the data 
> via single JDBC connection.
>
> Project summary : J2ee servlet with JSP, Java JPA in Hibernate framework. 
> (Hibernate is for pure insertion of data - many to many relationship)
>
> My purpose is to get the JNDI datasource working but till now I just can't 
> get it to work.
>
> Here's my context.xml :
>
> 
>  antiResourceLocking="true" debug="1">
> 
> 
> name="jdbc/hi5"
> auth="Container"
> type="javax.sql.DataSource"
> maxTotal="8"
> maxActive="100"
> maxIdle="30"
> maxWait="-1"
> username="root"
> singleton="true"
> override="true"
> factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
> password="password"
>   alternateUsernameAllowed="true"
> driverClassName="com.mysql.jdbc.Driver"
> url="jdbc:mysql://localhost:3306/hi5" />
>   
>   

The META-INF/context.xml file of a web application must have only one
of  elements with the same value of "name"
attribute.


If you have a ResourceLink in context.xml, it means that your Resource
element must go into GlobalNamingResources element of conf/server.xml
file.
http://tomcat.apache.org/tomcat-8.5-doc/config/globalresources.html


BTW, you should not modify conf/context.xml file. It is the defaults
file shared by all web applications. (Modifying it is a common
configuration mistake).


Best regards,
Konstantin Kolinko
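
Konstantin's two rules (one element per JNDI name in META-INF/context.xml, and a ResourceLink only works when a Resource of that name exists under GlobalNamingResources in conf/server.xml) can be checked mechanically before deploying. The Python script below is an added example, not code from this thread or from Tomcat. Its sample files are constructed: the broken context.xml is modelled on the one quoted above as Konstantin read it (a Resource and a ResourceLink both named jdbc/hi5, pool user root), the fixed pair moves the Resource into server.xml, and the passwords are placeholders. The third check, flagging a pool that logs in as the MySQL root account, is a least-privilege addition of mine and not something Konstantin raised.

```python
"""Lint a web application's META-INF/context.xml against conf/server.xml:
each JNDI name may be declared once, and every <ResourceLink> must point at
a <Resource> that exists under <GlobalNamingResources>."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List, Set


def _local(tag: str) -> str:
    """Strip an XML namespace, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def global_resource_names(server_xml: str) -> Set[str]:
    """Names of <Resource> elements declared under <GlobalNamingResources>."""
    names: Set[str] = set()
    for gnr in ET.fromstring(server_xml).iter():
        if _local(gnr.tag) == "GlobalNamingResources":
            names.update(r.get("name") for r in gnr if _local(r.tag) == "Resource")
    return names


def lint_context(context_xml: str, server_xml: str) -> List[str]:
    findings: List[str] = []
    ctx = ET.fromstring(context_xml)
    resources = [e for e in ctx.iter() if _local(e.tag) in ("Resource", "ResourceLink")]

    # 1. One declaration per JNDI name (Resource and ResourceLink share the namespace).
    counts = Counter(e.get("name") for e in resources)
    for name in sorted(n for n, c in counts.items() if c > 1):
        findings.append(f"duplicate JNDI name {name!r} in context.xml")

    # 2. A ResourceLink is only a pointer; its target must be defined globally.
    global_names = global_resource_names(server_xml)
    for e in resources:
        if _local(e.tag) == "ResourceLink":
            target = e.get("global", e.get("name"))
            if target not in global_names:
                findings.append(
                    f"ResourceLink {e.get('name')!r} points at {target!r}, which is "
                    f"not declared under GlobalNamingResources in server.xml")

    # 3. Least privilege (my addition): the pool should not log in as the database superuser.
    for e in resources:
        if _local(e.tag) == "Resource" and e.get("username") == "root":
            findings.append(
                f"Resource {e.get('name')!r} connects as MySQL root; use a dedicated "
                f"account with only the grants the application needs")
    return findings


# Constructed samples; passwords are placeholders, not values from the thread.
BROKEN_CONTEXT = """\
<Context antiResourceLocking="true">
  <ResourceLink name="jdbc/hi5" global="jdbc/hi5" type="javax.sql.DataSource"/>
  <Resource name="jdbc/hi5" auth="Container" type="javax.sql.DataSource"
            factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
            driverClassName="com.mysql.jdbc.Driver"
            url="jdbc:mysql://localhost:3306/hi5"
            username="root" password="CHANGE_ME"/>
</Context>
"""
EMPTY_SERVER = """\
<Server>
  <GlobalNamingResources/>
</Server>
"""
FIXED_CONTEXT = """\
<Context>
  <ResourceLink name="jdbc/hi5" global="jdbc/hi5" type="javax.sql.DataSource"/>
</Context>
"""
FIXED_SERVER = """\
<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/hi5" auth="Container" type="javax.sql.DataSource"
              factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
              driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/hi5"
              username="hi5_app" password="CHANGE_ME"/>
  </GlobalNamingResources>
</Server>
"""

if __name__ == "__main__":
    for label, ctx, srv in (("broken", BROKEN_CONTEXT, EMPTY_SERVER),
                            ("fixed", FIXED_CONTEXT, FIXED_SERVER)):
        print(f"{label}: {lint_context(ctx, srv) or ['no findings']}")
```

The alternative layout Konstantin allows, a single `<Resource>` in the application's own META-INF/context.xml with no ResourceLink at all, also passes the first two checks; what the script rejects is declaring the same name twice or linking to a global resource that does not exist.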




Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Mark Thomas
On 22/09/17 10:36, Maarten van Hulsentop wrote:
> I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
> The issue can indeed easily be reproduced on the default servlet by setting
> the readonly property to false. After that, it is possible to PUT the jsp
> and the GET request will execute.
> 
> When I change the default servlet to be the WebDAV servlet, it can no
> longer PUT the JSP because of 409 errors.
> Adjusting the servlet mapping from / to /* resolves the 409. But doing so
> seems to prevent the JSP execution; the GET request will just yield the
> contents of the JSP.
> What do I need to do to get it reproduced for the WebDAV servlet as well?
> Or is this a theoretical thing and can we consider the WebDAV servlet
> configured in scenario 3 as not vulnerable in the real world?

I haven't seen a PoC for exploiting this via Tomcat's WebDAV
implementation. The original advisory was based on an understanding of
the Default servlet PoC and a quick look at Tomcat's WebDAV code. A
closer inspection shows that the Default servlet PoC won't work with
Tomcat's WebDAV implementation.

It looks to be unlikely that Tomcat's WebDAV implementation is
exploitable but as far as I am aware there hasn't been a great deal of
investigation in that direction. At this point it seems prudent to
assume that WebDAV could be vulnerable and mitigate accordingly.

> Does this
> also apply for individual web applications configuring a similar web.xml or
> is it only reproducible on the global default servlet?

CVE-2017-12615 applies in either of the above scenarios.

Mark




Help needed - JPA problem - No connection specified with project

2017-09-22 Thread Karen Goh
Hi expert,

I have been trying very hard to nail the above problem including asking various 
forums like CodeRanch, dream in code etc but to no avail.

As such, I am hoping to get help from the Apache Tomcat user support.

Tools and setting : Eclipse Mars, Tomcat 1.8, MySQL, OS : Windows 7, Maven, 
Java JPA with Hibernate framework 5.1.0

The MySQL setting is confirmed correct, as I have managed to insert the data 
via single JDBC connection.

Project summary : J2ee servlet with JSP, Java JPA in Hibernate framework. 
(Hibernate is for pure insertion of data - many to many relationship)

My purpose is to get the JNDI datasource working but till now I just can't get 
it to work.

Here's my context.xml :





name="jdbc/hi5"
auth="Container" 
type="javax.sql.DataSource"
maxTotal="8" 
maxActive="100" 
maxIdle="30" 
maxWait="-1"
username="root"
singleton="true" 
override="true"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
password="password" 
  alternateUsernameAllowed="true"
driverClassName="com.mysql.jdbc.Driver" 
url="jdbc:mysql://localhost:3306/hi5" />  
  


Here's my web.xml:


<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" version="3.1">
  <display-name>Hi5S</display-name>
  <welcome-file-list>
    <welcome-file>Index.jsp</welcome-file>
  </welcome-file-list>
  <resource-ref>
    <description>MySQL Datasource</description>
    <res-ref-name>jdbc/hi5</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>


And my singletonDatasource class:

package util;

import java.sql.Connection;
import java.sql.SQLException;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// Looks up the container-managed pool once (java:comp/env/jdbc/hi5, declared
// in web.xml as a resource-ref) and hands out pooled connections on demand.
// A class-level @Resource annotation is not needed: web.xml already declares
// the reference, and the annotation is ignored on a plain class anyway.
public class SingletonDBConnection {

    // volatile so the double-checked locking below is safe
    private static volatile SingletonDBConnection singleInstance;
    private final DataSource dataSource;

    private SingletonDBConnection() {
        try {
            Context initContext = new InitialContext();
            // "java:comp/env" is the standard name of the component environment
            Context envContext = (Context) initContext.lookup("java:comp/env");
            dataSource = (DataSource) envContext.lookup("jdbc/hi5");
        } catch (NamingException e) {
            // Fail fast: without the DataSource nothing else here can work
            throw new IllegalStateException("JNDI lookup of jdbc/hi5 failed", e);
        }
    }

    public static DataSource getMySQLDataSource() { // pool created by the Tomcat JDBC factory
        if (singleInstance == null) {
            synchronized (SingletonDBConnection.class) {
                if (singleInstance == null) {
                    singleInstance = new SingletonDBConnection();
                }
            }
        }
        // The previous version returned (DataSource) singleInstance, which throws
        // ClassCastException: this class is not a DataSource, it holds one.
        return singleInstance.dataSource;
    }

    // Borrow a connection from the pool; the caller must close() it (for example
    // with try-with-resources) so it goes back to the pool. Keeping one
    // Connection in a static field, as before, is not thread-safe and leaks.
    public static Connection getConnInst() throws SQLException {
        return getMySQLDataSource().getConnection();
    }

}


And the persistence.xml ;


http://xmlns.jcp.org/xml/ns/persistence; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; 
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence 
http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd;>

model.Subject
model.Tutor


  

  





As the mailing list does not allow large error attachment, therefore, I am 
appending the error below :

Sep 22, 2017 5:59:46 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
property 'debug' to '1' did not find a matching property.
Sep 22, 2017 5:59:46 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
property 'source' to 'org.eclipse.jst.jee.server:Hi5S' did not find a matching 
property.
Sep 22, 2017 5:59:46 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:Apache Tomcat/8.0.29
Sep 22, 2017 5:59:46 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:  Nov 20 2015 09:18:00 UTC
Sep 22, 2017 5:59:46 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number: 8.0.29.0
Sep 22, 2017 5:59:46 PM 

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-22 Thread Maarten van Hulsentop
Hello,

On Wed 20 Sep 2017 at 09:27, Mark Thomas wrote:

> On 19/09/17 14:10, Mark Thomas wrote:
> > On 19/09/17 14:00, André Warnier (tomcat) wrote:
> >> Hello.
> >>
> >> Did the issue below also affect the DAV application ?
> >
> > Yes, as the WebDAV servlet also processes HTTP PUT requests.
> >
> > The WebDAV servlet extends the Default servlet so they actually share
> > the implementation.
>
> Thinking about this a little more, it will depend on how the WebDAV
> servlet is mapped. While there is a configuration where this would be an
> issue for WebDAV, I don't think it is one that would normally be used.
>
I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
The issue can indeed easily be reproduced on the default servlet by setting
the readonly property to false. After that, it is possible to PUT the jsp
and the GET request will execute.

When I change the default servlet to be the WebDAV servlet, it can no
longer PUT the JSP because of 409 errors.
Adjusting the servlet mapping from / to /* resolves the 409. But doing so
seems to prevent the JSP execution; the GET request will just yield the
contents of the JSP.
What do I need to do to get it reproduced for the WebDAV servlet as well?
Or is this a theoretical thing and can we consider the WebDAV servlet
configured in scenario 3 as not vulnerable in the real world? Does this
also apply for individual web applications configuring a similar web.xml or
is it only reproducible on the global default servlet?

For clarity, my scenarios are;
1. == Default servlet reproduction
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml,
add readonly=false
to default
- PUT possible
- GET executes JSP -> vulnerable!

2. == WebDAV servlet reproduction with mapping on '/'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change
to  org.apache.catalina.servlets.WebdavServlet
for default
- Modify [tomcat]/conf/web.xml,
add readonly=false
to default
- PUT fails with 409 message -> not vulnerable?

3. == WebDAV servlet reproduction with mapping on '/*'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change to
org.apache.catalina.servlets.WebdavServlet
for default
- Modify [tomcat]/conf/web.xml,
add readonly=false
to default
- Modify [tomcat]/conf/web.xml, change url pattern
/ to /*
(for default)
- PUT possible
- GET retrieves the content for the JSP -> not vulnerable right now?

Thank you for your feedback,

Regards,

Maarten van Hulsentop


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-22 Thread Mark Thomas
Update:

The review did not identify any further security concerns but it did
identify a handful of places where the code could benefit from some
clean-up. This clean-up makes the purpose of the code clearer and eases
future maintenance in this security-relevant area of the code base.

The clean-up has been implemented and reviewed. Back-ports have been
completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
little more time as 7.0.x uses the JNDI based resources implementation
that was replaced in 8.0.x onwards.

The current expectation is that the releases will be tagged and votes
started later today.

Mark


On 20/09/17 17:37, Mark Thomas wrote:
> Update:
> 
> We believe we have a set of patches [1],[2] that addresses this for
> 9.0.x. The plan is to give folks ~12 hours to review the proposed
> patches and then back-port the patches, tag and release.
> 
> Further analysis has not identified any additional attack vectors or
> risks associated with this vulnerability.
> 
> The recommended mitigations remain unchanged.
> 
> Mark
> 
> 
> [1] http://svn.apache.org/viewvc?rev=1809011=rev
> [2] http://svn.apache.org/viewvc?rev=1809025=rev
> 
> 
> On 20/09/17 13:20, Mark Thomas wrote:
>> Update:
>>
>> The issue has been confirmed.
>>
>> CVE-2017-12617 has been allocated.
>>
>> The issue is not limited to PUT requests. For the Default servlet,
>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>> COPY are believed to be affected.
>>
>> The RCE via JSP upload using PUT is still believed to be the most severe
>> impact of this vulnerability.
>>
>> The recommended mitigations remain unchanged.
>>
>> Mark
>>
>>
>> On 20/09/17 09:25, Mark Thomas wrote:
>>> All,
>>>
>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>> Security Team has received multiple reports that a similar vulnerability
>>> exists in all current Tomcat versions and affects all operating systems.
>>>
>>> Unfortunately, one of these reports was made via the public bug tracker
>>> [2] rather than responsibly via the Tomcat Security Team's private
>>> mailing list [3].
>>>
>>> We have not yet completed our investigation of these reports but, based
>>> on the volume, and our initial investigation they appear to be valid.
>>>
>>> From an initial analysis of the reports received, the vulnerability only
>>> affects the following configurations:
>>>
>>> Default Servlet
>>> - Default Servlet configured with readonly="false"
>>>   AND
>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>
>>> WebDAV Servlet
>>> - WebDAV Servlet configured with readonly="false"
>>>   AND
>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>   AND
>>> - The documented advice not to map the WebDAV servlet as the Default
>>>   servlet has been ignored
>>>
>>> Please note that:
>>>  - The WebDAV servlet is disabled by default
>>>  - The default value for the readonly parameter is true for both the
>>>Default servlet and the WebDAV servlet
>>>
>>> Therefore, a default Tomcat installation is not affected by this
>>> potential vulnerability.
>>>
>>> Based on our understanding to date, the potential vulnerability may be
>>> mitigated by any of the following:
>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>> - blocking HTTP methods that permit resource modification for untrusted
>>>   users
>>>
>>> We will provide updates to the community as our investigation of these
>>> reports continues.
>>>
>>> Mark
>>> on behalf of the Apache Tomcat Security Team
>>>
>>>
>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>> [3] http://tomcat.apache.org/security.html
>>>
>>>
>>
>>
>>
> 
> 
> 


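As an added example (not code from the Tomcat project or from anyone in this thread), a small Python audit of a Tomcat web.xml that flags the configurations the advisory above lists as affected: the Default or WebDAV servlet with readonly="false", and the WebDAV servlet mapped as the default servlet on "/". The two web.xml fragments at the bottom are constructed samples of the weak setting and its mitigated form.

```python
import xml.etree.ElementTree as ET
# Servlets whose readonly=false setting enables PUT/DELETE (CVE-2017-12615/12617).
WRITABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the javaee XML namespace

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""

def audit_web_xml(xml_text):
    """Return finding strings for risky servlet configs; empty list = clean."""
    root = ET.fromstring(xml_text)
    servlets = {}
    for s in _children(root, "servlet"):
        params = {_text(p, "param-name"): _text(p, "param-value").lower()
                  for p in _children(s, "init-param")}
        servlets[_text(s, "servlet-name")] = (_text(s, "servlet-class"), params)
    findings = []
    for m in _children(root, "servlet-mapping"):
        name = _text(m, "servlet-name")
        patterns = [(u.text or "").strip() for u in _children(m, "url-pattern")]
        cls, params = servlets.get(name, ("", {}))
        if cls not in WRITABLE_SERVLETS:
            continue
        # readonly defaults to true; only an explicit "false" opens PUT/DELETE.
        if params.get("readonly") == "false":
            findings.append(f"{name}: readonly=false on {patterns} ({cls})")
        # The advisory warns against mapping the WebDAV servlet as the default ('/').
        if cls.endswith("WebdavServlet") and "/" in patterns:
            findings.append(f"{name}: WebDAV servlet mapped as default servlet ('/')")
    return findings

# Constructed samples: the weak setting and the mitigated one.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace("<param-value>false<", "<param-value>true<")
```

Run audit_web_xml() over conf/web.xml and over each application's WEB-INF/web.xml, since the thread above confirms the issue applies to both.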