Re: Resource leak for WebSockets closed with NOT_CONSISTENT reason

2019-07-29 Thread Kirill Ilyukhin
Hello Mark,

Please see the test case and Tomcat JVM heap dump screenshot attached.
For the sake of simplicity I do Thread.sleep() in client code instead of
reading bytes from the server.
Test configuration is the following:

Server version:Apache Tomcat/8.5.3
Server built:  Jun 9 2016 11:16:29 UTC
Server number: 8.5.3.0
OS Name:   Mac OS X
OS Version:10.14.5
Architecture:  x86_64
JVM Version:   1.8.0_112-b16
JVM Vendor:Oracle Corporation
The APR based Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path: ...

Thank you,
Kirill

On Tue, 30 Jul 2019 at 02:15, Mark Thomas wrote:

> On 26/07/2019 10:33, Kirill Ilyukhin wrote:
> > Hello,
> >
> > When Tomcat receives a WebSocket text message with invalid UTF-8, it closes
> > this connection with NOT_CONSISTENT reason. But after that some objects
> > (WsSession, UpgradeHandler, etc.) stay in the heap forever. They are
> > referenced from AbstractProtocol's connections map.
> >
> > This leak consistently happens with Tomcat 8.5.3 and 8.5.43, both on Mac
> > OS and Windows, with or without Tomcat native.
> >
> > I have created a very simple WebSocket Endpoint which does nothing except
> > logging its events and incoming messages, please see the code below. Also
> > you will need a WebSocket client which sends broken UTF-8 in a text message
> > right after connecting to the server.
>
> I can't repeat this with either 9.0.x or 8.5.x. I've repeated the steps
> described above and checked the resulting state with a profiler. No
> references are retained to WsSession objects nor WsHttpUpgradeHandler
> objects.
>
> You'll need to provide the simplest possible test case (single class
> client, simplest possible WAR) that demonstrates the issue.
>
> Mark
>
>
> >
> > Thank you,
> > Kirill
> >
> > ---
> > package com.example.wstest;
> >
> > import org.apache.log4j.Logger;
> > import javax.websocket.*;
> >
> > public class WSEndpoint extends Endpoint {
> >     private static final Logger logger = Logger.getLogger(WSEndpoint.class);
> >     private WSConnection connection;
> >
> >     @Override
> >     public void onOpen(Session session, EndpointConfig config) {
> >         connection = new WSConnection(session);
> >         logger.info("Opened WebSocket session-" + session.getId());
> >     }
> >
> >     @Override
> >     public void onClose(Session session, CloseReason closeReason) {
> >         logger.info("Closed WebSocket session-" + session.getId()
> >                 + ", reason: " + closeReason.getCloseCode()
> >                 + " (" + closeReason.getReasonPhrase() + ")");
> >         // onError may already have released the handler; avoid a NullPointerException
> >         if (connection != null) {
> >             connection.destroy();
> >             connection = null;
> >         }
> >     }
> >
> >     @Override
> >     public void onError(Session session, Throwable throwable) {
> >         logger.info("Error on WebSocket session-" + session.getId(), throwable);
> >         if (connection != null) {
> >             connection.destroy();
> >             connection = null;
> >         }
> >     }
> >
> >     // Whole-message handler for text frames; the String type argument tells
> >     // the container which message type this handler accepts
> >     static class WSConnection implements MessageHandler.Whole<String> {
> >         private final Session session;
> >
> >         WSConnection(Session session) {
> >             this.session = session;
> >             session.addMessageHandler(this);
> >         }
> >
> >         public void destroy() {
> >             session.removeMessageHandler(this);
> >         }
> >
> >         @Override
> >         public void onMessage(String message) {
> >             logger.info("Session-" + session.getId() + " onMessage(" + message + ")");
> >         }
> >     }
> > }
> > ---
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Can Tomcat log handshake failures, and where?

2019-07-29 Thread Mark Boon
We're using Tomcat 8.5 + Java 8.

When I do something like openssl s_client -cipher ECDHE-RSA-NULL-SHA -connect :443
(where obviously ECDHE-RSA-NULL-SHA is not specified in my cipher list on the 
Tomcat server) the message on the client side is

140701349295768:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert 
handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 139 bytes
---
New, (NONE), Cipher is (NONE)

But I don't see anything logged by Tomcat on the server side. Not to stdout, 
not to catalina.out or any other log file we have.
Apparently for compliance reasons we're required to log any failed connection 
attempt. So I'd like to know if and how I can get Tomcat to emit such 
information.
I can pass in -Djavax.net.debug=ssl:handshake but that seems rather overkill. 
The output for failed handshakes is OK, but for successful handshakes it's 
enormous.

I would actually have expected something to be logged in the access log we have 
specified in the AccessLogValve specification in server.xml. But it seems that 
only reports access events after a successful SSL handshake has taken place.

Does anyone know any other method?

Thanks, in advance.

Mark Boon




Re: Password is not working properly

2019-07-29 Thread Christopher Schultz

Konstantin,

On 7/29/19 08:36, Konstantin Kolinko wrote:
> Thu, 25 Jul 2019 at 17:23, Support :
>> 
>> Hi Sir,
>> 
>> I am using tomcat 9 for my application. For my admin page, I have
>> a username and password in conf/tomcat-user.xml. Using digest.sh,
>> I encrypted my password(sha-256).
>> 
>> password: Password encrypted:
>> 5er5akakfkd556546adnfjbkklndkfgbjdb
> 
> Even though everyone now knows your password,

Do we? Unless the password shown above is NOT hashed in any way, I
think we are out of luck. It is definitely NOT the output of any hash
function I know of.

> but nobody knows what you actually did (step-by-step), nor what
> exact version of Tomcat 9.0.xx you are using, nor how your Realm is
> configured.
> 
> Your "encrypted" value does not look like a correct password
> digest, which has format "{salt}${iterations}${digest}"

+1

It's possible to get a non-iterated "digested" password from Tomcat
these days, but you have to try pretty hard.

The old digest capability Tomcat had for many years has been replaced
with a properly-salted, iterated hash algorithm.

If you are starting from scratch, you are better off using the default
which is now PBKDF2WithHmacSHA1. It's better than trying to determine
your own salt length and iteration count.

-chris




Re: Tomcat manager keystore reload

2019-07-29 Thread Joseph Dornisch
> Joseph,
>
> On 7/25/19 11:53, Joseph Dornisch wrote:
> > Hello,
> >
> > I have a CRL configured in my tomcat server configuration. If I
> > update it and want to have Tomcat refresh it, I can login into
> > https://127.0.0.1/manager/html and click the "Re-read" button
> > under "Configuration->Re-read TLS configuration files" and this
> > causes my CRL to be reread. It works great.
> >
> > However, I have read here,
> > https://people.apache.org/~schultz/ApacheCon%20NA%202018/Let's%20Encrypt%20Apache%20Tomcat.pdf
> > on page 34 you can do basically the same thing with a command something
> > like:
> > https://localhost/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostConfigs
> >
> > When I do this, I get back:
> >
> > Error - java.lang.NullPointerException
> > java.lang.NullPointerException at
> > org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264)
>
> What is the port number and bind-address of your protocol handler?

Is this different from the web server? I directed it to use 443, as I am
running tomcat https out of 443. I also just specified the local machine
name. I think I tried a few things here. Is there a good way to look up
what these should be if they are different from how you access tomcat in
general?

>
> > Is this command supposed to work in Tomcat 8.5.43? Is there a
> > different command. Short of this, the only way to force reload
> > without manual intervention seems to be to login to the manager
> > from code, and then execute
> > https://127.0.0.1/manager/html/sslReload?org.apache.catalina.filters.CSRF_NONCE=
> >
>
> The URL you have above (if correct) is using the manager to do the
> same thing using the JMX proxy that you are doing with the manager GUI.

It's only incorrect in that I changed the 'NONCE' to text for the purpose
of hopefully making it more readable here. It does work to reload the
configuration (and specifically reread my CRL files).

>
> > I've seen that I might also write some code that Tomcat itself
> > would run periodically to refresh the SSL configuration. Could
> > anyone provide any ideas here?
>
> You can do it, but IMO it's better to trigger it externally, assuming
> that you are already deploying the manager app and the JMX proxy servlet

Apparently we might have security issues if we run the manager application
in production so right now I am planning on extending the Http11NioProtocol
class to periodically refresh as is done in:
https://serverfault.com/questions/328533/can-tomcat-reload-its-ssl-certificate-without-being-restarted

Thank you for responding Chris, if you have any additional advice, I'd be
very happy to read it. (or if anyone else wants to add advice, I'd be happy
to read that as well).
> -chris


Re: Resource leak for WebSockets closed with NOT_CONSISTENT reason

2019-07-29 Thread Mark Thomas
On 26/07/2019 10:33, Kirill Ilyukhin wrote:
> Hello,
> 
> When Tomcat receives a WebSocket text message with invalid UTF-8, it closes
> this connection with NOT_CONSISTENT reason. But after that some objects
> (WsSession, UpgradeHandler, etc.) stay in the heap forever. They are referenced
> from AbstractProtocol's connections map.
> 
> This leak consistently happens with Tomcat 8.5.3 and 8.5.43, both on Mac OS
> and Windows, with or without Tomcat native.
> 
> I have created a very simple WebSocket Endpoint which does nothing except
> logging its events and incoming messages, please see the code below. Also
> you will need a WebSocket client which sends broken UTF-8 in a text message
> right after connecting to the server.

I can't repeat this with either 9.0.x or 8.5.x. I've repeated the steps
described above and checked the resulting state with a profiler. No
references are retained to WsSession objects nor WsHttpUpgradeHandler
objects.

You'll need to provide the simplest possible test case (single class
client, simplest possible WAR) that demonstrates the issue.

Mark


> 
> Thank you,
> Kirill
> 
> ---
> package com.example.wstest;
> 
> import org.apache.log4j.Logger;
> import javax.websocket.*;
> 
> public class WSEndpoint extends Endpoint {
>     private static final Logger logger = Logger.getLogger(WSEndpoint.class);
>     private WSConnection connection;
> 
>     @Override
>     public void onOpen(Session session, EndpointConfig config) {
>         connection = new WSConnection(session);
>         logger.info("Opened WebSocket session-" + session.getId());
>     }
> 
>     @Override
>     public void onClose(Session session, CloseReason closeReason) {
>         logger.info("Closed WebSocket session-" + session.getId()
>                 + ", reason: " + closeReason.getCloseCode()
>                 + " (" + closeReason.getReasonPhrase() + ")");
>         // onError may already have released the handler; avoid a NullPointerException
>         if (connection != null) {
>             connection.destroy();
>             connection = null;
>         }
>     }
> 
>     @Override
>     public void onError(Session session, Throwable throwable) {
>         logger.info("Error on WebSocket session-" + session.getId(), throwable);
>         if (connection != null) {
>             connection.destroy();
>             connection = null;
>         }
>     }
> 
>     // Whole-message handler for text frames; the String type argument tells
>     // the container which message type this handler accepts
>     static class WSConnection implements MessageHandler.Whole<String> {
>         private final Session session;
> 
>         WSConnection(Session session) {
>             this.session = session;
>             session.addMessageHandler(this);
>         }
> 
>         public void destroy() {
>             session.removeMessageHandler(this);
>         }
> 
>         @Override
>         public void onMessage(String message) {
>             logger.info("Session-" + session.getId() + " onMessage(" + message + ")");
>         }
>     }
> }
> ---
> 





Re: Can Tomcat ignore overridden jar

2019-07-29 Thread Jmeter Tea
Thanks Konstantin Kolinko for the feature reference,
We are uploading jar(s) only, is it still relevant?

On Mon, Jul 29, 2019 at 4:06 PM Konstantin Kolinko wrote:

> Sun, 28 Jul 2019 at 09:26, Jmeter Tea :
> >
> > We are using Tomcat 8.5 *without any hot deploy*,
> >
> > I assume that classes are loaded to memory and for example if class
> change
> > in jar it will ignore (not hot deploy)
>
> Mark have already answered your question.
>
> Adding to that: I think you should consider using the "parallel
> deployment" feature. You can deploy a new version of your application
> in parallel with the old one.
>
>
> http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Parallel_deployment
>
> Best regards,
> Konstantin Kolinko
>


Re: Can Tomcat ignore overridden jar

2019-07-29 Thread Konstantin Kolinko
Sun, 28 Jul 2019 at 09:26, Jmeter Tea :
>
> We are using Tomcat 8.5 *without any hot deploy*,
>
> I assume that classes are loaded to memory and for example if class change
> in jar it will ignore (not hot deploy)

Mark has already answered your question.

Adding to that: I think you should consider using the "parallel
deployment" feature. You can deploy a new version of your application
in parallel with the old one.

http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Parallel_deployment

Best regards,
Konstantin Kolinko




Re: Password is not working properly

2019-07-29 Thread Konstantin Kolinko
Thu, 25 Jul 2019 at 17:23, Support :
>
> Hi Sir,
>
> I am using tomcat 9 for my application. For my admin page, I have a
> username and password in conf/tomcat-user.xml.
> Using digest.sh, I encrypted my password(sha-256).
>
> password: Password
> encrypted: 5er5akakfkd556546adnfjbkklndkfgbjdb

Even though everyone now knows your password,
but nobody knows what you actually did (step-by-step),
nor what exact version of Tomcat 9.0.xx you are using,
nor how your Realm is configured.

Your "encrypted" value does not look like a correct password digest,
which has format "{salt}${iterations}${digest}"




Re: Negative pattern match in rewrite rule is not as documented

2019-07-29 Thread Mark Thomas
On 24/07/2019 20:14, Michael Chen wrote:
> Hi,
> 
> The mention of using "NOT character ('!')" in rule patterns as negative
> match no longer matches implementation:
> 
> https://tomcat.apache.org/tomcat-8.5-doc/rewrite.html
> 
> In the rules, the NOT character ('!') is also available as a possible
>> pattern prefix. This enables you to negate a pattern; to say, for instance:
>> ``*if the current URL does NOT match this pattern*''. This can be used
>> for exceptional cases, where it is easier to match the negative pattern, or
>> as a last default rule.
>>
> 
> The current implementation uses java.util.regex, which does not support a
> simple ! prefix as a negative match regex:
> 
> https://docs.oracle.com/javase/8/docs/api/index.html?java/util/regex/Pattern.html
> 
> Instead, you need to use zero-width lookahead like this (to match any URL
> but /portal/api/.*)
> 
> ^(?!/portal/api/.*).*$
> 
> This inaccurate documentation exists in all versions, at least since 8.0.x.
> For backward compatibility to the above documentation, RewriteRule needs
> the `positive` variable and logic found in the RewriteCond class.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63608

Thanks. I see the bug report. This is next on my TODO list. Although if
someone wants to beat me to it with a patch that would be great :)

Mark




Re: Can Tomcat ignore overridden jar

2019-07-29 Thread Mark Thomas
On 28/07/2019 07:26, Jmeter Tea wrote:
> We are using Tomcat 8.5 *without any hot deploy*,
> 
> I assume that classes are loaded to memory and for example if class change
> in jar it will ignore (not hot deploy)

Correct. But, classes are only loaded as needed. Tomcat does not load
every class in a JAR when the web application starts. And only classes
are loaded into memory. Other resources may be read from the JAR as
required and NOT cached.

> But if we override a jar when application is running it overrides classes
> (or removing it)

Yes, for classes that haven't yet been loaded.

> For example when I copy empty jar it throws ZipException for classes that
> were in the jar:

No, that is not what is happening here. Your code is using the
ServiceLoader which means each JAR's META-INF directory will be searched
for service definitions. The empty JAR file is triggering the error.

> java.lang.IllegalStateException: java.util.zip.ZipException: zip file is empty
> at org.apache.catalina.webresources.AbstractSingleArchiveResourceSet.getArchiveEntry(AbstractSingleArchiveResourceSet.java:97)
> at org.apache.catalina.webresources.AbstractArchiveResourceSet.getResource(AbstractArchiveResourceSet.java:260)
> at org.apache.catalina.webresources.StandardRoot.getResourcesInternal(StandardRoot.java:327)
> at org.apache.catalina.webresources.CachedResource.validateResources(CachedResource.java:127)
> at org.apache.catalina.webresources.Cache.getResources(Cache.java:147)
> at org.apache.catalina.webresources.StandardRoot.getResources(StandardRoot.java:315)
> at org.apache.catalina.webresources.StandardRoot.getClassLoaderResources(StandardRoot.java:231)
> at org.apache.catalina.loader.WebappClassLoaderBase.findResources(WebappClassLoaderBase.java:939)
> at java.lang.ClassLoader.getResources(ClassLoader.java:1142)
> at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:348)
> at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:393)
> at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
> at javax.xml.parsers.FactoryFinder$1.run(FactoryFinder.java:293)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.xml.parsers.FactoryFinder.findServiceProvider(FactoryFinder.java:289)
> at javax.xml.parsers.FactoryFinder.find(FactoryFinder.java:267)
> at javax.xml.parsers.DocumentBuilderFactory.newInstance(DocumentBuilderFactory.java:120)
> at com.MyHelper.createDoc(MyHelper.java:64)
> 
> Can tomcat ignore overridden jar and pull classes from memory only ?

No.

> Is there some sort of built-in hot deploy I'm not aware of?

No.

> Or is it related to issue specific for tomcat with empty jar opening

No.

Mark
