Re: [OT] Tomcat app within docker container

2020-01-09 Thread logo
Martynas,

> On 09.01.2020 at 23:12, Martynas Jusevičius wrote:
> 
> Forget Kubernetes for now :)
> 
> My recipe is using a multi-stage build. Very crudely:
> 
> FROM maven as maven
> # build your webapp into a .war (Dockerfile instructions need the RUN keyword)
> RUN mvn clean install
> 
> FROM tomcat
> COPY --from=maven /webapp/target/ROOT webapps/ROOT/
> 

NICE!

> It copies the whole folder from the build directory rather than the .war file.
> Here is an example:
> https://github.com/AtomGraph/LinkedDataHub/blob/master/Dockerfile
> 
> It does not use tomcat image directly but rather an intermediary image
> which adds config as ENV capabilities as well as LetsEncrypt
> certificates:
> https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/
> 
> You might also want to take a look at the entrypoint script which is a
> bit more involved:
> https://github.com/AtomGraph/LinkedDataHub/blob/master/platform/entrypoint.sh
> 

Thanks for sharing. Will be very interesting to improve my deployment.


> Look at the container as a large function. Minimize the number of
> inputs to it - generate all the configs that can be generated and
> execute the init actions within Dockerfile and/or entrypoint. Mount
> the rest from host as volumes, under Tomcat's webapps/ROOT (assuming
> you're Dockerizing one webapp).
> 
> Martynas
> atomgraph.com
> 
> On Thu, Jan 9, 2020 at 8:32 PM Christopher Schultz
>  wrote:
>> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>> 
>> Peter,
>> 
>> On 1/9/20 12:39 PM, logo wrote:
>>>> On 09.01.2020 at 17:51, Alex K wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> I have two .war files that when deployed at a plain Debian 9 VM
>>>> are working fine. I have prepared a docker file so as to deploy
>>>> the same apps within a docker container and for some reason one
>>>> of the apps is not loading due to some error.
>>>> 
>>>> Dockerfile: FROM debian:latest
>>> 
>>> Why not use one of the differently flavored tomcat images?
>>> 
>>> https://hub.docker.com/_/tomcat 
>>> 
>>> You get a working jdk (oracle, adopt, openjdk) and don’t have to
>>> build the system yourself. That may help to get the base running
>>> and then copy your file to the correct spots.
>> 
>> If you've got experience with Docker, I'd love for someone to put
>> together a post/presentation/whatever which addresses this question:
>> 
>> I've got an application that I deploy to Tomcat on a traditional
>> server; How do I Dockerize that?
>> 
>> Specifically, I'd like more than just "well, docker-compose with your
>> WAR file and put it in the right place" because we all know that there
>> are plenty of configuration files, etc. that don't work well with a
>> WAR file, etc.
>> 
>> So maybe this bleeds into "well, if you want to use Docker, maybe you
>> want to consider Kubernetes for configuration" and then explain how
>> you might move some of your server/application configuration into
>> Kubernetes (or similar). I'd like to understand how to package-up
>> things like this to be able to eventually use something like AWS's
>> auto-scaling.
>> 
>> - -chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] Tomcat app within docker container

2020-01-09 Thread Martynas Jusevičius
Forget Kubernetes for now :)

My recipe is using a multi-stage build. Very crudely:

FROM maven as maven
# build your webapp into a .war (Dockerfile instructions need the RUN keyword)
RUN mvn clean install

FROM tomcat
COPY --from=maven /webapp/target/ROOT webapps/ROOT/

It copies the whole folder from the build directory rather than the .war file.
Here is an example:
https://github.com/AtomGraph/LinkedDataHub/blob/master/Dockerfile

It does not use tomcat image directly but rather an intermediary image
which adds config as ENV capabilities as well as LetsEncrypt
certificates:
https://hub.docker.com/r/atomgraph/letsencrypt-tomcat/

You might also want to take a look at the entrypoint script which is a
bit more involved:
https://github.com/AtomGraph/LinkedDataHub/blob/master/platform/entrypoint.sh

Look at the container as a large function. Minimize the number of
inputs to it - generate all the configs that can be generated and
execute the init actions within Dockerfile and/or entrypoint. Mount
the rest from host as volumes, under Tomcat's webapps/ROOT (assuming
you're Dockerizing one webapp).

Martynas
atomgraph.com

On Thu, Jan 9, 2020 at 8:32 PM Christopher Schultz
 wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Peter,
>
> On 1/9/20 12:39 PM, logo wrote:
> >> On 09.01.2020 at 17:51, Alex K wrote:
> >>
> >> Hi all,
> >>
> >> I have two .war files that when deployed at a plain Debian 9 VM
> >> are working fine. I have prepared a docker file so as to deploy
> >> the same apps within a docker container and for some reason one
> >> of the apps is not loading due to some error.
> >>
> >> Dockerfile: FROM debian:latest
> >
> > Why not use one of the differently flavored tomcat images?
> >
> > https://hub.docker.com/_/tomcat 
> >
> > You get a working jdk (oracle, adopt, openjdk) and don’t have to
> > build the system yourself. That may help to get the base running
> > and then copy your file to the correct spots.
>
> If you've got experience with Docker, I'd love for someone to put
> together a post/presentation/whatever which addresses this question:
>
> I've got an application that I deploy to Tomcat on a traditional
> server; How do I Dockerize that?
>
> Specifically, I'd like more than just "well, docker-compose with your
> WAR file and put it in the right place" because we all know that there
> are plenty of configuration files, etc. that don't work well with a
> WAR file, etc.
>
> So maybe this bleeds into "well, if you want to use Docker, maybe you
> want to consider Kubernetes for configuration" and then explain how
> you might move some of your server/application configuration into
> Kubernetes (or similar). I'd like to understand how to package-up
> things like this to be able to eventually use something like AWS's
> auto-scaling.
>
> - -chris
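The "container as a large function" idea from Martynas's message, applied to the one piece of Tomcat configuration that every Dockerized deployment has to generate: the TLS connector. This is an added example, not Martynas's entrypoint.sh and not Tomcat code. The inputs are a few environment variables; the output is the `<Connector>` fragment an entrypoint would splice into `server.xml`. The attribute names (`SSLHostConfig`, `protocols`, `certificateFile`, `certificateKeyFile`, `certificateChainFile`, `type`) are real Tomcat 8.5+/9 configuration; the variable names, the `/run/secrets` paths and the sample environment are assumptions constructed for the example. The key is referenced by path rather than passed as a value, so the only secret the container needs is a mounted file.

```python
"""Render Tomcat's HTTPS <Connector> from a minimal set of inputs (added example)."""

import xml.etree.ElementTree as ET

# Input contract: these must be present; everything else is defaulted or derived.
# (Variable names are assumptions made for this example.)
REQUIRED = ("TLS_CERT_FILE", "TLS_KEY_FILE", "TLS_CHAIN_FILE")
DEFAULTS = {"HTTPS_PORT": "8443", "TLS_PROTOCOLS": "TLSv1.2+TLSv1.3", "TLS_KEY_TYPE": "RSA"}

# Constructed sample environment, as a container runtime would inject it.
SAMPLE_ENV = {
    "TLS_CERT_FILE": "/run/secrets/server.crt",
    "TLS_KEY_FILE": "/run/secrets/server.key",
    "TLS_CHAIN_FILE": "/run/secrets/chain.crt",
    "TLS_KEY_TYPE": "EC",
}


def missing_inputs(env):
    """Names of required inputs that are absent or empty; an entrypoint refuses to start on any."""
    return [name for name in REQUIRED if not env.get(name)]


def render_ssl_connector(env):
    """Build the <Connector> element as XML text. Raises ValueError on a bad input set so the
    container fails fast instead of starting Tomcat with a half-configured connector."""
    missing = missing_inputs(env)
    if missing:
        raise ValueError("refusing to start; missing inputs: " + ", ".join(missing))
    cfg = {**DEFAULTS, **env}

    port = int(cfg["HTTPS_PORT"])
    if not 1 <= port <= 65535:
        raise ValueError("HTTPS_PORT out of range: %d" % port)
    key_type = cfg["TLS_KEY_TYPE"].upper()
    if key_type not in ("RSA", "EC"):
        raise ValueError("TLS_KEY_TYPE must be RSA or EC, got " + cfg["TLS_KEY_TYPE"])

    connector = ET.Element("Connector", {
        "port": str(port),
        "protocol": "org.apache.coyote.http11.Http11NioProtocol",
        "SSLEnabled": "true",
        "scheme": "https",
        "secure": "true",
    })
    host = ET.SubElement(connector, "SSLHostConfig", {"protocols": cfg["TLS_PROTOCOLS"]})
    # PEM files instead of a keystore: the same layout discussed in the certificate-files thread.
    ET.SubElement(host, "Certificate", {
        "certificateFile": cfg["TLS_CERT_FILE"],
        "certificateKeyFile": cfg["TLS_KEY_FILE"],
        "certificateChainFile": cfg["TLS_CHAIN_FILE"],
        "type": key_type,
    })
    return ET.tostring(connector, encoding="unicode")


def connector_summary(xml_text):
    """Parse a rendered connector back into the handful of values worth checking at startup."""
    root = ET.fromstring(xml_text)
    host = root.find("SSLHostConfig")
    cert = host.find("Certificate")
    return {
        "port": root.get("port"),
        "protocols": host.get("protocols"),
        "certificateFile": cert.get("certificateFile"),
        "certificateKeyFile": cert.get("certificateKeyFile"),
        "type": cert.get("type"),
    }


if __name__ == "__main__":
    print(render_ssl_connector(SAMPLE_ENV))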



Re: ECDSA Private Keys

2020-01-09 Thread Christopher Schultz

All,

On 1/9/20 3:45 PM, Christopher Schultz wrote:
> Mark and Peter,
> 
> On 1/9/20 3:36 PM, Mark Thomas wrote:
>> On 09/01/2020 20:22, logo wrote:
>>> Mark,
>>> 
>>>> On 09.01.2020 at 20:36, Mark Thomas wrote:
>>>> 
>>>> On 02/01/2020 09:24, logo wrote:
>>>> 
>>>>> The connector comes up correctly, is accessible through
>>>>> the browser but if I test the ssl setup, I get an error
>>>>> message that the key/cert may not be used for "Key
>>>>> agreement"
>>>>> 
>>>>> See: testssl.sh :8443
>>>>> 
>>>>> Signature Algorithm  ECDSA with SHA256
>>>>> Server key size  EC 256 bits
>>>>> Server key usage Digital Signature, Key Encipherment
>>>>>  Certificate incorrectly used for key agreement
>>>>> Server extended key usageTLS Web Server Authentication, TLS Web Client Authentication
>>> 
>>> The key usage error is caused by identifying ECDH_RSA ciphers
>>> on the connector… (most certainly an unexpected edge case,
>>> I’ve debugged it that far). That should not be the case - as it
>>> is an ECDSA Cert, right?
> 
>> I don't think so.
> 
>> I'm seeing ECHD/RSA ciphers in the output and I am not getting
>> that warning.
> 
>> My reading of a couple of questions on stack exchange suggests
>> RSA vs DSA ciphers depends on how the CA signs the cert. My test
>> CA signs with RSA.
> 
> DSA is almost never used. Nearly 100% of keys in the world are 
> plain-RSA or EC. I know of no CA that uses DSA for signing. So
> pretty much every cert you will come across will be EC-with-RSA or 
> RSA-with-RSA (that's keytype-with-signature-type).

Obviously, the above is a mixture of half-truths and irrelevant
information. I was thinking of RSA versus DSA keys, not ECDSA as a
signature algorithm in its own right.

Carry on...

- -chris



Re: ECDSA Private Keys

2020-01-09 Thread Christopher Schultz

Mark and Peter,

On 1/9/20 3:36 PM, Mark Thomas wrote:
> On 09/01/2020 20:22, logo wrote:
>> Mark,
>> 
>>> On 09.01.2020 at 20:36, Mark Thomas wrote:
>>> 
>>> On 02/01/2020 09:24, logo wrote:
>>> 
>>> 
>>> 
>>>> The connector comes up correctly, is accessible through the
>>>> browser but if I test the ssl setup, I get an error message
>>>> that the key/cert may not be used for "Key agreement"
>>>> 
>>>> See: testssl.sh :8443
>>>> 
>>>> Signature Algorithm  ECDSA with SHA256
>>>> Server key size  EC 256 bits
>>>> Server key usage Digital Signature, Key Encipherment
>>>>  Certificate incorrectly used for key agreement
>>>> Server extended key usageTLS Web Server Authentication, TLS Web Client Authentication
>> 
>> The key usage error is caused by identifying ECDH_RSA ciphers on
>> the connector… (most certainly an unexpected edge case, I’ve
>> debugged it that far). That should not be the case - as it is an
>> ECDSA Cert, right?
> 
> I don't think so.
> 
> I'm seeing ECHD/RSA ciphers in the output and I am not getting that
> warning.
> 
> My reading of a couple of questions on stack exchange suggests RSA
> vs DSA ciphers depends on how the CA signs the cert. My test CA
> signs with RSA.

DSA is almost never used. Nearly 100% of keys in the world are
plain-RSA or EC. I know of no CA that uses DSA for signing. So pretty
much every cert you will come across will be EC-with-RSA or
RSA-with-RSA (that's keytype-with-signature-type).

> key usage and extended key usage are properties of the certificate.
> My understanding is that the cipher doesn't play a role here.

+1

- -chris



Re: ECDSA Private Keys

2020-01-09 Thread Mark Thomas
On 09/01/2020 20:22, logo wrote:
> Mark,
> 
>> On 09.01.2020 at 20:36, Mark Thomas wrote:
>>
>> On 02/01/2020 09:24, logo wrote:
>>
>> 
>>
>>> The connector comes up correctly, is accessible through the browser but if 
>>> I test the ssl setup, I get an error message that the key/cert may not be 
>>> used for "Key agreement"
>>>
>>> See:
>>> testssl.sh :8443
>>>
>>> Signature Algorithm  ECDSA with SHA256
>>> Server key size  EC 256 bits
>>> Server key usage Digital Signature, Key Encipherment
>>>  Certificate incorrectly used for key agreement
>>> Server extended key usageTLS Web Server Authentication, TLS Web Client 
>>> Authentication
> 
> The key usage error is caused by identifying ECDH_RSA ciphers on the 
> connector… (most certainly an unexpected edge case, I’ve debugged it that 
> far). That should not be the case - as it is an ECDSA Cert, right?

I don't think so.

I'm seeing ECHD/RSA ciphers in the output and I am not getting that warning.

My reading of a couple of questions on stack exchange suggests RSA vs
DSA ciphers depends on how the CA signs the cert. My test CA signs with RSA.

key usage and extended key usage are properties of the certificate. My
understanding is that the cipher doesn't play a role here.

Mark




Re: ECDSA Private Keys

2020-01-09 Thread Mark Thomas
On 02/01/2020 09:24, logo wrote:



>  Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by 
> encryption strength 

I've been through these and this is the summary of the results.
I'm testing OpenSSL master (although not updated for a while) and JSSE
from AdoptOpenJDK 1.8.0_222-b10

Cipher suites supported and reported by both implementations:
C009, C00A, C023, C024, C02B, C02C
Note: These cipher suites are used with slightly different
configurations because OpenSSL and JSSE support different curves

All the remaining OpenSSL cipher suites are not supported by JSSE.

All of the remaining JSSE cipher suites are not supported by OpenSSL
(they were removed in 1.1.0).

So while the results appear to be very different, those differences are
explainable.

Mark




Re: ECDSA Private Keys

2020-01-09 Thread logo
Mark,

> On 09.01.2020 at 20:36, Mark Thomas wrote:
> 
> On 02/01/2020 09:24, logo wrote:
> 
> 
> 
>> The connector comes up correctly, is accessible through the browser but if I 
>> test the ssl setup, I get an error message that the key/cert may not be used 
>> for "Key agreement"
>> 
>> See:
>> testssl.sh :8443
>> 
>> Signature Algorithm  ECDSA with SHA256
>> Server key size  EC 256 bits
>> Server key usage Digital Signature, Key Encipherment
>>  Certificate incorrectly used for key agreement
>> Server extended key usageTLS Web Server Authentication, TLS Web Client 
>> Authentication

The key usage error is caused by identifying ECDH_RSA ciphers on the connector… 
(most certainly an unexpected edge case, I’ve debugged it that far). That 
should not be the case - as it is an ECDSA Cert, right?

> 
> The allowed usages are configured when a certificate is created. See:
> https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
> 
> You need to take this up with your Certificate Authority.

The CA is issuing the right cert with appropriate usage for a Webserver 
"Digital Signature, Key Encipherment".

> 
> I'll look at the cipher differences next.
> 

testssl.sh -e  https://: should give you my result.

Thanks.

Peter

[1] https://github.com/drwetter/testssl.sh 


> Mark
> 
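What testssl.sh is checking when it prints "Certificate incorrectly used for key agreement": each TLS 1.2 key-exchange method needs a particular keyUsage bit on the server certificate, and a connector that still lists static ECDH suites (TLS_ECDH_RSA_*, TLS_ECDH_ECDSA_*) asks an EC certificate to do key agreement, which the certificate in Peter's output is not allowed to do (its keyUsage is Digital Signature and Key Encipherment). The example below is added here and is not code from the thread or from testssl.sh; it encodes the rules from RFC 5246 section 7.4.2 and RFC 8422 section 5.3, audits a constructed certificate against a constructed suite list, and prunes the list down to what the certificate can actually serve. Suite names follow the IANA registry; the sample certificate and suite list are constructed to mirror the thread.

```python
"""Which X.509 keyUsage bit a TLS 1.2 server certificate needs per key-exchange method,
plus an audit of one certificate against a connector's enabled suites (added example)."""

# keyUsage bit names (RFC 5280 section 4.2.1.3)
DIGITAL_SIGNATURE = "digitalSignature"
KEY_ENCIPHERMENT = "keyEncipherment"
KEY_AGREEMENT = "keyAgreement"

# IANA key-exchange prefix -> (keyUsage bit the server cert needs, public-key type it must hold).
# Ephemeral (EC)DHE: the certificate key only signs the ServerKeyExchange.
# Static (EC)DH: the certificate key itself is the server's key-agreement share, so the
# cert needs keyAgreement. ECDH_RSA vs ECDH_ECDSA names the *issuer's* signature
# algorithm; the server key is EC either way.
# Plain RSA: the client encrypts the premaster secret to the certificate key.
_KX_RULES = {
    "ECDHE_ECDSA": (DIGITAL_SIGNATURE, "EC"),
    "ECDHE_RSA": (DIGITAL_SIGNATURE, "RSA"),
    "DHE_RSA": (DIGITAL_SIGNATURE, "RSA"),
    "DHE_DSS": (DIGITAL_SIGNATURE, "DSA"),
    "ECDH_ECDSA": (KEY_AGREEMENT, "EC"),
    "ECDH_RSA": (KEY_AGREEMENT, "EC"),
    "DH_RSA": (KEY_AGREEMENT, "DH"),
    "DH_DSS": (KEY_AGREEMENT, "DH"),
    "RSA": (KEY_ENCIPHERMENT, "RSA"),
}


def required_key_usage(suite):
    """(keyUsage bit, key type) for an IANA TLS 1.2 suite name, or None when the suite does
    not use the server certificate for key exchange (PSK, anonymous DH, TLS 1.3 names)."""
    name = suite.upper()
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return None
    kx = name[len("TLS_"):name.index("_WITH_")]
    return _KX_RULES.get(kx)


def audit_certificate(key_type, key_usage, enabled_suites):
    """Findings (strings) for every mismatch between the certificate and the enabled suites;
    an empty list means the connector only offers what the certificate can support."""
    findings = []
    usage = set(key_usage)
    if key_type == "EC" and KEY_ENCIPHERMENT in usage:
        findings.append("keyEncipherment is set on an EC key; RFC 5480 section 3 disallows it")
    for suite in enabled_suites:
        rule = required_key_usage(suite)
        if rule is None:
            continue
        needed_bit, needed_type = rule
        if needed_type != key_type:
            findings.append("%s: needs a %s key, certificate holds %s (never negotiable)"
                            % (suite, needed_type, key_type))
        elif needed_bit not in usage:
            findings.append("%s: certificate lacks keyUsage %s" % (suite, needed_bit))
    return findings


def serviceable_suites(key_type, key_usage, enabled_suites):
    """The defender's fix: keep only suites this certificate can serve (suites that do not
    touch the certificate are kept as well)."""
    keep = []
    for suite in enabled_suites:
        rule = required_key_usage(suite)
        if rule is None or (rule[1] == key_type and rule[0] in key_usage):
            keep.append(suite)
    return keep


# Constructed sample mirroring the thread: EC P-256 key, CA-assigned keyUsage, and a
# connector list that still includes static ECDH suites (dropped in OpenSSL 1.1.0, still in JSSE).
SAMPLE_KEY_TYPE = "EC"
SAMPLE_KEY_USAGE = {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT}
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
]


def sample_findings():
    return audit_certificate(SAMPLE_KEY_TYPE, SAMPLE_KEY_USAGE, SAMPLE_SUITES)


if __name__ == "__main__":
    for line in sample_findings():
        print("finding:", line)
    print("serviceable:", serviceable_suites(SAMPLE_KEY_TYPE, SAMPLE_KEY_USAGE, SAMPLE_SUITES))
```

Run against the sample, the audit reports the two static ECDH suites as needing keyAgreement (the testssl.sh warning), the ECDHE_RSA suite as unusable with an EC key, and the stray keyEncipherment bit; the pruned list is the two ECDHE_ECDSA suites plus the TLS 1.3 suite.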



Re: ECDSA Private Keys

2020-01-09 Thread Mark Thomas
On 02/01/2020 09:24, logo wrote:



> The connector comes up correctly, is accessible through the browser but if I 
> test the ssl setup, I get an error message that the key/cert may not be used 
> for "Key agreement"
> 
> See:
> testssl.sh :8443
> 
>  Signature Algorithm  ECDSA with SHA256
>  Server key size  EC 256 bits
>  Server key usage Digital Signature, Key Encipherment
>   Certificate incorrectly used for key agreement
>  Server extended key usageTLS Web Server Authentication, TLS Web Client 
> Authentication

The allowed usages are configured when a certificate is created. See:
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html

You need to take this up with your Certificate Authority.

I'll look at the cipher differences next.

Mark




Re: [OT] Tomcat app within docker container

2020-01-09 Thread Christopher Schultz

Peter,

On 1/9/20 12:39 PM, logo wrote:
>> On 09.01.2020 at 17:51, Alex K wrote:
>> 
>> Hi all,
>> 
>> I have two .war files that when deployed at a plain Debian 9 VM
>> are working fine. I have prepared a docker file so as to deploy
>> the same apps within a docker container and for some reason one
>> of the apps is not loading due to some error.
>> 
>> Dockerfile: FROM debian:latest
> 
> Why not use one of the differently flavored tomcat images?
> 
> https://hub.docker.com/_/tomcat 
> 
> You get a working jdk (oracle, adopt, openjdk) and don’t have to
> build the system yourself. That may help to get the base running
> and then copy your file to the correct spots.

If you've got experience with Docker, I'd love for someone to put
together a post/presentation/whatever which addresses this question:

I've got an application that I deploy to Tomcat on a traditional
server; How do I Dockerize that?

Specifically, I'd like more than just "well, docker-compose with your
WAR file and put it in the right place" because we all know that there
are plenty of configuration files, etc. that don't work well with a
WAR file, etc.

So maybe this bleeds into "well, if you want to use Docker, maybe you
want to consider Kubernetes for configuration" and then explain how
you might move some of your server/application configuration into
Kubernetes (or similar). I'd like to understand how to package-up
things like this to be able to eventually use something like AWS's
auto-scaling.

- -chris



Re: Dates on Linux vs. Windows - Resolved

2020-01-09 Thread Christopher Schultz

Jerry,

On 1/9/20 1:15 PM, Christopher Schultz wrote:
> You should write yourself some small tests in Java to try
> everything [you've] read here. Just grab a date value from the
> database and inspect the object you get back. Mess with the time
> zones of various components, see what changes, and how you need to
> handle those situations so the user always sees what they
> expect to see.

I wrote some code for this. I'm attaching it below.

What you'll find is that, no matter what:

1. NOW() always returns a timestamp which is in the client's session
time zone (not the JVM's time zone)
2. Timestamp values are not re-zoned at any stage
3. The zone offset of the java.util.Date object returned by
ResultSet.getDate|Timestamp always matches the JVM's time zone

#3 is where the confusion is coming from, I think.

If you SELECT a date that should be in America/Chicago and your JVM TZ
is America/Chicago, then all is well. But if you change the client
session's time zone and SELECT a date that you expect to be in the new
time zone, then it depends whether this was SELECT NOW() or SELECT
field FROM table. The former will be totally wrong (wait, NOW()
returns *tomorrow*?). The latter will give you whatever date was
stored (without re-zoning it) and your java.util.Date object will have
the America/Chicago zone offset.

Hope that helps,
- -chris

 CUT 
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;

public class JDBCDateTest {
    // Year field restored: the list archive dropped the "yyyy" from this pattern.
    private static SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss zzz");

    /**
     * Sorry for the bad CLI argument interface; this is an example
     * and not really worth fleshing this all out. Unfortunately,
     * it means having to put your password on the command-line :(
     */
    public static void main(String[] args)
        throws Exception
    {
        String url = "jdbc:mysql://localhost/test";
        String driver = "com.mysql.jdbc.Driver";
        String username = System.getProperty("user.name");
        String password = null;

        Connection conn = null;
        Statement s = null;
        ResultSet rs = null;

        int argindex = 0;

        while(argindex < args.length) {
            String arg = args[argindex++];

            if("--url".equals(arg) || "-U".equals(arg))
                url = args[argindex++];
            else if("--driver".equals(arg) || "-D".equals(arg))
                driver = args[argindex++];
            else if("--username".equals(arg) || "-u".equals(arg))
                username = args[argindex++];
            else if("--password".equals(arg) || "-p".equals(arg))
                password = args[argindex++];
            else {
                System.err.println("Unknown argument: " + arg);
                System.exit(1);
            }
        }
        try {
            // Register JDBC driver
            Class.forName(driver);

            conn = DriverManager.getConnection(url, username, password);

            // First, dump some time zone information
            TimeZone tz = TimeZone.getDefault();
            System.out.println("JVM default time zone: " + tz.getID());

            s = conn.createStatement();
            rs = s.executeQuery("SELECT @@global.time_zone AS server_zone, @@session.time_zone AS session_zone");

            if(!rs.next())
                throw new IllegalStateException("Could not fetch server time zones");

            System.out.println("Server time zone:  " + rs.getString("server_zone"));
            // Bug fixed: the posted code printed server_zone twice instead of session_zone.
            System.out.println("Session time zone: " + rs.getString("session_zone"));

            rs.close(); rs = null;

            System.out.println("=  SELECT NOW() with default time zone ");
            rs = s.executeQuery("SELECT NOW() AS now");

            if(!rs.next())
                throw new IllegalStateException("SELECT NOW returned no rows");

            dump(rs.getDate("now"));
            dump(rs.getTimestamp("now"));
            rs.close(); rs = null;

            System.out.println("=  SELECT NOW() with +10:00 time zone ");

            // Change only the client session's zone; the JVM's default zone is untouched.
            s.executeUpdate("SET time_zone = '+10:00'");
            rs = s.executeQuery("SELECT NOW() AS now");

            if(!rs.next())
                throw new IllegalStateException("SELECT returned no rows");

            dump(rs.getDate("now"));
            dump(rs.getTimestamp("now"));

            rs.close(); rs = null;

            System.out.println("=  SELECT explicit date with +10:00 time zone ");

            rs = s.executeQuery("SELECT TIMESTAMP('2020-01-09 14:14:00') AS date");

            if(!rs.next())
                throw new IllegalStateException("SELECT returned no rows");

            dump(rs.getDate("date"));
            dump(rs.getTimestamp("date"));

            rs.close(); rs = null;
        } finally {
            // The archived message is cut off here; this cleanup tail is reconstructed.
            if(rs != null) try { rs.close(); } catch (SQLException ignored) { }
            if(s != null) try { s.close(); } catch (SQLException ignored) { }
            if(conn != null) try { conn.close(); } catch (SQLException ignored) { }
        }
    }

    /**
     * Reconstructed helper (the original was lost with the truncated message): prints the
     * value as the JVM renders it, with its zone, plus the zone-free epoch millis so the
     * two can be compared across the different session time zones above.
     */
    private static void dump(Date d)
    {
        System.out.println(d.getClass().getSimpleName() + ": " + df.format(d)
                           + " (epoch ms " + d.getTime() + ")");
    }
}
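The three observations above, modelled without a database so they can be checked offline. This is an added example, not Chris's Java test and not driver code: `mysql_now` stands in for `SELECT NOW()` (wall clock in the session zone, serialized with no zone), `jdbc_get_timestamp` stands in for `ResultSet.getTimestamp()` on a DATETIME (fields taken literally, JVM default zone attached, nothing re-zoned), and `now_error_hours` shows the "NOW() returns tomorrow?" effect when the session zone is `+10:00` but the JVM sits in America/Chicago. Fixed January offsets are used instead of named zones so the code runs without tzdata; the instant and the stored value are constructed.

```python
"""Model of zoneless DATETIME values crossing a MySQL session zone and a JVM zone (added example)."""

from datetime import datetime, timedelta, timezone

# January offsets only (no DST), labelled for readability; constructed for this example.
CHICAGO = timezone(timedelta(hours=-6), "America/Chicago")  # the JVM default zone in the thread
SESSION_PLUS_10 = timezone(timedelta(hours=10), "+10:00")   # the SET time_zone = '+10:00' case
UTC = timezone.utc

# Constructed "true" moment at which the queries run.
SAMPLE_INSTANT = datetime(2020, 1, 9, 20, 14, 0, tzinfo=UTC)
DATETIME_FMT = "%Y-%m-%d %H:%M:%S"


def mysql_now(session_tz, instant=SAMPLE_INSTANT):
    """SELECT NOW(): the wall clock in the *session* zone, written with no zone (observation 1).
    The same instant yields different text for different sessions."""
    return instant.astimezone(session_tz).strftime(DATETIME_FMT)


def jdbc_get_timestamp(datetime_text, jvm_tz):
    """ResultSet.getTimestamp() on a DATETIME: the fields are taken literally and the JVM
    default zone is attached; no re-zoning happens anywhere (observations 2 and 3)."""
    naive = datetime.strptime(datetime_text, DATETIME_FMT)
    return naive.replace(tzinfo=jvm_tz)


def now_error_hours(session_tz, jvm_tz, instant=SAMPLE_INSTANT):
    """How far, in hours, the Java object built from SELECT NOW() lands from the real instant.
    Zero when session and JVM zones agree; otherwise exactly their offset difference."""
    got = jdbc_get_timestamp(mysql_now(session_tz, instant), jvm_tz)
    return (got - instant).total_seconds() / 3600


def display_for_user(java_value, user_tz):
    """The adjustment an aware client makes: convert the instant to the user's zone for display,
    instead of trusting the offset the driver stamped on it."""
    return java_value.astimezone(user_tz).isoformat(sep=" ")


if __name__ == "__main__":
    print("NOW() in session +10:00 :", mysql_now(SESSION_PLUS_10))
    print("error with JVM in Chicago:", now_error_hours(SESSION_PLUS_10, CHICAGO), "hours")
    stored = jdbc_get_timestamp("2020-01-09 14:14:00", CHICAGO)
    print("stored value as Java sees it:", stored.isoformat())
    print("shown to a +10:00 user      :", display_for_user(stored, SESSION_PLUS_10))
```

With the session at `+10:00` the text `2020-01-10 06:14:00` comes back and the JVM stamps it as Chicago time, so the resulting object is 16 hours in the future; the stored `2020-01-09 14:14:00` is returned unchanged and only gains the JVM's `-06:00` offset, which is correct precisely because the column was written in that zone.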

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread James H. H. Lampert

On 1/9/20 1:24 AM, Mark Thomas wrote:

The moderators are aware of the situation. The subscriber in question
was blocked from making further posts an hour or so ago.


I'm glad to see that I'm not the only one who looked at those posts, and 
found them less-than-helpful (I think every link he posted was one using 
a JKS, and we already know they work fine), and in some cases downright 
nonsensical. Although making him only the third or fourth user to be 
kicked out, in the history of the List, seems a bit drastic, unless he 
has a history of similar actions.


At any rate, in answer to Peter's question about my private key, the 
file looks like:

-BEGIN RSA PRIVATE KEY-

[REDACTED]

-END RSA PRIVATE KEY-
and looking at it with KeyStore Explorer tells me it's an RSA private 
key, 2048 bits, format PKCS#8.


As to the cert and chain files, the .cer file looks like:

-BEGIN CERTIFICATE-

[REDACTED]

-END CERTIFICATE-

and looking at it with KSE shows that it contains our certificate,

and the .ca.crt file looks like:

-BEGIN CERTIFICATE-

[REDACTED]

-END CERTIFICATE-
-BEGIN CERTIFICATE-

[REDACTED]

-END CERTIFICATE-
-BEGIN CERTIFICATE-

[REDACTED]

-END CERTIFICATE-


and looking at it with KSE shows that it contains "AddTrust External CA 
Root," "COMODO RSA Certification Authority," and "COMODO RSA 
Organization Validation Secure Server CA."


--
JHHL




Re: [OT] Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread Christopher Schultz

Everyone,

On 1/9/20 4:24 AM, Mark Thomas wrote:
> On 09/01/2020 08:27, calder wrote:
>> Moderators ?
> 
> The moderators can be contacted via users-ow...@tomcat.apache.org
> 
> The moderators are aware of the situation. The subscriber in
> question was blocked from making further posts an hour or so ago.
> 
> Blocking a user is not a decision the moderators take lightly.
> Excluding obvious spambots, I can only think of 2 instances in the
> last 20 years before this one (it might be 3 - my memory is a
> little hazy going back that far) where a user has been blocked from
> this list. The moderators try to point out inappropriate behaviour
> and provide an opportunity for posters to change their behaviour
> before a ban is applied.
> 
> The moderators appreciate that behaviour like this can be
> frustrating. We aim to deal with it as quickly as we can whilst at
> the same time trying to allow for the fact that everyone can have a
> bad day sometimes.

I would encourage the lifting of this block. We have had posters in
the past who have posted many confusing messages and frankly, it's
fairly easy to sift-out the cruft.

While some novice readers may be confused by such posts, it's up to
the rest of us to provide better and more helpful responses.

I'd prefer not to ban people unless they are being overtly abusive.
Annoying is not being abusive. Picking fights with one or two
community members is not being abusive. (Yet)

I replied to this thread instead of starting a new one because I
didn't want to start a whole new thread debating this topic. I
apologize if this reply ends up hijacking the original thread (a
second time). If you feel like this is a larger discussion to be had
on the list, please start a new thread.

- -chris



Re: [OT] Specifying a custom SSLSocketFactory for an LDAP connection

2020-01-09 Thread Christopher Schultz

Michael,

On 1/9/20 2:21 AM, Michael Osipov wrote:
> On 2020-01-09 at 01:34, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> All,
>> 
>> For anyone who has experience with LDAP in Java, I need a little
>> help. I have some code connecting to an LDAP server and doing all
>> the wonderful things I want to do, but I'd like to customize the 
>> SSLSocket(Factory) that gets used by the connection to e.g. limit
>> the cipher suites, provide client certs, a custom trust store,
>> etc.
>> 
>> I've done some Googling and it looks like I can do this:
>> 
>> props.put("java.naming.ldap.factory.socket", 
>> "com.example.CustomSSLSocketFactory" );
>> 
>> But that means that my CustomSSLSocketFatory class must have 
>> hard-coded (or statically set) values for the various settings.
>> Yuck.
>> 
>> The Tomcat code (for JNDIRealm) supports customization for
>> STARTTLS, and that appears to be able to use a custom
>> SSLSocketFactory *instance*. But it looks like that requires the
>> use of STARTTLS which I do not need. I'm working with
>> LDAP-over-TLS.
>> 
>> Has anyone worked with Java's LDAP code enough to know if this
>> is possible and/or how to do it? I know I can fall-back to a
>> hard-coded or statically-configured SSLSocketFactory class but
>> I'd prefer something a little more explicitly-configurable.
> 
> Chris,
> 
> STARTTLS != LDAPS.

Correct. I was trying to make it clear that I'd like to use TLS, not
STARTTLS. I see examples for setting an SSLSocketFactory for STARTTLS
(in Tomcat's code) but I do not want to go that route because I am
using actual TLS.

> STARTTLS is an LDAPv3 extension with its own OID. The client requests
> this in-band and the server, if supported, switches to it.
> 
> Please clarify why you are mixing a custom socket with STARTTLS?

I am not.

> Do you want to customize the socket or modify the STARTTLS
> negotiation?

I want to specify the SSLSocketFactory *instance* to use (not just a
class name) for a real LDAP-over-TLS connection.

- -chris



Re: Dates on Linux vs. Windows - Resolved

2020-01-09 Thread Christopher Schultz

Jerry,

On 1/8/20 6:24 PM, Jerry Malcolm wrote:
> 
> On 1/8/2020 4:47 PM, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>> 
>> Johan,
>> 
>> On 1/8/20 3:28 AM, Johan Compagner wrote:
>>> So you moved once the database to a different timezone (that 
>>> had say that 6 hour difference) then the behavior is 
>>> correct...
>>> 
>>> It's very weird but that is the default behavior of the normal 
>>> datetime columns that are created if you move stuff around the 
>>> database somehow remembers at what timezone the datetime was 
>>> inserted and will convert the millis accordingly..
>> The database doesn't store timezone information. It just has a 
>> DATETIME which is zoneless. If you INSERT .. VALUES ('2020-01-08
>>  17:45:00') then that's what gets written. It doesn't do any 
>> translation. That's why it's important for the client to 
>> understand the context of all datetime values and adjust 
>> accordingly.
>> 
>>> It's the same as if you have different clients connecting to the
>>> same database over different timezones: they will all see the 
>>> same date as a string (so the formatted date) instead of
>>> really having the same millis after 1970 utc.
>> Correct.
>> 
>>> I always find this very, very weird. But I guess this is the 
>>> difference between database types "timestamp with timezone" and
>>> "timestamp"
>>> 
>>> So moving the database or moving the client (app server) with 
>>> existing data is very tricky.
>> If the client always adjusts both ways, there shouldn't be any 
>> problems. Ignorant clients will always cause confusion.
>> 
>> - -chris
>> 
>>> On Wed, 8 Jan 2020 at 06:05, Jerry Malcolm 
>>>  wrote:
>>> 
>>>> First of all, a big thank you to everyone who responded to
>>>> this one.  I doubt I'd have figured it out for days without
>>>> your guidance and help.
>>>> 
>>>> And the winner is the JVM timezone.  But the problem was
>>>> NOT that the JVM wasn't set to US Central time.  The problem
>>>> was that it WAS set to US Central, apparently inherited from
>>>> the Linux OS TZ.  There was no parameter on the tomcat java
>>>> command that set the timezone.  So I added one and set it to
>>>> America/Chicago.  No change.  But since it appeared we were
>>>> already double-dipping and converting from GMT to central
>>>> twice (i.e. subtracting an additional 6 hours), I figured
>>>> ok, tell the JVM to stay in GMT and not do any
>>>> conversions.  So now, the database returns Central time
>>>> dates and times, but the JVM no longer thinks it needs to convert
>>>> again to 'more central'.
>>>> 
>>>> This is about as convoluted and ugly as it gets.  And I don't
>>>> make any claims of thinking I can give a rational explanation
>>>> for why it works this way.  But it's on to fight a battle on
>>>> another hill now.
>>>> 
>>>> Just to summarize for anybody who comes along with a similar
>>>> problem: I originally set the timezone of the mySQL RDS
>>>> instance to Central time when I created it months back
>>>> (unchangeable after it's set).  I set my Linux timezone to
>>>> Central as well in order to make my log files have entries
>>>> with the correct timestamps. But as I described earlier,
>>>> changing the OS timezone made the JVM also go to Central as
>>>> well.  But the JVM apparently assumed the database was in GMT
>>>> so it subtracted 6 more hours off the already-central time
>>>> from the db.  I guess the real error was not initially
>>>> leaving the MySQL RDS in GMT.  But since that's not
>>>> changeable without recreating a whole new RDS instance, the
>>>> next option is what I did with the jvm.   Makes total sense,
>>>> right??? :-)
>>>> 
>>>> Thanks again.
>>>> 
>>>> Jerry
>>>> 
> Chris, I really want to get this right.  I understand that enough 
> wrongs in even numbers may result in a 'right'.  But I'd really 
> like to understand this.  So bear with me on this.  It makes sense 
> that the database doesn't store timezone info in data fields
> unless the tz is part of the data itself.  But then what is the 
> significance of the RDS timezone and/or setting mySQL timezone 
> values if the database is zoneless?

In cases where the timezone matters (e.g. TIMESTAMP fields in MySQL),
the JDBC driver will convert the date correctly.

I would encourage you to inspect the time zone related fields in the
java.util.Date and/or java.sql.Date and/or java.sql.Timestamp values
that you get back from e.g. ResultSet.getDate and
ResultSet.getTimestamp. You should find that the field-values (e.g.
month/day/year/hour/minute/second) match those of the database *when
they are adjusted according to the time zone info in the object*.

If you print a java.util.Date object (that is, using Date.toString()),
you should get something like this:

  Thu Jan 09 12:10:05 EST 2020

If you just print -MM-dd HH:mm:ss you won't see that TZ info at
the end. Worse, because both the java.util.Date *and*
java.text.SimpleDateFormat 
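
As an added illustration of the point above (example code written here, not code from the thread): a zoneless DATETIME string only becomes an instant once some zone is assumed, and a java.util.Date is nothing but epoch millis, so the zone used to format it must be chosen explicitly. The column value and the zone names are constructed sample data.

```java
import java.text.SimpleDateFormat;
import java.time.Duration;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.TimeZone;

/**
 * Constructed demo (not from the thread): the same zoneless DATETIME text,
 * interpreted in two different zones, gives instants 6 hours apart. That is
 * the "double dip" described above when the JVM default zone and the zone
 * the value was written in disagree.
 */
public class ZonelessDateTimeDemo {

    // The pattern the thread mentions: no zone designator, so nothing in the
    // output tells you which zone the wall-clock values belong to.
    private static final DateTimeFormatter ZONELESS =
            DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss");

    /** A zoneless DATETIME string becomes an instant only once a zone is assumed. */
    public static Instant interpret(String zonelessText, ZoneId assumedZone) {
        return LocalDateTime.parse(zonelessText, ZONELESS).atZone(assumedZone).toInstant();
    }

    /** The same instant rendered as wall-clock text in the given zone. */
    public static String render(Instant instant, ZoneId zone) {
        return ZONELESS.format(instant.atZone(zone));
    }

    /** Absolute difference, in hours, between two readings of the same zoneless text. */
    public static long hoursApart(String zonelessText, ZoneId a, ZoneId b) {
        return Math.abs(Duration.between(interpret(zonelessText, a),
                                         interpret(zonelessText, b)).toHours());
    }

    /**
     * What the reply recommends: format a java.util.Date with an explicit zone
     * instead of the JVM default that SimpleDateFormat otherwise falls back to.
     */
    public static String renderDate(Date date, String zoneId) {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        fmt.setTimeZone(TimeZone.getTimeZone(zoneId));
        return fmt.format(date);
    }

    public static void main(String[] args) {
        String stored = "2020-01-08 17:45:00";          // sample column value (constructed)
        ZoneId central = ZoneId.of("America/Chicago");   // zone the value was written in
        ZoneId utc = ZoneOffset.UTC;

        // Reading the text as if it were UTC and then showing it in Central
        // subtracts 6 hours: 17:45 comes back as 11:45.
        Instant readAsUtc = interpret(stored, utc);
        System.out.println("read as UTC, shown in Central:     " + render(readAsUtc, central));

        // Reading it in the zone it was written in round-trips unchanged.
        Instant readAsCentral = interpret(stored, central);
        System.out.println("read as Central, shown in Central: " + render(readAsCentral, central));
        System.out.println("hours apart: " + hoursApart(stored, central, utc));

        // A java.util.Date holds only epoch millis. toString() appends the JVM
        // default zone, so at least you can see it; a zoneless pattern hides it.
        Date date = Date.from(readAsCentral);
        System.out.println("Date.toString(): " + date);
        System.out.println("JVM default zone: " + TimeZone.getDefault().getID());
        System.out.println("explicit UTC:     " + renderDate(date, "UTC"));
        System.out.println("explicit Central: " + renderDate(date, "America/Chicago"));
    }
}
```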

Re: Tomcat app within docker container

2020-01-09 Thread Mark Eggers
Alex,

On 1/9/2020 8:51 AM, Alex K wrote:
> Hi all,
> 
> I have two .war files that when deployed at a plain Debian 9 VM are working
> fine.
> I have prepared a docker file so as to deploy the same apps within a docker
> container and for some reason one of the apps is not loading due to some
> error.
> 
> Dockerfile:
> FROM debian:latest
> USER root
> 
> ENV CATALINA_HOME /opt/tomcat
> ENV PATH $CATALINA_HOME/bin:$PATH
> RUN mkdir -p "$CATALINA_HOME"
> WORKDIR $CATALINA_HOME
> 
> # Install packages
> RUN apt update && apt install default-jdk -y && groupadd tomcat && useradd \
>     -s /bin/false -g tomcat -d $CATALINA_HOME tomcat
> COPY apache-tomcat-8.5.50.tar.gz /tmp/
> 
> RUN tar xzvf /tmp/apache-tomcat-8.5.50.tar.gz -C /opt/tomcat \
>     --strip-components=1
> 
> ADD app.war $CATALINA_HOME/webapps/
> ADD orbeon.war $CATALINA_HOME/webapps/
> ADD server.xml $CATALINA_HOME/conf/
> ADD web.xml $CATALINA_HOME/conf/
> ADD mariadb-java-client-2.4.1.jar $CATALINA_HOME/lib
> ADD setenv.sh $CATALINA_HOME/bin/
> 
> RUN chgrp -R tomcat $CATALINA_HOME && \
> chown -R tomcat webapps/ work/ temp/ logs/ && \
> chmod -R g+r conf && \
> chmod g+x conf && \
> chmod 750 $CATALINA_HOME/bin/setenv.sh && \
> rm -f /tmp/apache-tomcat-8.5.50.tar.gz;
> 
> EXPOSE 8443
> CMD ["catalina.sh", "run"]
> 
> I have also tried several other ways, using other docker tomcat images
> directly, every time resulting in some error.
> 
> The error I am getting now is:
> 
> 10:21:32.201 WARN  c.h.c.c.s.CubaXmlWebApplicationContext  - Exception
> encountered during context initialization - cancelling refresh attempt:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 10:21:32.243 ERROR c.h.a.r.a.r.RestAPIDispatcherServlet- Context
> initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 
> 
> Since I am not very familiar with tomcat, I would appreciate any pointers
> how to troubleshoot this.
> 
> Thanx,
> Alex
> 

What's the Java version for Debian 9 versus the debian:latest docker image?

. . . just my two cents
/mde/





Re: Tomcat app within docker container

2020-01-09 Thread logo
Hi Alex,



> On 09.01.2020 at 17:51, Alex K wrote:
> 
> Hi all,
> 
> I have two .war files that when deployed at a plain Debian 9 VM are working
> fine.
> I have prepared a docker file so as to deploy the same apps within a docker
> container and for some reason one of the apps is not loading due to some
> error.
> 
> Dockerfile:
> FROM debian:latest

Why not use one of the differently flavored tomcat images?

https://hub.docker.com/_/tomcat 

You get a working jdk (oracle, adopt, openjdk) and don’t have to build the 
system yourself.
That may help to get the base running and then copy your file to the correct 
spots.


> USER root
> 
> ENV CATALINA_HOME /opt/tomcat
> ENV PATH $CATALINA_HOME/bin:$PATH
> RUN mkdir -p "$CATALINA_HOME"
> WORKDIR $CATALINA_HOME
> 
> # Install packages
> RUN apt update && apt install default-jdk -y && groupadd tomcat && useradd \
>     -s /bin/false -g tomcat -d $CATALINA_HOME tomcat
> COPY apache-tomcat-8.5.50.tar.gz /tmp/
> 
> RUN tar xzvf /tmp/apache-tomcat-8.5.50.tar.gz -C /opt/tomcat \
>     --strip-components=1
> 
> ADD app.war $CATALINA_HOME/webapps/
> ADD orbeon.war $CATALINA_HOME/webapps/
> ADD server.xml $CATALINA_HOME/conf/
> ADD web.xml $CATALINA_HOME/conf/
> ADD mariadb-java-client-2.4.1.jar $CATALINA_HOME/lib
> ADD setenv.sh $CATALINA_HOME/bin/
> 
> RUN chgrp -R tomcat $CATALINA_HOME && \
>     chown -R tomcat webapps/ work/ temp/ logs/ && \
>     chmod -R g+r conf && \
>     chmod g+x conf && \
>     chmod 750 $CATALINA_HOME/bin/setenv.sh && \
>     rm -f /tmp/apache-tomcat-8.5.50.tar.gz;
> 
> EXPOSE 8443
> CMD ["catalina.sh", "run"]
> 
> I have also tried several other ways, using other docker tomcat images
> directly, every time resulting in some error.
> 
> The error I am getting now is:
> 
> 10:21:32.201 WARN  c.h.c.c.s.CubaXmlWebApplicationContext  - Exception
> encountered during context initialization - cancelling refresh attempt:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 10:21:32.243 ERROR c.h.a.r.a.r.RestAPIDispatcherServlet- Context
> initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 
> 

javax.xml.bind libs 

Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:35, Chris Cheshire wrote:
> On Thu, Jan 9, 2020 at 11:15 AM Felix Schumacher
>  wrote:
>>
>> On 09.01.20 at 17:01, Chris Cheshire wrote:
>>> Looking through the documentation for the rewrite valve [1], I see
>>> there is an example of how to write and use a rewrite map to convert a
>>> value to upper case. This is the inverse of what I want (lowercase),
>>> so great, easy enough to implement. This seems like something that
>>> could be included by default but I couldn't see anything in
>>> catalina.jar.
>>>
>>> Is this something that would be included if I create a patch for it,
>>> and how would I go about it?
>> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
>> but hadn't had time to investigate any further. Remy thought it would be
>> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
>> to have it a bit more optimized (see
>> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).
>>
>> Would this be something you like to have?
>>
>> I think of committing the first part of the PR in any case, as I believe
>> that the parsing of the parameters should be more in line with that of
>> httpd.
>>
>> Felix
>>
> From the example in the docs
> **
> RewriteMap uc example.maps.UpperCaseMap
> RewriteRule ^/(.*)$ ${uc:$1}
> **
>
> All I would like is for UpperCaseMap to live within the Catalina
> packaging as written so that I don't have to introduce a compile time
> dependency for a configuration file entry. Maybe I am missing
> something, but I don't see where having an SPI for this gains anything
> for simple usages like this.

The idea was to include the maps that are included in the httpd
implementation as documented at
https://httpd.apache.org/docs/2.4/rewrite/rewritemap.html#int and at the
same time to make it easier to include custom implementations via SPI.

The good thing here is that you showed interest in such
implementations and that it is a nice feature indeed.

Felix

>
> I can solve my problem by using multiple regular expressions, so it
> isn't critical. It just seemed like something that could be included
> by default.
>
> Chris
>




Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:39, Rémy Maucherat wrote:
> On Thu, Jan 9, 2020 at 5:16 PM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> On 09.01.20 at 17:01, Chris Cheshire wrote:
>>> Looking through the documentation for the rewrite valve [1], I see
>>> there is an example of how to write and use a rewrite map to convert a
>>> value to upper case. This is the inverse of what I want (lowercase),
>>> so great, easy enough to implement. This seems like something that
>>> could be included by default but I couldn't see anything in
>>> catalina.jar.
>>>
>>> Is this something that would be included if I create a patch for it,
>>> and how would I go about it?
>> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
>> but hadn't had time to investigate any further. Remy thought it would be
>> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
>> to have it a bit more optimized (see
>> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).
>>
>> Would this be something you like to have?
>>
>> I think of committing the first part of the PR in any case, as I believe
>> that the parsing of the parameters should be more in line with that of
>> httpd.
>>
> I was planning to pull the non service loader parts of the PR as they are
> likely useful utility classes, but I didn't (procrastination ... and bad
> colds ...). I think I'm really against ServiceLoader configuration for
> Tomcat at the moment, it seems even worse than system properties overall.

Do you think the int:xxx part is OK?

Felix

>
> Rémy
>
>
>> Felix
>>
>>> Chris
>>>
>>> [1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>>>




Tomcat app within docker container

2020-01-09 Thread Alex K
Hi all,

I have two .war files that when deployed at a plain Debian 9 VM are working
fine.
I have prepared a docker file so as to deploy the same apps within a docker
container and for some reason one of the apps is not loading due to some
error.

Dockerfile:
FROM debian:latest
USER root

ENV CATALINA_HOME /opt/tomcat
ENV PATH $CATALINA_HOME/bin:$PATH
RUN mkdir -p "$CATALINA_HOME"
WORKDIR $CATALINA_HOME

# Install packages
RUN apt update && apt install default-jdk -y && groupadd tomcat && useradd \
    -s /bin/false -g tomcat -d $CATALINA_HOME tomcat
COPY apache-tomcat-8.5.50.tar.gz /tmp/

RUN tar xzvf /tmp/apache-tomcat-8.5.50.tar.gz -C /opt/tomcat \
    --strip-components=1

ADD app.war $CATALINA_HOME/webapps/
ADD orbeon.war $CATALINA_HOME/webapps/
ADD server.xml $CATALINA_HOME/conf/
ADD web.xml $CATALINA_HOME/conf/
ADD mariadb-java-client-2.4.1.jar $CATALINA_HOME/lib
ADD setenv.sh $CATALINA_HOME/bin/

RUN chgrp -R tomcat $CATALINA_HOME && \
chown -R tomcat webapps/ work/ temp/ logs/ && \
chmod -R g+r conf && \
chmod g+x conf && \
chmod 750 $CATALINA_HOME/bin/setenv.sh && \
rm -f /tmp/apache-tomcat-8.5.50.tar.gz;

EXPOSE 8443
CMD ["catalina.sh", "run"]

I have also tried several other ways, using other docker tomcat images
directly, every time resulting in some error.

The error I am getting now is:

10:21:32.201 WARN  c.h.c.c.s.CubaXmlWebApplicationContext  - Exception
encountered during context initialization - cancelling refresh attempt:
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'org.springframework.security.filterChains': Cannot resolve
reference to bean
'org.springframework.security.web.DefaultSecurityFilterChain#0' while
setting bean property 'sourceList' with key [0]; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
create inner bean '(inner bean)#27690bd5' of type
[org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
while setting constructor argument with key [4]; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
'clientAuthenticationEntryPoint' while setting constructor argument; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'clientAuthenticationEntryPoint' defined in class
path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
Instantiation of bean failed; nested exception is
org.springframework.beans.BeanInstantiationException: Failed to instantiate
[org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
Constructor threw exception; nested exception is
java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
10:21:32.243 ERROR c.h.a.r.a.r.RestAPIDispatcherServlet- Context
initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name 'org.springframework.security.filterChains': Cannot resolve
reference to bean
'org.springframework.security.web.DefaultSecurityFilterChain#0' while
setting bean property 'sourceList' with key [0]; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name
'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
create inner bean '(inner bean)#27690bd5' of type
[org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
while setting constructor argument with key [4]; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating
bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
'clientAuthenticationEntryPoint' while setting constructor argument; nested
exception is org.springframework.beans.factory.BeanCreationException: Error
creating bean with name 'clientAuthenticationEntryPoint' defined in class
path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
Instantiation of bean failed; nested exception is
org.springframework.beans.BeanInstantiationException: Failed to instantiate
[org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
Constructor threw exception; nested exception is
java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException


Since I am not very familiar with tomcat, I would appreciate any pointers
how to troubleshoot this.

Thanx,
Alex


Re: lower/uppercase rewrite maps

2020-01-09 Thread Rémy Maucherat
On Thu, Jan 9, 2020 at 5:16 PM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

>
> On 09.01.20 at 17:01, Chris Cheshire wrote:
> > Looking through the documentation for the rewrite valve [1], I see
> > there is an example of how to write and use a rewrite map to convert a
> > value to upper case. This is the inverse of what I want (lowercase),
> > so great, easy enough to implement. This seems like something that
> > could be included by default but I couldn't see anything in
> > catalina.jar.
> >
> > Is this something that would be included if I create a patch for it,
> > and how would I go about it?
>
> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
> but hadn't had time to investigate any further. Remy thought it would be
> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
> to have it a bit more optimized (see
> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).
>
> Would this be something you like to have?
>
> I think of committing the first part of the PR in any case, as I believe
> that the parsing of the parameters should be more in line with that of
> httpd.
>

I was planning to pull the non service loader parts of the PR as they are
likely useful utility classes, but I didn't (procrastination ... and bad
colds ...). I think I'm really against ServiceLoader configuration for
Tomcat at the moment, it seems even worse than system properties overall.

Rémy


>
> Felix
>
> >
> > Chris
> >
> > [1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
> >


Re: lower/uppercase rewrite maps

2020-01-09 Thread Chris Cheshire
On Thu, Jan 9, 2020 at 11:15 AM Felix Schumacher
 wrote:
>
>
> On 09.01.20 at 17:01, Chris Cheshire wrote:
> > Looking through the documentation for the rewrite valve [1], I see
> > there is an example of how to write and use a rewrite map to convert a
> > value to upper case. This is the inverse of what I want (lowercase),
> > so great, easy enough to implement. This seems like something that
> > could be included by default but I couldn't see anything in
> > catalina.jar.
> >
> > Is this something that would be included if I create a patch for it,
> > and how would I go about it?
>
> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
> but hadn't had time to investigate any further. Remy thought it would be
> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
> to have it a bit more optimized (see
> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).
>
> Would this be something you like to have?
>
> I think of committing the first part of the PR in any case, as I believe
> that the parsing of the parameters should be more in line with that of
> httpd.
>
> Felix
>

From the example in the docs:
**
RewriteMap uc example.maps.UpperCaseMap
RewriteRule ^/(.*)$ ${uc:$1}
**

All I would like is for UpperCaseMap to live within the Catalina
packaging as written so that I don't have to introduce a compile time
dependency for a configuration file entry. Maybe I am missing
something, but I don't see where having an SPI for this gains anything
for simple usages like this.

I can solve my problem by using multiple regular expressions, so it
isn't critical. It just seemed like something that could be included
by default.

Chris

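
A lowercase counterpart to the UpperCaseMap the docs show, as an added example rather than code from Tomcat or from the PR under discussion. It assumes the two-method org.apache.catalina.valves.rewrite.RewriteMap interface (setParameters and lookup) of Tomcat 8.5/9.0; the package name and the map name lc are made up for the example.

```java
package example.maps;

import java.util.Locale;

import org.apache.catalina.valves.rewrite.RewriteMap;

/**
 * Lower-case rewrite map, mirroring the UpperCaseMap example from the Tomcat
 * rewrite docs (added example, not Tomcat's own code).
 *
 * Used from rewrite.config next to the RewriteValve:
 *
 *   RewriteMap lc example.maps.LowerCaseMap
 *   RewriteRule ^/(.*)$ /${lc:$1}
 *
 * The leading slash is put back in the substitution because $1 excludes it.
 * The compiled class must be on Tomcat's classpath (e.g. a jar in lib/) for
 * the valve to instantiate it by name.
 */
public class LowerCaseMap implements RewriteMap {

    @Override
    public String setParameters(String params) {
        // The valve hands any trailing text of the RewriteMap line to this
        // method. This map takes no parameters, so there is nothing to parse.
        return null;
    }

    @Override
    public String lookup(String key) {
        if (key == null) {
            return null;
        }
        // Locale.ROOT keeps the mapping independent of the server's default
        // locale: under a Turkish locale "INDEX".toLowerCase() would not
        // yield "index", and a path-matching rule built on the result
        // would silently behave differently from host to host.
        return key.toLowerCase(Locale.ROOT);
    }
}
```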



Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:01, Chris Cheshire wrote:
> Looking through the documentation for the rewrite valve [1], I see
> there is an example of how to write and use a rewrite map to convert a
> value to upper case. This is the inverse of what I want (lowercase),
> so great, easy enough to implement. This seems like something that
> could be included by default but I couldn't see anything in
> catalina.jar.
>
> Is this something that would be included if I create a patch for it,
> and how would I go about it?

I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
but hadn't had time to investigate any further. Remy thought it would be
a bit overengineered. Romain liked the idea of ServiceLoader but wanted
to have it a bit more optimized (see
https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).

Would this be something you like to have?

I think of committing the first part of the PR in any case, as I believe
that the parsing of the parameters should be more in line with that of
httpd.

Felix

>
> Chris
>
> [1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>




lower/uppercase rewrite maps

2020-01-09 Thread Chris Cheshire
Looking through the documentation for the rewrite valve [1], I see
there is an example of how to write and use a rewrite map to convert a
value to upper case. This is the inverse of what I want (lowercase),
so great, easy enough to implement. This seems like something that
could be included by default but I couldn't see anything in
catalina.jar.

Is this something that would be included if I create a patch for it,
and how would I go about it?

Chris

[1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html




Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread logo

James,

On 2020-01-09 00:58, James H. H. Lampert wrote:

I wrote:
Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" 
and ".key" files directly, instead of the Java Keystore file?


On 12/30/19 1:41 PM, Peter Kreuser wrote:

Correct!


I tried an experiment this afternoon:

I made a copy of the existing server.xml file, and I changed the active
connector from this (keystore file and alias redacted for privacy,
ciphers and compressibleMimeTypes clauses redacted because they're
quite long, and not relevant here):
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" 
noCompressionUserAgents="gozilla, traviata"

 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" 
socket.appWriteBufSize="1024" bufferSize="1024"

 SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
 clientAuth="false" sslProtocol="TLS" />


to this:
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" 
noCompressionUserAgents="gozilla, traviata"

 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" 
socket.appWriteBufSize="1024" bufferSize="1024"

 SSLEnabled="true" scheme="https" secure="true">
  
certificateKeyFile="[REDACTED].key"

 certificateChainFile="[REDACTED].ca.crt" />
  



and restarted Tomcat, and it failed to open the port, producing this
in catalina.out:
08-Jan-2020 23:14:09.026 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
	... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
	at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
	... 20 more




I recently came across a similar problem (at least the same error
message), where the key was in an unsupported format (first line of the
file: "BEGIN EC PRIVATE KEY"; Mark is working on a solution for this).
What type of private key are you using? All files PEM?

Re: Tomcat webapp did not work

2020-01-09 Thread Mark Thomas
On 09/01/2020 09:36, Cuong Trung LY wrote:
> Hello,
> 
> Last November, my Tomcat webapps were suddenly not working. I restarted the Tomcat
> service and it came back to a normal state.
> 
> The access log returned 400 for requests at the time:
> Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
> Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
> Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -
> Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -
> 
> From the Catalina log, before the time I could not access the webapp, there are some
> log entries as below:
> Nov 20, 2019 5:54:32 PM org.apache.coyote.http11.AbstractHttp11Processor process
> INFO: Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
> 	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
> 	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:996)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
> 	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:745)
> 
> Nov 20, 2019 6:01:45 PM org.apache.coyote.http11.AbstractHttp11Processor process
> INFO: Error parsing HTTP request header
>  Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
> 	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
> 	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:996)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
> 	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:745)
> 
> As there are no other errors, I can't tell why it was not working. Could you
> please help check whether those errors could have made Tomcat hang so the webapps
> could not be accessed?

No, they won't.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: BLOCKING: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API

2020-01-09 Thread Mark Thomas
On 09/01/2020 04:49, Rathore, Rajendra wrote:
> Hi Team,
> 
> If someone knows how to check whether the read/write operation is done properly or not,
> or whether it is caused by the network, please let me know, because it is blocking for me.

I recommend you ignore the advice from Zahid.

The stack trace you posted indicates that it is the client that is not
reading the data. You should focus your attention there.

If the application is simple, Wireshark (or similar) may be helpful
although network dumps generate a lot of data and can overwhelm you if
you aren't familiar with them.

If you create a simple web application (single servlet or JSP) that
someone here can test that demonstrates the problem then we may be able
to help further. Often, just creating such a test case can help you
solve the issue yourself.

Mark


> 
> Thanks and Regards,
> Rajendra Rathore
> 9922701491
> 
> -Original Message-
> From: Rathore, Rajendra 
> Sent: Wednesday, January 8, 2020 11:43 AM
> To: 'Tomcat Users List' 
> Subject: RE: performance issue with Tomcat 8.5.35 in 
> org.apache.tomcat.util.net.NioBlockingSelector.write API
> 
> Can someone please help me to find out the root cause for below issue.
> 
> Thanks and Regards,
> Rajendra Rathore
> 9922701491
> 
> -Original Message-
> From: Rathore, Rajendra
> Sent: Tuesday, January 7, 2020 4:16 PM
> To: Tomcat Users List 
> Subject: RE: performance issue with Tomcat 8.5.35 in 
> org.apache.tomcat.util.net.NioBlockingSelector.write API
> 
> Hi Remy,
> 
> Thanks for the reply,
> 
> As you mention below points
> 
> "There's a problem only if things are blocked improperly, for example if the 
> client is correctly reading the data and/or there's no network backlog.
> Also the timeout configured on the connector must be respected by the 
> operation."
> 
> 1. How can we check the network backlog, or whether data read/write is not working
> properly? If there is any tool, please let us know. 2. How can we set the connector timeout?
> 
> Thanks and Regards,
> Rajendra Rathore
> 9922701491
> 
> -Original Message-
> From: Rémy Maucherat 
> Sent: Tuesday, January 7, 2020 4:11 PM
> To: Tomcat Users List 
> Subject: Re: performance issue with Tomcat 8.5.35 in 
> org.apache.tomcat.util.net.NioBlockingSelector.write API
> 
> 
> On Tue, Jan 7, 2020 at 6:33 AM Rathore, Rajendra  wrote:
> 
>> Hi Rémy/ Christopher,
>>
>> It will be stuck there for 10-15 minutes, so it takes time to load a
>> simple Web UI; there is no WebSocket call. I am giving you one of the
>> samples where it spends 90% of the time in the write operation; sometimes it
>> reaches 100%.
>>
>>
>> O-org.apache.coyote.ajp.AjpProcessor.writeData(AjpProcessor.java:1331) count=1669(%92.877)
>>  O-org.apache.tomcat.util.net.SocketWrapperBase.write(SocketWrapperBase.java:385) count=1669(%92.877)
>>   O-org.apache.tomcat.util.net.SocketWrapperBase.writeBlocking(SocketWrapperBase.java:462) count=1669(%92.877)
>>    O-org.apache.tomcat.util.net.SocketWrapperBase.doWrite(SocketWrapperBase.java:726) count=1669(%92.877)
>>     O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.doWrite(NioEndpoint.java:1316) count=1669(%92.877)
>>      O-org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:157) count=1669(%92.877)
>>       O-org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:114) count=1667(%92.766)
>>        O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitWriteLatch(NioEndpoint.java:1160) count=1667(%92.766)
>>         O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitLatch(NioEndpoint.java:1157) count=1667(%92.766)
>>          O-java.util.concurrent.CountDownLatch.await(CountDownLatch.java:277) count=1667(%92.766)
>>
> It's a normal blocking write, and the await does not consume CPU (it sits 
> there however and a profiler will count that but it doesn't matter).
> There's a problem only if things are blocked improperly, for example if the 

Tomcat webapp did not work

2020-01-09 Thread Cuong Trung LY
Hello,

Last November, my Tomcat webapps were suddenly not working. I restarted the Tomcat
service and it came back to a normal state.

The access log returned 400 for requests at the time:
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -

From the Catalina log, before the time I could not access the webapp, there are some
log entries as below:
Nov 20, 2019 5:54:32 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:996)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Nov 20, 2019 6:01:45 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:996)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

As there are no other errors, I can't tell why it was not working. Could you
please help check whether those errors could have made Tomcat hang so the webapps
could not be accessed?

Thank you very much.
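Mark's answer to this post (above) is that header-parse errors of this kind do not hang Tomcat: each one costs the client a 400 and shows up in the access log as a request line of "-". The following is an added example, not code from the thread or from Tomcat, that makes that reading of the two logs mechanical: it pulls the unparseable-request 400s out of the access log, counts them per client, and checks whether a matching "Error parsing HTTP request header" record exists in catalina.out for the same local second. The access-log pattern it assumes (Time Taken: %T %B %h %l %u %t "%r" %s %b) is my guess at the AccessLogValve pattern in use, not something the thread states; both logs are assumed to be in the same timezone; the 200 line in the sample is constructed, and the remaining sample lines are the ones quoted in this thread.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed AccessLogValve pattern (not stated in the thread):
#   Time Taken: %T %B %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^Time Taken: (?P<secs>\S+) (?P<sent>\S+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
# JULI record header, e.g. "Nov 20, 2019 5:54:32 PM <logger> <method>"
CATALINA_HEAD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ \S+$')
PARSE_ERROR_RE = re.compile(r'Invalid character found in ')


def parse_access_log(lines):
    """Yield (aware timestamp, client, request line, status). A request line of "-" means
    Tomcat never got a parseable request line and logged the 400 it sent back instead."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   m["client"], m["request"], int(m["status"]))


def parse_catalina_parse_errors(lines):
    """Yield the (naive, local) timestamp of each header-parse error record in catalina.out."""
    pending = None
    for line in lines:
        m = CATALINA_HEAD_RE.match(line)
        if m:
            pending = datetime.strptime(m["ts"], "%b %d, %Y %I:%M:%S %p")
        elif pending is not None and PARSE_ERROR_RE.search(line):
            yield pending
            pending = None


def correlate(access_lines, catalina_lines):
    """Count unparseable-request 400s per client and tie each one to the catalina.out
    parse-error records in the same local second (both logs assumed in one timezone)."""
    errors = Counter(parse_catalina_parse_errors(catalina_lines))
    per_client = Counter()
    report = []
    for ts, client, request, status in parse_access_log(access_lines):
        if request == "-" and status == 400:
            local = ts.replace(tzinfo=None)
            per_client[client] += 1
            report.append({"time": local, "client": client,
                           "parse_errors_same_second": errors.get(local, 0)})
    return per_client, report


# Lines quoted in this thread, plus one constructed 200 line to show it is not flagged.
SAMPLE_ACCESS_LOG = """\
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:17:54:32 +0800] "-" 400 -
Time Taken: 0.012 512 10.176.94.121 - - [20/Nov/2019:17:54:40 +0800] "GET /app/ HTTP/1.1" 200 512
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -
Time Taken: 0.000 0 10.176.94.121 - - [20/Nov/2019:18:01:45 +0800] "-" 400 -
"""
SAMPLE_CATALINA_LOG = """\
Nov 20, 2019 5:54:32 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:996)
Nov 20, 2019 6:01:45 PM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
	at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:135)
"""

if __name__ == "__main__":
    per_client, report = correlate(SAMPLE_ACCESS_LOG.splitlines(), SAMPLE_CATALINA_LOG.splitlines())
    for client, n in per_client.items():
        print(f"{client}: {n} unparseable request line(s) answered with 400")
    for row in report:
        print(row)
```

Note that the two 400s at 17:54:32 map onto a single catalina.out record: after the first parse error Tomcat demotes further occurrences to DEBUG, as the log line itself says, so the access log is the place to count them. A burst of 400/"-" entries from one client is scanner or wrong-protocol noise on the HTTP port; it is not evidence for the hang, which would have to be diagnosed from what Tomcat was doing at the time, and these lines do not show that.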


Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread Mark Thomas
On 09/01/2020 08:27, calder wrote:
> Moderators?

The moderators can be contacted via users-ow...@tomcat.apache.org

The moderators are aware of the situation. The subscriber in question
was blocked from making further posts an hour or so ago.

Blocking a user is not a decision the moderators take lightly. Excluding
obvious spambots, I can only think of 2 instances in the last 20 years
before this one (it might be 3 - my memory is a little hazy going back
that far) where a user has been blocked from this list. The moderators
try to point out inappropriate behaviour and provide an opportunity for
posters to change their behaviour before a ban is applied.

The moderators appreciate that behaviour like this can be frustrating.
We aim to deal with it as quickly as we can whilst at the same time
trying to allow for the fact that everyone can have a bad day sometimes.

Mark
wearing his list moderator hat




Re: ECDSA Private Keys

2020-01-09 Thread Mark Thomas
On 08/01/2020 21:39, logo wrote:



>> I have confirmed that this updated key then works cleanly with both the
>> OpenSSL and JSSE TLS implementations.
>>
> 
> Felix already suggested that. I've tried it and at first it looks good. 
> Connector starts and serves the ECDSA cert.

Sorry I missed that. It was late and I was trying to do things too quickly.

> Please see the last two emails with the findings of the testssl.sh scans. I 
> don’t know but tomcat now also serves strange ciphers… (at least some that 
> openssl doesn’t even support and the scanner gets some strange results!)
> 
> https://markmail.org/message/nj7lvuplld4c5nqx

ACK. I'll try and dig deeper once I've tackled the conversion issue.

>> In theory, Tomcat should be able to do this conversion for you. The
>> issue will be how much of the crypto API we need to do that is part of
>> the public API and, where it isn't, how easy it is to craft our own.
>>
>> I'm currently investigating…
>>
> 
> Thanks for your support. I got the people at smallstep to create an option to 
> also create RSA certs. So there is currently a workaround to use their acme 
> process with tomcat.

Yes, we can do the conversion. It isn't too bad but I need to clean up
my rather hacky approach to make it more robust before committing it. I
hope to make progress on this today.

Mark


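Peter's message in the first thread above pins the "Cannot store non-PrivateKeys" failure on the key's container format ("BEGIN EC PRIVATE KEY"), and Mark confirms in the ECDSA thread that a converted key works with both the JSSE and OpenSSL implementations. The following is an added example, not code from the thread or from Tomcat, that tells you which container a PEM private key is in before you point certificateKeyFile at it. It decodes only the first two fields of the outer DER SEQUENCE, which is enough to tell SEC1 ("EC PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY"), PKCS#8 ("PRIVATE KEY") and encrypted PKCS#8 apart, and it also checks that the PEM label agrees with the bytes, since a mislabelled file gives the same confusing failure. Treating PKCS#8 as the format to convert to, and openssl pkcs8 -topk8 -nocrypt as the conversion, is my reading of the thread, not something it states; the sample keys are constructed placeholders built around a dummy scalar, not real keys.

```python
import base64
import re

# PEM label each private-key container is written with (RFC 7468 / OpenSSL conventions).
EXPECTED_LABEL = {
    "sec1-ec": "EC PRIVATE KEY",            # SEC1 ECPrivateKey, e.g. from "openssl ecparam -genkey"
    "pkcs1-rsa": "RSA PRIVATE KEY",         # PKCS#1 RSAPrivateKey, e.g. from "openssl genrsa"
    "pkcs8": "PRIVATE KEY",                 # PKCS#8 PrivateKeyInfo, e.g. from "openssl pkcs8 -topk8 -nocrypt"
    "pkcs8-encrypted": "ENCRYPTED PRIVATE KEY",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _classify_der(der):
    """Name the container from the first two fields of the outer SEQUENCE."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first, _, pos = _read_tlv(seq, 0)
    if first == 0x30:                      # EncryptedPrivateKeyInfo opens with an AlgorithmIdentifier
        return "pkcs8-encrypted"
    if first != 0x02:                      # every plaintext form opens with a version INTEGER
        return "unknown"
    second, _, _ = _read_tlv(seq, pos)
    return {0x30: "pkcs8",                 # version, AlgorithmIdentifier, OCTET STRING privateKey
            0x04: "sec1-ec",               # version 1, OCTET STRING privateKey, [0] curve, [1] pubkey
            0x02: "pkcs1-rsa"}.get(second, "unknown")   # version, INTEGER modulus, INTEGER e, ...


def classify_private_key(pem_text):
    """Report the container format of a PEM private key and whether its label matches the bytes."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    der = base64.b64decode("".join(m.group(2).split()))
    fmt = _classify_der(der)
    return {
        "label": label,
        "format": fmt,
        "label_matches": EXPECTED_LABEL.get(fmt) == label,
        # Assumption drawn from the thread, not stated in it: the Tomcat version discussed
        # reads PKCS#8 but not SEC1, so only "sec1-ec" needs converting.
        "needs_conversion": fmt == "sec1-ec",
        "hint": "openssl pkcs8 -topk8 -nocrypt -in <key> -out <key>.pkcs8" if fmt == "sec1-ec" else "",
    }


# --- constructed samples: a placeholder scalar, not a real key ----------------------------
def _tlv(tag, content):
    """Encode one DER tag-length-value (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


_OID_EC_PUBLIC_KEY = _tlv(0x06, bytes.fromhex("2A8648CE3D0201"))   # 1.2.840.10045.2.1
_OID_PRIME256V1 = _tlv(0x06, bytes.fromhex("2A8648CE3D030107"))    # 1.2.840.10045.3.1.7
_FAKE_SCALAR = bytes(range(1, 33))                                   # 32 placeholder bytes, NOT a key

SEC1_DER = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, _FAKE_SCALAR) + _tlv(0xA0, _OID_PRIME256V1))
PKCS8_DER = _tlv(0x30, _tlv(0x02, b"\x00")
                  + _tlv(0x30, _OID_EC_PUBLIC_KEY + _OID_PRIME256V1)
                  + _tlv(0x04, SEC1_DER))
# PKCS#1 shape with a dummy 1024-bit modulus, which also exercises long-form lengths.
PKCS1_DER = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00" + b"\x7f" * 128) + _tlv(0x02, b"\x01\x00\x01"))

SAMPLE_SEC1_PEM = _pem("EC PRIVATE KEY", SEC1_DER)        # the "BEGIN EC PRIVATE KEY" case from the thread
SAMPLE_PKCS8_PEM = _pem("PRIVATE KEY", PKCS8_DER)         # the same key after conversion
SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", PKCS1_DER)
SAMPLE_MISLABELED_PEM = _pem("PRIVATE KEY", SEC1_DER)     # SEC1 bytes under a PKCS#8 label

if __name__ == "__main__":
    for name, pem in [("sec1", SAMPLE_SEC1_PEM), ("pkcs8", SAMPLE_PKCS8_PEM),
                      ("pkcs1", SAMPLE_PKCS1_PEM), ("mislabeled", SAMPLE_MISLABELED_PEM)]:
        print(name, classify_private_key(pem))
```

Run it on the real file with classify_private_key(open(path).read()); a "sec1-ec" result on the Tomcat version discussed here means convert first, and keep the converted file under the same restrictive permissions as the original, since it is the same secret in a different wrapper.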


Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread calder
Moderators?



On Wed, Jan 8, 2020, 20:44 Zahid Rahman  wrote:

>
> https://stackoverflow.com/questions/46786046/severe-main-org-apache-catalina-core-standardservice-initinternal-failed-to-in
>
> I went to college and studied IT before finding a job. My teacher explained
> to me that you should always look at the first error and ignore the rest.
>



Then your  "teacher"  has  NO IDEA  what they are talking about, as related
to log interpretation ... and now, YOU foster the same INVALID information.


When one reads a log file, if there are any "Caused by"  statements, locate
the last "Caused by" in the stack trace, and that is the area of root cause.

One can see there are "Caused by's" in the stack trace, so "looking at the
first error"  does NOT apply in this case.



James, do not take Zahid's information as accurate - his knowledge is
lacking.



First error.
> 08-Jan-2020 23:14:09.026 SEVERE [main]
> org.apache.catalina.core.StandardService.initInternal
> Failed to initialize connector [Connector[HTTP/1.1-8443]]
>
>
> Once that has been addressed  then either the remaining  will disappear or
> address the second error which will then be the first error.
>
>
> On Wed, 8 Jan 2020, 23:59 James H. H. Lampert, 
> wrote:
>
> > I wrote:
> > > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
> > > and ".key" files directly, instead of the Java Keystore file?
> >
> > On 12/30/19 1:41 PM, Peter Kreuser wrote:
> > > Correct!
> >
> > I tried an experiment this afternoon:
> >
> > I made a copy of the existing server.xml file, and I changed the active
> > connector from this (keystore file and alias redacted for privacy,
> > ciphers and compressibleMimeTypes clauses redacted because they're quite
> > long, and not relevant here):
> > >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >  compression="on" compressionMinSize="2048"
> > noCompressionUserAgents="gozilla, traviata"
> > >  compressableMimeType="[REDACTED]"
> > >  maxThreads="1000" socket.appReadBufSize="1024"
> > socket.appWriteBufSize="1024" bufferSize="1024"
> > >  SSLEnabled="true" scheme="https" secure="true"
> > >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
> > >  clientAuth="false" sslProtocol="TLS" />
> >
> > to this:
> > >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >  compression="on" compressionMinSize="2048"
> > noCompressionUserAgents="gozilla, traviata"
> > >  compressableMimeType="[REDACTED]"
> > >  maxThreads="1000" socket.appReadBufSize="1024"
> > socket.appWriteBufSize="1024" bufferSize="1024"
> > >  SSLEnabled="true" scheme="https" secure="true">
> > >> >certificateVerification="none" sslProtocol="TLS">
> > >  > certificateKeyFile="[REDACTED].key"
> > >  certificateChainFile="[REDACTED].ca.crt" />
> > >   
> > > 
> >
> > and restarted Tomcat, and it failed to open the port, producing this in
> > catalina.out:
> > > 08-Jan-2020 23:14:09.026 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > >  org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> > > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> > > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > ... 12 more
> > > Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
> > > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> > > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> > >
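calder's point above, that the last "Caused by" in a Java stack trace is where the root cause lives, is easy to apply by hand on a short trace and easy to get wrong on a long one. The following is an added example, not code from the thread or from Tomcat, that parses a trace in the JDK's Throwable.printStackTrace() format into its cause chain, reports the last cause together with the frame that threw it, and finds the first frame in that cause belonging to a package of interest (here org.apache.tomcat, i.e. the Tomcat code that called the failing JDK API). The sample is the trace James posted, reproduced inline with its wrapped lines rejoined; the regular expressions are mine.

```python
import re

CAUSED_BY_RE = re.compile(r"^Caused by: (?P<cls>[\w$.]+)(?:: (?P<msg>.*))?$")
# Outermost exception line: a dotted class name, optionally followed by ": message".
HEAD_RE = re.compile(r"^\s*(?P<cls>[A-Za-z_$][\w$]*(?:\.[\w$]+)+)(?:: (?P<msg>.*))?$")
FRAME_RE = re.compile(r"^\s*at (?P<method>\S+?)\((?P<loc>[^)]*)\)")
ELIDED_RE = re.compile(r"^\s*\.\.\. (?P<n>\d+) more$")


def parse_cause_chain(text):
    """Split a Throwable.printStackTrace() dump into its cause chain, in log order:
    chain[0] is the outermost exception, chain[-1] the last 'Caused by', i.e. the root cause."""
    chain = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = CAUSED_BY_RE.match(line)
        if m:
            chain.append({"exception": m["cls"], "message": m["msg"] or "", "frames": [], "elided": 0})
            continue
        m = FRAME_RE.match(line)
        if m and chain:
            chain[-1]["frames"].append(f'{m["method"]}({m["loc"]})')
            continue
        m = ELIDED_RE.match(line)
        if m and chain:
            chain[-1]["elided"] = int(m["n"])   # frames shared with the enclosing trace, omitted by the JDK
            continue
        m = HEAD_RE.match(line)
        if m and not chain:                     # first exception line; the logger prefix line does not match
            chain.append({"exception": m["cls"], "message": m["msg"] or "", "frames": [], "elided": 0})
    return chain


def first_frame_in(cause, package):
    """First frame of a cause whose method lives under `package`: the nearest code you own to the failure."""
    return next((f for f in cause["frames"] if f.startswith(package + ".")), None)


def root_cause(text, package="org.apache.tomcat"):
    """What to read first: the last cause, where it was thrown, and where your own code called into it."""
    chain = parse_cause_chain(text)
    if not chain:
        return None
    root = chain[-1]
    return {"exception": root["exception"], "message": root["message"],
            "thrown_at": root["frames"][0] if root["frames"] else None,
            "called_from": first_frame_in(root, package), "depth": len(chain)}


# The trace James posted in this thread, with wrapped lines rejoined.
SAMPLE_TRACE = """\
08-Jan-2020 23:14:09.026 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
	... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
	at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
	at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
	at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
	... 20 more
"""

if __name__ == "__main__":
    print(root_cause(SAMPLE_TRACE))
```

On this trace the result is java.security.KeyStoreException: Cannot store non-PrivateKeys, thrown in JavaKeyStore.engineSetKeyEntry and reached from SSLUtilBase.getKeyManagers, which is the PEM-to-KeyStore step that chokes on the unsupported key format; the first SEVERE line alone only says that the connector did not come up.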