Re: security headers

2017-11-03 Thread Alejandro Vargas M.

You can help with an example of this url-rewrite to add this header,

Please,

Thanks in advance.


On 11/01/2017 02:03 PM, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alejandro,

On 11/1/17 3:37 PM, Alejandro Vargas M. wrote:

Hello,

I recently used on web.xml

 httpHeaderSecurity
org.apache.catalina.filters.HttpHeaderSecurityFilter
lter-class>

  true 

 httpHeaderSecurity
/* 

to enable some security headers, but it won't enable Content
Security Policy header. Is there anyway to enable Content Security
Policy at top server level???

What were you expecting that Filter to generate for you? A header
which disables everything? Not terribly useful.

My recommendation would be to use something like url-rewrite[1] to add
headers to every outgoing response. url-rewrite has very similar
capabilities to httpd's mod_headers (and much more, of course).

- -chris

[1] http://tuckey.org/urlrewrite/
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln6KJkACgkQHPApP6U8
pFjuWRAAilRKahVEge71VBJrhragUyZuKR/uqEwfwpYj9Zq5DzI3I0JT6jwD8kwE
//iuxBgDroVH/Xedn9oiMen9u1wSpf4p4fCQY0xcP99l6QnlgReimEM7Aoi24hTc
WFgYlA2DVsKvmU0qjaI8HQoBrN+n8A+4Qhxu4fj5knNT1Sk1KppYDl/l6bkaI3Lc
oPAvbYJbR2OV9SwCBoKFNjEPZwK9kTZhAr74gbErS/OZHcQAynZjHPcYl4+2K6Uj
98T3VKu6NIif5g3ry6TA9YYe5Dn3DyqBkY6wlAI91gRn7KjESDcJPcCiYglYDHqP
37ZdcP6LPmySFlBaug5E9811lyKIHnkpv/0OTaFM3AH0sulazBvLu38Ea5yeZQFC
CofoYTMAY8KAlfwzKn+3RhTTQA8lmKHF/dVxQBRqP3vbN/+KU1KzqZmn2Q6KoYH+
Lf+gMJjeLE/0/8X9CnTaFPkmg7VbYgGmhGzgFkD85YTswT962L8M5evG1xdHaNiM
ZZDEeYLWC/Cjdqvht3zQ0gvmI35pI1q2K/fnYb+mrV0eIi/rcosz99GQVpTTqS58
wCtIAKLChLuxuWoGp0+1+sI0ugwn9RmsIft34QBM1Us/FxGYc0Ou5VpBHE0JeYG8
G8RjZ+9eonM5ScwPrAZKZ7pd6qfCHY24/OvK6vT4HbRdqJbvWT8=
=j1H+
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




--




Alejandro Vargas Mayorga
/*Gerente Desarrollo C.A. & C.*/
*Tel. 506- 7232-3366*
*Email:**alejandro.var...@kymsolutions.com* 
*

**www.kymsolutions.com* *
Visite nuestra aula virtual! *



Fw: TomCat 8.5.23 application not responding

2017-11-03 Thread DBolken
From:   Christopher Schultz 
To: users@tomcat.apache.org
Date:   11/02/2017 02:28 PM
Subject:Re: TomCat 8.5.23 application not responding



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Darin,

On 11/2/17 12:55 PM, dbol...@dsginc.biz wrote:
> I have a TomCat 8.5.23 service running on a Windows 2008 R2.  It is
>  currently running a third party web commerce application.  It will
> run great until randomly one day the application will stop
> responding.  When you try to go to the application URL it sits and
> spins.  I look at the catalina log and found the below errors at
> the time it stop responding. Is this a tomcat configuration issue
> or application related.
> 
> I see three specific warning/severe messages in Tomcat.
> 
> Error one: 02-Nov-2017 10:03:23.787 WARNING
> [http-nio-9080-exec-402] 
> com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getForComponent
>  Unable to find component with ID searchPattern in view.
> 
> Then right after there is a severe message error 2:
> 
> 02-Nov-2017 10:03:23.896 SEVERE [http-nio-9080-exec-455] 
> org.restlet.engine.http.adapter.ServerAdapter.commit An exception
> occured writing the response entity 
> org.apache.catalina.connector.ClientAbortException:
> java.io.IOException: An established connection was aborted by the
> software in your host machine
> 
> Then the warning messages constant all the way down until this all
> the way down until we had to reboot the service because of no
> response.
> 
> 02-Nov-2017 10:03:23.896 WARNING [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call: 02-Nov-2017 10:03:23.896 INFO
> [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call java.lang.IllegalStateException:
> Cannot call sendError() after the response has been committed

Can you take some thread dumps to show what the Tomcat threads are
doing? One thread dump will probably be very long, but go ahead and
post the whole thing to the list.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln7ckIdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh8og/8CataalwbNgVBl+uK
f3q1W5JEOZbXBR2dA3UuR/mtZxHa6azH7UMSiydRpcRVoRvP7z0aeDyGoW/u70MT
23RlkNFDVG5HP6Z6AIBKrDisQDwHYRM9iq2o3vPYW56mgDLC56yxUKnKUATHGpgB
MYk0vzicWawt1+zF/GE7qshTtubt5HgqmFFckhFPWWTRqsvkiyYIbkq9o6iUNHZZ
MMPwe9ppeKOVew2c5csqLaSS9MUdbYerEblvho7WfQSW8YjtL6UO2h523jQ1ZOUh
Efju4cy9hEQdeEFcxEaBPKR3q6MMWW5frDB/UrUfopFnD/krdXcbYkTWO9DTjbJj
EW+uMWfJzDGMBQDvRqprNrdYrLETgnAEv5ut7XSgyuu32+Atq/uot6fZmZ1XcfIQ
RA45INBmXbt4YWhJ2cGJ3Zjzfzc8t7omIfWVgziSOMBi7gEnvEbCtj9E3X1ywltl
+iNhsRfdfa8O65dJT+yOQZuQnJ0RGKJxAJFhlkO0dtl4ahjusE8M/0CqiX8nfJ4U
xwEUBTdztukczgKRhj660f/wycGzUGz071LjygQ8kxqqLlUyXWGs3WigvBXxBNW1
lWqyBBOk61LoiQ4TCLFh5mowSPA81u3rdlYLwK723+RgRwv5jAeMNb5XoF8JcAIs
4RcbK5PHnVvv5gZRauiO4lhYAZY=
=L4hB
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

I have been unable to post the thread dump because of size no matter how 
much I send under the 1 MB rule.  Is there another way I can send it to 
you.  Thanks.


I do see a lot of Blocked messages, see example.  I was not able to post 
the whole dump.


"http-nio-9080-exec-305" #3888 daemon prio=5 os_prio=0 
tid=0x1f445000 nid=0x230 waiting for monitor entry 
[0x4341d000]
   java.lang.Thread.State: BLOCKED (on object monitor)
at 
com.mincron.api.restlet.dm.ProductDM.getCategoryItemList(Unknown Source)
- waiting to lock <0x000696269dc0> (a java.lang.Class for 
com.mincron.api.restlet.dm.ProductDM)
at 
com.mincron.api.restlet.resource.CategoryItemListResource.retrieve(Unknown 
Source)



- Darin

Re: TomCat 8.5.23 application not responding

2017-11-03 Thread DBolken
From:   Christopher Schultz 
To: users@tomcat.apache.org
Date:   11/02/2017 02:28 PM
Subject:Re: TomCat 8.5.23 application not responding



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Darin,

On 11/2/17 12:55 PM, dbol...@dsginc.biz wrote:
> I have a TomCat 8.5.23 service running on a Windows 2008 R2.  It is
>  currently running a third party web commerce application.  It will
> run great until randomly one day the application will stop
> responding.  When you try to go to the application URL it sits and
> spins.  I look at the catalina log and found the below errors at
> the time it stop responding. Is this a tomcat configuration issue
> or application related.
> 
> I see three specific warning/severe messages in Tomcat.
> 
> Error one: 02-Nov-2017 10:03:23.787 WARNING
> [http-nio-9080-exec-402] 
> com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getForComponent
>  Unable to find component with ID searchPattern in view.
> 
> Then right after there is a severe message error 2:
> 
> 02-Nov-2017 10:03:23.896 SEVERE [http-nio-9080-exec-455] 
> org.restlet.engine.http.adapter.ServerAdapter.commit An exception
> occured writing the response entity 
> org.apache.catalina.connector.ClientAbortException:
> java.io.IOException: An established connection was aborted by the
> software in your host machine
> 
> Then the warning messages constant all the way down until this all
> the way down until we had to reboot the service because of no
> response.
> 
> 02-Nov-2017 10:03:23.896 WARNING [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call: 02-Nov-2017 10:03:23.896 INFO
> [http-nio-9080-exec-455] 
> org.restlet.engine.http.HttpServerHelper.handle Error while
> handling an HTTP server call java.lang.IllegalStateException:
> Cannot call sendError() after the response has been committed

Can you take some thread dumps to show what the Tomcat threads are
doing? One thread dump will probably be very long, but go ahead and
post the whole thing to the list.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAln7ckIdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFh8og/8CataalwbNgVBl+uK
f3q1W5JEOZbXBR2dA3UuR/mtZxHa6azH7UMSiydRpcRVoRvP7z0aeDyGoW/u70MT
23RlkNFDVG5HP6Z6AIBKrDisQDwHYRM9iq2o3vPYW56mgDLC56yxUKnKUATHGpgB
MYk0vzicWawt1+zF/GE7qshTtubt5HgqmFFckhFPWWTRqsvkiyYIbkq9o6iUNHZZ
MMPwe9ppeKOVew2c5csqLaSS9MUdbYerEblvho7WfQSW8YjtL6UO2h523jQ1ZOUh
Efju4cy9hEQdeEFcxEaBPKR3q6MMWW5frDB/UrUfopFnD/krdXcbYkTWO9DTjbJj
EW+uMWfJzDGMBQDvRqprNrdYrLETgnAEv5ut7XSgyuu32+Atq/uot6fZmZ1XcfIQ
RA45INBmXbt4YWhJ2cGJ3Zjzfzc8t7omIfWVgziSOMBi7gEnvEbCtj9E3X1ywltl
+iNhsRfdfa8O65dJT+yOQZuQnJ0RGKJxAJFhlkO0dtl4ahjusE8M/0CqiX8nfJ4U
xwEUBTdztukczgKRhj660f/wycGzUGz071LjygQ8kxqqLlUyXWGs3WigvBXxBNW1
lWqyBBOk61LoiQ4TCLFh5mowSPA81u3rdlYLwK723+RgRwv5jAeMNb5XoF8JcAIs
4RcbK5PHnVvv5gZRauiO4lhYAZY=
=L4hB
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

I have been unable to post the thread dump because of size no matter how 
much I send under the 1 MB rule.  Is there another way I can send it to 
you.  Thanks.


The case of disappearing JARs

2017-11-03 Thread David Morris

I've got a case of disappearing JARs from my webapps lib folder which I can't 
seem to solve, hopefully someone on the list can provide some pointers.

We've got a number of webapps which are deployed by an installer already 
exploded (The war is exploded and wrapped by the installer) without the WAR 
been deployed.  We are using tomcat 8.0 running as multiple instances, all 
configured with them running as windows services.

The environment is a virtualised environment running on Windows Server 2012 
with the VMs stored and running from a SAN.  Generally everything works as 
expected, we can start and stop the services, restart the VMs with no problems. 
 However whenever there has been a power failure (I don't know what would shut 
down first the SAN or the VM hosts when the UPS runs out) on restart, when the 
services start back, up some or all of the JARs from the deployed apps have 
gone.

In the latest instance of this happening,  the VM it occurred on had 5 
instances of Tomcat running, however only 1 tomcat instance had missing JARs.  
Within this was two webapps, 1 was missing 1 library the other was missing all 
80 which obviously caused them not to work.  None of the other files within the 
webapp are effected and it's happened with different webapps on different VMs 
but configured the same way (explored WAR from an installer)

My question is, can this be caused by Tomcat at all, eg is it trying to 
undeploy for some reason or is the answer somewhere else in the environment?

Many thanks,

Dave



HttpServletRequest in AsyncContext does not handle X-Forwarded-For (RemoteIpValve)

2017-11-03 Thread Enrico Olivelli
Hi,
I am running a servlet and I get strange result for
HttpServletRequest#getRemoteAddr().

I have configured RemoteIpValve which handles the X-Forwarded-For header
and replaces the original IP address with the value contains in such header.

I have an HttpServlet which dispacts the execution to a custom threadpool
and uses request.startAsync()

It seems that if I call getRemoteAddr on the original HttpServletRequest
the value for getRemoteAddr() is correct, it contains the value of
X-Forwarded-For header.
When I call getRemoteAddr after calling startAsync() the result is the
original IP address of the request.

A workaround is to capture the IP Address early but I wonder if I am
missing something, if it is an expected behavior or if I should file an
issue.

I am using tomcat 8.5.15


Thanks
Enrico


Re: Start embedded Tomcat 9.0.1 server from java code

2017-11-03 Thread Maxim Solodovnik
I'm OK to add missing code to my tests,
but I'm not sure what need to be added :(

On Fri, Nov 3, 2017 at 3:24 PM, Maxim Solodovnik 
wrote:

> I see no errors,
> Using debugger I can see tomcat.server.state == STARTED
>
> Everything works as expected if I'm switching back to 8.5.23 without any
> other changes
>
> nestat reports:
> *netstat -an |grep 8080*
> tcp6   0  0 :::8080 :::*LISTEN
>
> for 8.5.23
>
>
> On Fri, Nov 3, 2017 at 3:08 PM, Mark Thomas  wrote:
>
>> On 03/11/17 04:51, Maxim Solodovnik wrote:
>> > Hello,
>> >
>> > I recently migrated from Tomcat 8.5.23 to Tomcat 9.0.1
>> > Everything works as expected except tests :(
>> >
>> > I'm using following code to start embedded Tomcat and test CXF web
>> services [1].
>> > With Tomcat 9.0.1 tests failed, netstat -an displays port 8080 is not
>> > being listened
>> > What need to be changed?
>>
>> If Tomcat isn't listening then there should be an exception or error
>> message reported at some point. Do you see anything in the logs?
>>
>> Mark
>>
>>
>> >
>> >
>> > [1] https://github.com/apache/openmeetings/blob/master/openmeeti
>> ngs-web/src/test/java/org/apache/openmeetings/webservice
>> /AbstractWebServiceTest.java#L98
>> >
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
>
> --
> WBR
> Maxim aka solomax
>



-- 
WBR
Maxim aka solomax


Re: Start embedded Tomcat 9.0.1 server from java code

2017-11-03 Thread Maxim Solodovnik
I see no errors,
Using debugger I can see tomcat.server.state == STARTED

Everything works as expected if I'm switching back to 8.5.23 without any
other changes

nestat reports:
*netstat -an |grep 8080*
tcp6   0  0 :::8080 :::*LISTEN

for 8.5.23


On Fri, Nov 3, 2017 at 3:08 PM, Mark Thomas  wrote:

> On 03/11/17 04:51, Maxim Solodovnik wrote:
> > Hello,
> >
> > I recently migrated from Tomcat 8.5.23 to Tomcat 9.0.1
> > Everything works as expected except tests :(
> >
> > I'm using following code to start embedded Tomcat and test CXF web
> services [1].
> > With Tomcat 9.0.1 tests failed, netstat -an displays port 8080 is not
> > being listened
> > What need to be changed?
>
> If Tomcat isn't listening then there should be an exception or error
> message reported at some point. Do you see anything in the logs?
>
> Mark
>
>
> >
> >
> > [1] https://github.com/apache/openmeetings/blob/master/
> openmeetings-web/src/test/java/org/apache/openmeetings/webservice/
> AbstractWebServiceTest.java#L98
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


-- 
WBR
Maxim aka solomax


Re: Start embedded Tomcat 9.0.1 server from java code

2017-11-03 Thread Mark Thomas
On 03/11/17 04:51, Maxim Solodovnik wrote:
> Hello,
> 
> I recently migrated from Tomcat 8.5.23 to Tomcat 9.0.1
> Everything works as expected except tests :(
> 
> I'm using following code to start embedded Tomcat and test CXF web services 
> [1].
> With Tomcat 9.0.1 tests failed, netstat -an displays port 8080 is not
> being listened
> What need to be changed?

If Tomcat isn't listening then there should be an exception or error
message reported at some point. Do you see anything in the logs?

Mark


> 
> 
> [1] 
> https://github.com/apache/openmeetings/blob/master/openmeetings-web/src/test/java/org/apache/openmeetings/webservice/AbstractWebServiceTest.java#L98
> 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org