Re: Modify JspServlet config in application web.xml?

2018-01-24 Thread Christopher Schultz

Richárd,

On 1/24/18 4:31 PM, Richárd Olivér Legéndi wrote:
> Yy! I'm sending a tech mail to an open source community after
> years! You can't believe what a relief it is :-)

Welcome to the community!

> Anyway, I would like to ask your help about some config topic.
> 
> I would need the following configuration *only* for my webapp:
> 
> <servlet>
>   <servlet-name>jsp</servlet-name>
>   <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
>   <init-param>
>     <param-name>mappedfile</param-name>
>     <param-value>false</param-value>
>   </init-param>
>   <init-param>
>     <param-name>trimSpaces</param-name>
>     <param-value>true</param-value>
>   </init-param>
>   <load-on-startup>3</load-on-startup>
> </servlet>
>
> So far I thought this is a setting which is global for Tomcat
> (i.e., it can only be configured in Tomcat's *web.xml*). This is
> something I am not allowed to do, because the Tomcat has other apps
> too.
> 
> I have made some experiments and for me it seems when I run the app
> locally on my developer machine these settings take place even when
> it is only in the *web.xml* of my own application.
> 
> Could someone enlighten me what is the exact mechanism here?

When Tomcat deploys your context ("webapp"), it merges the global
conf/web.xml and the application's WEB-INF/web.xml with the
application's configuration overriding anything in the global
configuration. Therefore, if you replace the "jsp" servlet
configuration in WEB-INF/web.xml, it will (a) work and (b) only affect
that single application.

> The docs 
> also say *"The servlet which implements Jasper is configured using
> init parameters in your global $CATALINA_BASE/conf/web.xml"* so I'm
> confused if this is an expected behaviour, only a "developer
> setting" or it could work in a more restrictive production
> environment too. What I can think of is that the servlet generator
> has different contexts for all the applications, and if there is no
> specific setting then it inherits the one defined in the global
> *web.xml*.

You can also use <init-param> in WEB-INF/web.xml for the JSP servlet.
You will probably have to copy those settings you want from the JSP
configuration in conf/web.xml because I don't think Tomcat will merge
init-param between the two files.

Hope that helps,
- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
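The merge rule Chris describes, modelled as an added example (not code from this thread or from Tomcat): given a global conf/web.xml and an application WEB-INF/web.xml, it reports which JspServlet init-params are in effect and which global ones an application-level declaration silently drops, since init-params are not merged. Both descriptors are constructed samples; the global one mirrors the stock `fork`/`xpoweredBy` parameters, the application one is the override from this thread.

```python
"""Model of Tomcat's web.xml merge for the JspServlet (added example)."""
import xml.etree.ElementTree as ET

JSP_SERVLET_CLASS = "org.apache.jasper.servlet.JspServlet"

# Constructed sample: the "jsp" servlet as declared in a stock conf/web.xml.
GLOBAL_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the override from the thread, placed in WEB-INF/web.xml.
APP_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>mappedfile</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>trimSpaces</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so namespaced and bare descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def jsp_init_params(web_xml, servlet_class=JSP_SERVLET_CLASS):
    """Return {param-name: param-value} of the servlet declared with servlet_class,
    or None when this descriptor does not declare that servlet at all."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [_text(c) for c in servlet if _local(c.tag) == "servlet-class"]
        if classes != [servlet_class]:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            fields = {_local(c.tag): _text(c) for c in ip}
            params[fields.get("param-name")] = fields.get("param-value")
        return params
    return None


def effective_jsp_config(global_xml, app_xml):
    """Apply the rule from the thread: an application-level <servlet> replaces
    the global one wholesale; init-params from the two files are not merged."""
    global_params = jsp_init_params(global_xml) or {}
    app_params = jsp_init_params(app_xml)
    if app_params is None:
        return {"source": "global", "effective": global_params,
                "dropped": {}, "overridden": {}}
    dropped = {k: v for k, v in global_params.items() if k not in app_params}
    overridden = {k: (global_params[k], app_params[k]) for k in app_params
                  if k in global_params and global_params[k] != app_params[k]}
    return {"source": "application", "effective": app_params,
            "dropped": dropped, "overridden": overridden}


if __name__ == "__main__":
    report = effective_jsp_config(GLOBAL_WEB_XML, APP_WEB_XML)
    print("effective JspServlet config comes from:", report["source"])
    for name, value in report["effective"].items():
        print(f"  {name} = {value}")
    for name, value in report["dropped"].items():
        print(f"  WARNING: global init-param {name}={value} is no longer applied")
```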



Re: Mysql vs Postgress

2018-01-24 Thread loai.abdallatif
Thanks Andy 


Sent from my Samsung Galaxy smartphone.
---- Original message ----
From: Andy Susanto
Date: 1/25/18 12:33 AM (GMT+02:00)
To: Tomcat Users List
Subject: Re: Mysql vs Postgress
Hi Loai,

Here is a link to an article that compares DBs; it will help you make a choice.

https://medium.com/@yangforbig/sqlite-vs-mysql-vs-postgresql-a-comparison-of-relational-database-management-systems-afd5afd6566


Regards,

Andy Susanto

On Thu, Jan 25, 2018 at 4:54 AM, Enrico Olivelli 
wrote:

> Hi,
> If you are looking for replication maybe you can check out my project, it is
> HerdDB, you can find it on github or check the website http://herddb.org
> It has a jdbc driver and natively supports replication, using Apache
> BookKeeper and Apache Zookeeper.
> It is 100% free and opensource, ASL v2 licensed.
>
> I am a happy user of postgres and mysql and Hbase but HerdDB talks
> natively SQL like Mysql and PG and it is natively distributed like Hbase.
> It can run in Embedded mode, so that you do not need an external set of
> machines.
>
> Hope that helps
> Ping me if you need help or use the github issue tracker or subscribe to the
> mailing list
>
> PG vs MySQL: for complex applications with heavy usage of complex queries
> PG is surely better from my experience
>
>
> Cheers
> Enrico
>
> On Wed, 24 Jan 2018, 22:38 Loai Abdallatif wrote:
>
> > Dear  all
> >
> > I have a project that is based on Tomcat/Apache servers. Can anyone help
> > regarding the best DB engine (MySQL or Postgres), keeping in mind that
> > I'm interested in DB clustering/replication features?
> >
> > Kind Regards,
> >
> --
>
>
> -- Enrico Olivelli
>


Re: Mysql vs Postgress

2018-01-24 Thread loai.abdallatif
Thanks Igal


Sent from my Samsung Galaxy smartphone.
---- Original message ----
From: "Igal @ Lucee.org"
Date: 1/24/18 11:44 PM (GMT+02:00)
To: users@tomcat.apache.org
Subject: Re: Mysql vs Postgress
On 1/24/2018 1:37 PM, Loai Abdallatif wrote:
> Dear  all
>
> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?
>
> Kind Regards,
>
Very opinionated question, but in my opinion Postgres is better than any 
DBMS out there including MySQL and the commercial options.  In modern 
versions of Postgres replication and clustering are baked in to a large 
extent.

You should really check with the Postgres mailing list though.

Best,

Igal Sapir
Lucee Core Developer
Lucee.org 



Re: Fw: No movement at Debug mode

2018-01-24 Thread Karen Goh


On Tue, 1/23/18, Christopher Schultz  wrote:

 Subject: Re: Fw: No movement at Debug mode
 To: users@tomcat.apache.org
 Date: Tuesday, January 23, 2018, 11:58 PM
 
 
 Karen,
 
 On 1/21/18 10:49 AM, Karen Goh wrote:
 > I want to add in additional info:
 > 
 > After I stopped the server, the console has the following error
 > message which beats me.
 > 
 > WARNING: The web application [Hi5S] appears to have started a
 > thread named [Abandoned connection cleanup thread] but has failed
 > to stop it. This is very likely to create a memory leak. Stack
 > trace of thread:
 > java.io.WinNTFileSystem.canonicalize0(Native Method)
 > java.io.WinNTFileSystem.canonicalize(WinNTFileSystem.java:428)
 > java.io.File.getCanonicalPath(File.java:618)
 > org.apache.catalina.webresources.AbstractFileResourceSet.file(AbstractFileResourceSet.java:90)
 > org.apache.catalina.webresources.DirResourceSet.getResource(DirResourceSet.java:101)
 > org.apache.catalina.webresources.StandardRoot.getResourceInternal(StandardRoot.java:281)
 > org.apache.catalina.webresources.CachedResource.validateResource(CachedResource.java:97)
 > org.apache.catalina.webresources.Cache.getResource(Cache.java:69)
 > org.apache.catalina.webresources.StandardRoot.getResource(StandardRoot.java:216)
 > org.apache.catalina.webresources.StandardRoot.getClassLoaderResource(StandardRoot.java:225)
 > org.apache.catalina.loader.WebappClassLoaderBase.findResource(WebappClassLoaderBase.java:884)
 > org.apache.catalina.loader.WebappClassLoaderBase.getResource(WebappClassLoaderBase.java:1005)
 > com.mysql.jdbc.AbandonedConnectionCleanupThread.checkContextClassLoaders(AbandonedConnectionCleanupThread.java:90)
 > com.mysql.jdbc.AbandonedConnectionCleanupThread.run(AbandonedConnectionCleanupThread.java:63)
 > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 > java.lang.Thread.run(Thread.java:748)
 > 
 > I hope with the new info, this group will be able to help me
 > resolve the error.
 
 The MySQL Connector/J simply has a bug. Upgrade to the latest version
 to see if they have fixed it.
 
 I gave up trying to convince them that it was a problem and that they
 needed to fix it, because I guess they fundamentally don't understand
 what it means to want to be able to "completely deregister the driver
 and shutdown all threads".
 
 - -chris

Hi Chris,

I added the MySQL Connector/J 5.1.45.bin.jar to the build path, but the thing is
that it does not seem to work with Tomcat 9.0.4.

There is a copy of 5.1.45.bin.jar that I pasted into my Tomcat server location.

The MySQL connection in my MySQL Workbench 6.3 is tested OK.

I did a test connection in Eclipse and it gives me the following error:

java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:814)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at org.eclipse.datatools.connectivity.drivers.jdbc.JDBCConnection.createConnection(JDBCConnection.java:327)
at org.eclipse.datatools.connectivity.drivers.jdbc.JDBCConnection.internalCreateConnection(JDBCConnection.java:229)
at org.eclipse.datatools.connectivity.drivers.jdbc.JDBCConnection.open(JDBCConnection.java:120)
at org.eclipse.datatools.enablement.internal.mysql.connection.JDBCMySQLConnectionFactory.createConnection(JDBCMySQLConnectionFactory.java:28)
at org.eclipse.datatools.connectivity.internal.ConnectionFactoryProvider.createConnection(ConnectionFactoryProvider.java:83)
at org.eclipse.datatools.connectivity.internal.ConnectionProfile.createConnection(ConnectionProfile.java:359)
at org.eclipse.datatools.connectivity.ui.PingJob.createTestConnection(PingJob.java:76)
at org.eclipse.datatools.connectivity.ui.PingJob.run(PingJob.java:59)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)

Here's what is in my pom.xml, which I hope will help give further insight into
my problem:

<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>Hi5S</groupId>
  <artifactId>Hi5S</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-war-plugin</artifactId>
      <version>3.1.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-jdbc</artifactId>
      <version>9.0.2</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.10.0</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.10.0</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>jstl</artifactId>
      <version>1.2</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>commons-digester</groupId>
      <artifactId>commons-digester</artifactId>
      <version>2.1</version>
      <scope>compile</scope>
    </dependency>
    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <!-- the message is cut off here -->

Re: Mysql vs Postgress

2018-01-24 Thread loai.abdallatif
Thanks Enrico 


Sent from my Samsung Galaxy smartphone.
---- Original message ----
From: Enrico Olivelli
Date: 1/24/18 11:54 PM (GMT+02:00)
To: Tomcat Users List
Subject: Re: Mysql vs Postgress
Hi,
If you are looking for replication maybe you can check out my project, it is
HerdDB, you can find it on github or check the website http://herddb.org
It has a jdbc driver and natively supports replication, using Apache
BookKeeper and Apache Zookeeper.
It is 100% free and opensource, ASL v2 licensed.

I am a happy user of postgres and mysql and Hbase but HerdDB talks
natively SQL like Mysql and PG and it is natively distributed like Hbase.
It can run in Embedded mode, so that you do not need an external set of
machines.

Hope that helps
Ping me if you need help or use the github issue tracker or subscribe to the
mailing list

PG vs MySQL: for complex applications with heavy usage of complex queries
PG is surely better from my experience


Cheers
Enrico

On Wed, 24 Jan 2018, 22:38 Loai Abdallatif wrote:

> Dear all
>
> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?
>
> Kind Regards,
>
-- 


-- Enrico Olivelli


Re: Mysql vs Postgress

2018-01-24 Thread loai.abdallatif
 thanks Hassan 


Sent from my Samsung Galaxy smartphone.
---- Original message ----
From: Hassan Schroeder
Date: 1/25/18 1:33 AM (GMT+02:00)
To: Tomcat Users List
Subject: Re: Mysql vs Postgress
On Wed, Jan 24, 2018 at 1:37 PM, Loai Abdallatif
 wrote:

> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?

Aside from personal preferences -- I am not a Postgres fanboy --
why not try them both out and see which you prefer?

As long as you write DB-agnostic SQL you can spin up AWS RDS
instances, one of each, and test-drive for a couple of dollars.

And if you stick with AWS you get replication, hot standby, etc. built in.
(Note: all that might be true of other cloud providers.)

FWIW!
-- 
Hassan Schroeder  hassan.schroe...@gmail.com
twitter: @hassan
Consulting Availability : Silicon Valley or remote




Re: Mysql vs Postgress

2018-01-24 Thread Hassan Schroeder
On Wed, Jan 24, 2018 at 1:37 PM, Loai Abdallatif
 wrote:

> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?

Aside from personal preferences -- I am not a Postgres fanboy --
why not try them both out and see which you prefer?

As long as you write DB-agnostic SQL you can spin up AWS RDS
instances, one of each, and test-drive for a couple of dollars.

And if you stick with AWS you get replication, hot standby, etc. built in.
(Note: all that might be true of other cloud providers.)

FWIW!
-- 
Hassan Schroeder  hassan.schroe...@gmail.com
twitter: @hassan
Consulting Availability : Silicon Valley or remote




Re: roles stripped when using login() in tomcat 8.5 but not 8.0

2018-01-24 Thread Robert J. Carr
On Tue, Jan 23, 2018 at 1:03 PM, Robert J. Carr  wrote:

> On Tue, Jan 23, 2018 at 9:54 AM, Konstantin Kolinko <
> knst.koli...@gmail.com> wrote:
>
>> 2018-01-22 11:25 GMT+03:00 Robert J. Carr :
>> > Hi Mark, everyone-
>> >
>> > I've constructed a sample app of ~5 files.  The code is bundled in the
>> > jar file in the WEB-INF/lib directory.  Here's a public url for the
>> > application (test.war; 8K):
>> >
>> > https://drive.google.com/file/d/1mZRXrm90F4WN3mizqoqrWYmQ1HHfrSS4/view?usp=sharing
>> >
>>
>> Thank you for the sample application! It is easy to reproduce the issue.
>>
>> I filed it into Bugzilla:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=62036
>>
>> I went on to upload your test.war there (I fixed some typos in web.xml
>> and repacked). I hope that you do not mind.
>>
>>
>> Best regards,
>> Konstantin Kolinko
>>
>>
> Hi Konstantin-
>
> Thanks for looking into this, and yes, it's fine to share the example
> application.
>
> It looks like you've already done some research.  I'll follow the defect
> ticket and see what happens.  I was hoping there was just some
> configuration I was missing, so I'll still hold out for that.
>
> Thanks again for the time, and a special thanks for confirming I'm not
> crazy! :)
>
> Robert
>
>
Hi Mark, Konstantin-

I looked in on that defect ticket and it appears you found and fixed a
problem.  Great!  But I also noticed you said the same problems were
happening for you in 8 and 8.5 and even happening in the same version of 8
I was testing against.

So I went and grabbed a clean version of 8.0.43 and sure enough, you're
right, I'm seeing the same problems there as well.  But this is good news,
as it means there's a config that can likely fix the problem.

I was in the process of writing this long email, hoping you could help me
find the config that makes the difference, and *finally* I found it.  Turns
out if you turn on single sign-on then this bug doesn't present itself.  I
had forgotten I had turned that on in my test server.

So, although you fixed the bug, I thought you'd like to have that
information.  And to say thanks for indirectly helping me to find a
solution!

Cheers-
Robert


Re: Mysql vs Postgress

2018-01-24 Thread Andy Susanto
Hi Loai,

Here is a link to an article that compares DBs; it will help you make a choice.

https://medium.com/@yangforbig/sqlite-vs-mysql-vs-postgresql-a-comparison-of-relational-database-management-systems-afd5afd6566


Regards,

Andy Susanto

On Thu, Jan 25, 2018 at 4:54 AM, Enrico Olivelli 
wrote:

> Hi,
> If you are looking for replication maybe you can check out my project, it is
> HerdDB, you can find it on github or check the website http://herddb.org
> It has a jdbc driver and natively supports replication, using Apache
> BookKeeper and Apache Zookeeper.
> It is 100% free and opensource, ASL v2 licensed.
>
> I am a happy user of postgres and mysql and Hbase but HerdDB talks
> natively SQL like Mysql and PG and it is natively distributed like Hbase.
> It can run in Embedded mode, so that you do not need an external set of
> machines.
>
> Hope that helps
> Ping me if you need help or use the github issue tracker or subscribe to the
> mailing list
>
> PG vs MySQL: for complex applications with heavy usage of complex queries
> PG is surely better from my experience
>
>
> Cheers
> Enrico
>
> On Wed, 24 Jan 2018, 22:38 Loai Abdallatif wrote:
>
> > Dear all
> >
> > I have a project that is based on Tomcat/Apache servers. Can anyone help
> > regarding the best DB engine (MySQL or Postgres), keeping in mind that
> > I'm interested in DB clustering/replication features?
> >
> > Kind Regards,
> >
> --
>
>
> -- Enrico Olivelli
>


Re: Mysql vs Postgress

2018-01-24 Thread Enrico Olivelli
Hi,
If you are looking for replication maybe you can check out my project, it is
HerdDB, you can find it on github or check the website http://herddb.org
It has a jdbc driver and natively supports replication, using Apache
BookKeeper and Apache Zookeeper.
It is 100% free and opensource, ASL v2 licensed.

I am a happy user of postgres and mysql and Hbase but HerdDB talks
natively SQL like Mysql and PG and it is natively distributed like Hbase.
It can run in Embedded mode, so that you do not need an external set of
machines.

Hope that helps
Ping me if you need help or use the github issue tracker or subscribe to the
mailing list

PG vs MySQL: for complex applications with heavy usage of complex queries
PG is surely better from my experience


Cheers
Enrico

On Wed, 24 Jan 2018, 22:38 Loai Abdallatif wrote:

> Dear all
>
> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?
>
> Kind Regards,
>
-- 


-- Enrico Olivelli


Re: Mysql vs Postgress

2018-01-24 Thread Igal @ Lucee.org

On 1/24/2018 1:37 PM, Loai Abdallatif wrote:

> Dear all
>
> I have a project that is based on Tomcat/Apache servers. Can anyone help
> regarding the best DB engine (MySQL or Postgres), keeping in mind that
> I'm interested in DB clustering/replication features?
>
> Kind Regards,

Very opinionated question, but in my opinion Postgres is better than any 
DBMS out there including MySQL and the commercial options.  In modern 
versions of Postgres replication and clustering are baked in to a large 
extent.


You should really check with the Postgres mailing list though.

Best,

Igal Sapir
Lucee Core Developer
Lucee.org 



Mysql vs Postgress

2018-01-24 Thread Loai Abdallatif
Dear  all

I have a project that is based on Tomcat/Apache servers. Can anyone help
regarding the best DB engine (MySQL or Postgres), keeping in mind that
I'm interested in DB clustering/replication features?

Kind Regards,


Modify JspServlet config in application web.xml?

2018-01-24 Thread Richárd Olivér Legéndi
Hi All,

Yy! I'm sending a tech mail to an open source community after years!
You can't believe what a relief it is :-)

Anyway, I would like to ask your help about some config topic.

I would need the following configuration *only* for my webapp:

<servlet>
  <servlet-name>jsp</servlet-name>
  <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  <init-param>
    <param-name>mappedfile</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>trimSpaces</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>3</load-on-startup>
</servlet>

So far I thought this is a setting which is global for Tomcat (i.e., it can
only be configured in Tomcat's *web.xml*). This is something I am not
allowed to do, because the Tomcat has other apps too.

I have made some experiments and for me it seems when I run the app locally
on my developer machine these settings take place even when it is only in
the *web.xml* of my own application.

Could someone enlighten me what is the exact mechanism here?

The docs  also
say *"The servlet which implements Jasper is configured using init
parameters in your global $CATALINA_BASE/conf/web.xml"* so I'm confused if
this is an expected behaviour, only a "developer setting" or it could work
in a more restrictive production environment too. What I can think of is
that the servlet generator has different contexts for all the applications,
and if there is no specific setting then it inherits the one defined in the
global *web.xml*.

Any links / pointers / suggestions would be more than welcome!

Thanks a lot in advance, guys!

Best,
Richard


Re: Questions about JSSEUtil#getKeyManagers

2018-01-24 Thread Nitkalya Wiriyanuparb (Ing)

On 24 Jan 2018, 9:45 PM +1300, Mark Thomas , wrote:
> On 23/01/18 02:57, Nitkalya (Ing) Wiriyanuparb wrote:
> > Hi all,
> >
> > I'm on Java 8 and Tomcat 8.5.26 (built from tag) moving from 7.0.41.
> >
> > I have a little problem with how JSSEUtil#getKeyManagers creates key
> > managers. This essentially causes Tomcat to sometimes serve an incorrect
> > server certificate chain during ServerHello.
> > -Djavax.net.debug=all gave me a clue as it printed out multiple "matching
> > alias", so I believe it's because the key manager (and key store) returned
> > from that method doesn't contain only one key. From what I see, when
> > switching to in-memory key store getKeyManagers creates a new key store of
> > the configured type, calls setKeyEntry and expects the new key store to
> > have only this one key in it.
> >
> > Note that we have our own implementation of the key store, but please bear
> > with me.
> >
> > I'm also aware of this following bit of documentation and I suspect that
> > the second sentence is very much related to my problem here. I'm also sure
> > the certificateKeyAlias is set correctly and SSLHostConfigCertificate has
> > all the expected values when I checked in debug mode.
> >
> > > The alias used for the server key and certificate in the keystore. If not
> > specified, the first key read from the keystore will be used. The order in
> > which keys are read from the keystore is implementation dependent.
> >
> > We didn't have this problem in 7.0.41 because it's doing something less
> > complex and eventually just creates a JSSEKeyManager with the expected key
> > alias with the key store as a delegate – see
> > https://github.com/apache/tomcat70/blob/TOMCAT_7_0_41/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L563
> >
> > But in 8.5,
> > https://github.com/apache/tomcat85/blob/TOMCAT_8_5_26/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java#L267
> > the identity comparison "ksUsed == ks" looks kind of weird to me as
> > KeyStore.getInstance (at least in Oracle Java 8) always returns a new
> > instance of KeyStore, so the checks will never be true (or will it?).
>
> Yes they will. As per the comment at line 255, non-PKCS#8 keystores will
> use the original key store.
>
> > Ideally, I'd want to find a way to get into that if block so the end state
> > is like in 7.0.41.
> >
> > As I mentioned, we have our own key store implementation and it always
> > loads all keys it's supposed to know about so reassigning "ksUsed =
> > KeyStore.getInstance..." doesn't make a difference for us – it actually
> > makes it worse as without it "ksUsed == ks" would have been true.
>
> And there is the problem.
>
> Tomcat is jumping through quite a few hoops to handle various use cases:
> - PEM encoded keys
> - keystores with multiple keys each with their own password
>
> That last one is the cause of most of the trouble. Key stores allow this
> but the KeyManagerFactory API doesn't. This is why we now always create
> the in-memory key store. When we do this, we can't just use JKS for the
> in-memory key store type as that creates issues like BZ 61557.
>
> > We technically can just modify or introduce a new key store implementation
> > to cater for Tomcat implementation – locally patching Tomcat to remove the
> > identity check would work for us as well.
> >
> > Before doing that, am I missing something obvious? is reimplementing our
> > key store the way to go here?
>
> I don't think you are missing anything obvious. We could look at adding
> (even more) configuration options to separately control the type and
> provider for the in-memory key store (assuming using JKS here would work
> for you) but I'm a little concerned about how complex that code is getting.
>
I guess that’s another option. JKS would work for us. We have our own 
implementation of in-memory key store that would also (almost) work if Tomcat 
let us pick a different key store type for the in-memory store. But that sounds 
a bit yucky as it's exposing an option for internal Tomcat implementation.

> I think I'd look at modifying your key store implementation but if that
> is a lot of work, we can explore some additional configuration options
> in Tomcat.
The current easiest workaround for us is patching Tomcat internally as 
mentioned (our application stack is pretty strict so we’re sure nothing will be 
using a different key store). But if the current Tomcat implementation is here 
to stay, I would prefer doing the right thing. I’ll discuss this with my team 
and try creating another key store type for Tomcat as well.
>
> Cheers,
>
> Mark
>

Cheers,
Ing


Re: Questions about JSSEUtil#getKeyManagers

2018-01-24 Thread Mark Thomas
On 23/01/18 02:57, Nitkalya (Ing) Wiriyanuparb wrote:
> Hi all,
> 
> I'm on Java 8 and Tomcat 8.5.26 (built from tag) moving from 7.0.41.
> 
> I have a little problem with how JSSEUtil#getKeyManagers creates key
> managers. This essentially causes Tomcat to sometimes serve an incorrect
> server certificate chain during ServerHello.
> -Djavax.net.debug=all gave me a clue as it printed out multiple "matching
> alias", so I believe it's because the key manager (and key store) returned
> from that method doesn't contain only one key. From what I see, when
> switching to in-memory key store getKeyManagers creates a new key store of
> the configured type, calls setKeyEntry and expects the new key store to
> have only this one key in it.
> 
> Note that we have our own implementation of the key store, but please bear
> with me.
> 
> I'm also aware of this following bit of documentation and I suspect that
> the second sentence is very much related to my problem here. I'm also sure
> the certificateKeyAlias is set correctly and SSLHostConfigCertificate has
> all the expected values when I checked in debug mode.
> 
>> The alias used for the server key and certificate in the keystore. If not
> specified, the first key read from the keystore will be used. The order in
> which keys are read from the keystore is implementation dependent.
> 
> We didn't have this problem in 7.0.41 because it's doing something less
> complex and eventually just creates a JSSEKeyManager with the expected key
> alias with the key store as a delegate – see
> https://github.com/apache/tomcat70/blob/TOMCAT_7_0_41/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java#L563
> 
> But in 8.5,
> https://github.com/apache/tomcat85/blob/TOMCAT_8_5_26/java/org/apache/tomcat/util/net/jsse/JSSEUtil.java#L267
> the identity comparison "ksUsed == ks" looks kind of weird to me as
> KeyStore.getInstance (at least in Oracle Java 8) always returns a new
> instance of KeyStore, so the checks will never be true (or will it?).

Yes they will. As per the comment at line 255, non-PKCS#8 keystores will
use the original key store.

> Ideally, I'd want to find a way to get into that if block so the end state
> is like in 7.0.41.
> 
> As I mentioned, we have our own key store implementation and it always
> loads all keys it's supposed to know about so reassigning "ksUsed =
> KeyStore.getInstance..." doesn't make a difference for us – it actually
> makes it worse as without it "ksUsed == ks" would have been true.

And there is the problem.

Tomcat is jumping through quite a few hoops to handle various use cases:
- PEM encoded keys
- keystores with multiple keys each with their own password

That last one is the cause of most of the trouble. Key stores allow this
but the KeyManagerFactory API doesn't. This is why we now always create
the in-memory key store. When we do this, we can't just use JKS for the
in-memory key store type as that creates issues like BZ 61557.

> We technically can just modify or introduce a new key store implementation
> to cater for Tomcat implementation – locally patching Tomcat to remove the
> identity check would work for us as well.
> 
> Before doing that, am I missing something obvious? is reimplementing our
> key store the way to go here?

I don't think you are missing anything obvious. We could look at adding
(even more) configuration options to separately control the type and
provider for the in-memory key store (assuming using JKS here would work
for you) but I'm a little concerned about how complex that code is getting.

I think I'd look at modifying your key store implementation but if that
is a lot of work, we can explore some additional configuration options
in Tomcat.

Cheers,

Mark
