Re: Add custom Authenticator in context.xml

2020-07-06 Thread Stephane Passignat
I guess it's for OAuth2. I'm using the Apache OAuth2 module and AJP in
Tomcat.

That's just great to externalize authentication out of the
application, it works well, avoids bad design by nature ... but:
- OAuth2 is mostly defined for application authentication, while in
JEE the authentication mechanisms are mostly server side.
- Java frameworks tend to code or put everything inside the app,
while JEE protected it by keeping it outside of the app (in the
container)

 Original message 
From: Thomas Meyer 
Reply-To: Tomcat Users List 
To: users@tomcat.apache.org
Subject: Add custom Authenticator in context.xml
Date: Sat, 4 Jul 2020 20:54:17 +0200

Hi,
a while ago I did write a little POC of how to add a
custom authenticator scheme to tomcat.
this is what I did come up with:
https://github.com/thomasmey/BearerTokenAuthenticator
It's a rather complicated solution! Is there an easier solution to add
a custom authenticator scheme to a Context/context.xml?
Kind regards,
thomas

---
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Re: [OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread Christopher Schultz

John,

On 7/6/20 16:12, john.e.gr...@wellsfargo.com.INVALID wrote:
> Chris,
>> John,
>>
>> On 7/6/20 11:48, john.e.gr...@wellsfargo.com.INVALID wrote:
>>> Chris,
>>>
>>>
>>>> -Original Message- From: Christopher Schultz
>>>> Sent: Monday, July 06, 2020 10:21 AM
>>>> To: Tomcat Users List
>>>> Subject: [OT] Trying to determine the minimum heap required
>>>> for an operation

>>> All,
>>>
>>> Definitely off-topic, but it's the kind of weird thing someone
>>> here might have experience with.
>>>
>>> I have an offline operation I'm considering bringing "inside"
>>> my web-based application. My only concern is memory usage: it
>>> requires that a bunch of data be loaded from a db into memory
>>> and then analyzed. It doesn't take long to execute -- maybe 10
>>> seconds or so, so the memory can be released back to the rest
>>> of the application.
>>>
>>> I've instrumented the command-line process with a thread which
>>> runs every .5sec and captures the used-memory, maintaining a
>>> high-water mark and reporting it after the whole operation is
>>> done. The first time I ran it (with no specific JVM
>>> memory-related settings), it reported that the high-water mark
>>> was ~450MiB.
>>>
>>> I figured that was higher than necessary, and probably just
>>> represented a lazy GC with loads of memory, so I constrained
>>> the process using -Xmx64M. That resulted in a 16MiB high-water
>>> mark. I tried again with -Xmx8M and the high-water mark became
>>> 5MiB.
>>>
>>> Is there a particularly good way to force the GC to be as
>>> aggressive as possible to see how low I can go, or should I
>>> just keep playing-around with the -Xmx setting.
>>>
>>> Another option is to serialize my in-memory structure to the
>>> disk to get a sense of the size in-memory, though it's really
>>> not the same -- it will at least get me in the right ballpark.
>>>
>>> Any suggestions?
>>>
>>> Thanks, -chris

>>>
>>>
>>> I guess I’m that person with the weird experiences.
>>>
>>> Is memory or CPU in short supply?  If not, I don't think you'll
>>> have a problem.  This isn't 1997 anymore.  I do think you should
>>> run a realistic load test, however.
>>
>> No specific problem exists, but this is a multi-user web
>> application. Usually somewhere around 500 - 1000 users logged-in
>> at once. Session size is typically quite low -- only a handful of
>> small objects present with lots of sharing of "large" objects and
>> structures. Heap size is set to max 1GiB on each server and
>> memory usage shows a beautiful sawtooth pattern hovering around
>> ~400MiB for days at a time.
>>
>> I will certainly limit the number of these operations that can
>> occur at once, and they should be relatively rare. My test
>> example was using a small data set, but the size of the data-set
>> varies wildly with the client, so I have to be careful for the
>> larger ones.
>>
>> Busting the heap isn't something I'd like to have happen.
>>
>>> To me the most important GC metric is time spent per
>>> minute/hour/etc.  The next most important metric is individual
>>> pause durations.  Through testing you'll see what those numbers
>>> are.  I work with some large apps that have multi-GB heaps and
>>> it's rare to see GC time being over 1-2%.  IOW, 600-1200ms per
>>> minute.  Often it's a fraction of a percent. With those small
>>> numbers you're talking about, I don't think you'll have any
>>> trouble in this area unless the server is very heavily loaded.
>>
>> Actually, I'm not super concerned about performance of the GC
>> itself. I was just wondering if there was a way to ask the JVM
>> "if you *had* to accomplish this task with the smallest possible
>> heap, what would it be?"
>>
>>> Be sure to enable verbose GC.  In java 8, it's something like
>>> this:
>>>
>>> -XX:+PrintGCDetails -XX:+PrintGCTimeStamps
>>> -XX:+PrintGCDateStamps
>>> -Xloggc:/path/to/gc.log
>>>
>>> Run tests with and without the changes.  You can analyze the GC
>>> output with tools like GCEasy and GCViewer.
>> Sure.
>>
>> Again, I'm more concerned with the overhead that will be required
>> for a particular operation, so I can predict when running such an
>> operation might end up endangering the application server's heap
>> -- and therefore the logged-in users.
>>
>> Theoretically, if the thread hits a heap-full error, the thread
>> will experience an OOME, release its (temporary) large object
>> tree, and the GC will be able to recover, but after an OOME it's
>> never a great plan to trust the JVM for very long.
>>
>> -chris

RE: [OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread John.E.Gregg
Chris,
> John,
> 
> On 7/6/20 11:48, john.e.gr...@wellsfargo.com.INVALID wrote:
> > Chris,
> >
> >
> >> -Original Message- From: Christopher Schultz
> >> Sent: Monday, July 06, 2020 10:21 AM
> >> To: Tomcat Users List
> >> Subject: [OT] Trying to determine the minimum heap required for an operation
> >>
> > All,
> >
> > Definitely off-topic, but it's the kind of weird thing someone here
> > might have experience with.
> >
> > I have an offline operation I'm considering bringing "inside" my
> > web-based application. My only concern is memory usage: it requires
> > that a bunch of data be loaded from a db into memory and then
> > analyzed. It doesn't take long to execute -- maybe 10 seconds or so,
> > so the memory can be released back to the rest of the application.
> >
> > I've instrumented the command-line process with a thread which runs
> > every .5sec and captures the used-memory, maintaining a high-water
> > mark and reporting it after the whole operation is done. The first
> > time I ran it (with no specific JVM memory-related settings), it
> > reported that the high-water mark was ~450MiB.
> >
> > I figured that was higher than necessary, and probably just
> > represented a lazy GC with loads of memory, so I constrained the
> > process using -Xmx64M. That resulted in a 16MiB high-water mark. I
> > tried again with -Xmx8M and the high-water mark became 5MiB.
> >
> > Is there a particularly good way to force the GC to be as aggressive
> > as possible to see how low I can go, or should I just keep
> > playing-around with the -Xmx setting.
> >
> > Another option is to serialize my in-memory structure to the disk to
> > get a sense of the size in-memory, though it's really not the same --
> > it will at least get me in the right ballpark.
> >
> > Any suggestions?
> >
> > Thanks, -chris
> >
> >
> > I guess I’m that person with the weird experiences.
> >
> > Is memory or CPU in short supply?  If not, I don't think you'll have
> > a problem.  This isn't 1997 anymore.  I do think you should run a
> > realistic load test, however.
>
> No specific problem exists, but this is a multi-user web application.
> Usually somewhere around 500 - 1000 users logged-in at once. Session size is
> typically quite low -- only a handful of small objects present with lots of
> sharing of "large" objects and structures. Heap size is set to max 1GiB on
> each server and memory usage shows a beautiful sawtooth pattern hovering
> around ~400MiB for days at a time.
>
> I will certainly limit the number of these operations that can occur at once,
> and they should be relatively rare. My test example was using a small data
> set, but the size of the data-set varies wildly with the client, so I have to
> be careful for the larger ones.
>
> Busting the heap isn't something I'd like to have happen.
>
> > To me the most important GC metric is time spent per
> > minute/hour/etc.  The next most important metric is individual pause
> > durations.  Through testing you'll see what those numbers are.  I work with
> > some large apps that have multi-GB heaps and it's rare to see GC time being
> > over 1-2%.  IOW, 600-1200ms per minute.  Often it's a fraction of a percent.
> > With those small numbers you're talking about, I don't think you'll have any
> > trouble in this area unless the server is very heavily loaded.
>
> Actually, I'm not super concerned about performance of the GC itself.
> I was just wondering if there was a way to ask the JVM "if you *had* to
> accomplish this task with the smallest possible heap, what would it be?"
>
> > Be sure to enable verbose GC.  In java 8, it's something like
> > this:
> >
> > -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps
> > -Xloggc:/path/to/gc.log
> >
> > Run tests with and without the changes.  You can analyze the GC output
> > with tools like GCEasy and GCViewer.
> Sure.
>
> Again, I'm more concerned with the overhead that will be required for a
> particular operation, so I can predict when running such an operation might
> end up endangering the application server's heap -- and therefore the
> logged-in users.
>
> Theoretically, if the thread hits a heap-full error, the thread will
> experience an OOME, release its (temporary) large object tree, and the GC
> will be able to recover, but after an OOME it's never a great plan to trust
> the JVM for very long.
> 
> -chris

Re: RFC7807 ErrorReportValve

2020-07-06 Thread Thomas Meyer
On 5 July 2020 11:28:40 CEST, Michael Osipov wrote:
>On 2020-07-02 at 21:30, Thomas Meyer wrote:
>> Hi,
>> 
>> What are your opinions on providing a RFC7807 based ErrorReportValve
>> as part of Tomcat default distribution?
>
>Thomas, this has been bugging me for a while. Let me share some
>thoughts on this, I'll limit my experiences with Tomcat, Spring Web and
>Zalando Problem (including its web module):
>
>Mark, please correct me if my citation of the Servlet API is wrong.
>
>* The Servlet API has been designed where the only clients were
>browsers
>* The Servlet API mandates that all invocations of
>HttpServletResponse#setError() must yield in a HTML page and this
>*cannot* be changed by default
>* Even if you write a REST API or explicitly use @RestController Spring
>will still invoke #setError() although it makes no sense. I consider
>this to be a conceptual flaw in the Spring framework.
>
>Before we continue which issue do you want to solve? Tomcat produced
>errors or by a framework?

It's about tomcat produced errors:

There are multiple webapps deployed to tomcat all under non-root context path.

Some webapps use spring framework, for these webapps a CustomErrorController 
is installed so always a JSON response in a given JSON layout is done.

Some webapps are pure servlet based, here an error-page entry in web.xml and an 
ErrorServlet is used to also have the same JSON layout as above for all 
possible errors.

But because of some race condition in deployment scripts for multi node setup, 
some class files weren't copied correctly, and tomcat ErrorReportValve was 
triggered with NoClassDef error.

So much for the context.

I guess I'll write a JsonErrorReportValve and install it in lib/ so deployment 
will always respond with same JSON layout in all circumstances, e.g. failed 
deployment or access to unknown context path.

>As for the framework, I would prefer to file an issue with Spring
>Framework first and see what the devs say because this would solely
>solve a symptom.
>
>Michael
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
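
One way to write the JsonErrorReportValve proposed in the message above, as an added example that is not code from the thread or from Tomcat. It assumes the class is packaged in a JAR under Tomcat's lib/ and selected with the Host element's errorReportValveClass attribute in server.xml; the package name and the status-title table are illustrative.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import java.io.Writer;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;

/**
 * Replaces Tomcat's HTML error page with an RFC 7807 "problem details" body,
 * so container-level failures (failed deployment, unknown context path) use
 * the same JSON layout as the applications.
 */
public class JsonErrorReportValve extends ErrorReportValve {

    @Override
    protected void report(Request request, Response response, Throwable throwable) {
        int status = response.getStatus();
        // Same guards as the stock valve: only 4xx/5xx, nothing written yet,
        // and the error has not already been reported.
        if (status < 400 || response.getContentWritten() > 0 || !response.setErrorReported()) {
            return;
        }

        // The throwable (for instance a NoClassDefFoundError from a broken
        // deployment) is deliberately kept out of the body: class names and
        // stack traces belong in the server log, not in a client response.
        String json = "{\"type\":\"about:blank\""
                + ",\"title\":\"" + escape(title(status)) + "\""
                + ",\"status\":" + status
                + ",\"instance\":\"" + escape(request.getRequestURI()) + "\"}";

        try {
            response.setContentType("application/problem+json");
            response.setCharacterEncoding("utf-8");
            Writer writer = response.getReporter();
            if (writer != null) {
                writer.write(json);
                response.finishResponse();
            }
        } catch (IOException | IllegalStateException e) {
            // Client went away or the response is already committed.
        }
    }

    /** With type "about:blank", RFC 7807 expects the title to be the HTTP status phrase. */
    static String title(int status) {
        switch (status) {
            case 400: return "Bad Request";
            case 401: return "Unauthorized";
            case 403: return "Forbidden";
            case 404: return "Not Found";
            case 405: return "Method Not Allowed";
            case 500: return "Internal Server Error";
            case 503: return "Service Unavailable";
            default:  return status >= 500 ? "Server Error" : "Client Error";
        }
    }

    /** Minimal JSON string escaping; the request URI is client-controlled. */
    static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') {
                out.append('\\').append(c);
            } else if (c < 0x20) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
}
```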



[ANN] Apache Tomcat 8.5.57 available

2020-07-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.57.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled
forward from the 9.0.x branch. The notable changes since 8.5.56 include:

- Implement a significant portion of the TLS environment variables
  for the rewrite valve.

- Reduce memory footprint of closed HTTP/2 streams

- Improve parsing of RFC 2109 cookies

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team





Re: Problem with JarScanFilter, maybe a bug?

2020-07-06 Thread Christopher Schultz

Vitor,

On 7/6/20 15:50, Vitor Medina Cruz wrote:
> On Mon, Jul 6, 2020 at 8:57 AM Mark Thomas 
> wrote:
>
>> On 06/07/2020 12:25, Mark Thomas wrote:
>>> On 03/07/2020 13:40, Vitor Medina Cruz wrote:
>>>> On Thu, Jul 2, 2020 at 11:21 AM Mark Thomas wrote:
>>>>
>>>>> On 02/07/2020 14:14, Vitor Medina Cruz wrote:
>>>>>> On Wed, Jul 1, 2020 at 6:48 PM Mark Thomas wrote:
>>>>>
>>>>>>> @WebFilter, @WebListener and @WebServlet are deployment
>>>>>>> annotations so scanning for these is controlled by the
>>>>>>> JarScanner.
>>>>>>>
>>>>>>> If an SCI has an @HandlesTypes annotation then all JARs
>>>>>>> that are potential SCI sources will be scanned for
>>>>>>> matches. To put it another way, the JarScanner
>>>>>>> configuration does NOT control the search for
>>>>>>> @HandlesTypes matches. Any JAR eligible to provide an
>>>>>>> SCI will be scanned for @HandlesTypes. Those JARs are
>>>>>>> controlled by
>>>>>>
>>>>>> Ok, and if a jar doesn't provide a web-fragment name? In
>>>>>> this old post (
>>>>>> http://tomcat.10.x6.nabble.com/Why-does-absolute-ordering-in-web-xml-without-others-kill-classpath-scanning-td5029985.html
>>>>>> ) it is said:
>>>>>>
>>>>>> "Tomcat will give these a name equal to the name of the
>>>>>> JAR file so you can use it in ordering. That is a Tomcat
>>>>>> specific feature."
>>>>>>
>>>>>> This is/holds true? I tried with no success
>>>>>
>>>>> It should do. So for foobar-0.3.jar the name should be
>>>>> "foobar-0.3.jar"
>>>>
>>>> Don't work... :( both in Tomcat 8.5.56 and 9.0.36 I got a
>>>> "Used a wrong fragment name [flow-server-2.2.1.jar] at
>>>> web.xml absolute-ordering tag"
>>>
>>> Hmm. Let me look into what is going on here...
>>
>> My memory and the comment from 2015 were incorrect. It is the
>> full URL that is used rather than just the name.
>>
>> While the JAR name should be unique within WEB-INF/lib, the JAR
>> scanning extends outside of that to include CATALINA_BASE/lib and
>> potentially the bootstrap class path. Duplicates can trigger
>> deployment failure - hence the more cautious approach.
>>
>> As an example, this is the URL on my system (taken from Tomcat
>> 10.0.x but the code should be the same in 9.0.x and 8.5.x):
>>
>> file:/home/mark/repos/asf-tomcat-10.0.x/output/build/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5-migrated-0.0.1.jar
>>
>> Rather long for a fragment but it ensures uniqueness.
>>
>
> Thanks, that worked! In my windows machine I used file:/C:/ the path>
>
>
> Is it possible to use relative path of some sort in order to not
> tie this config to my machine?

No promises, but you could try:

${catalina.base}/path/relative/to/tomcat

for example:

${catalina.base}/webapps/mywebapp/WEB-INF/lib/taglibs-standard-impl-1.2.5-migrated-0.0.1.jar

I don't know if the system-property-replacement will be honored in
that particular context, but it is supported in others. It seems like
that could be added if it's not already supported.

-chris



Re: Add custom Authenticator in context.xml

2020-07-06 Thread Thomas Meyer
On 6 July 2020 14:14:59 CEST, Mark Thomas wrote:
>On 04/07/2020 19:54, Thomas Meyer wrote:
>> Hi,
>> 
>> a while ago I did write a little POC of how to add a custom
>> authenticator scheme to tomcat.
>> 
>> this is what I did come up with:
>> https://github.com/thomasmey/BearerTokenAuthenticator
>> 
>> It's a rather complicated solution!
>> Is there an easier solution to add a custom authenticator scheme
>> to a Context/context.xml?
>
>How about:
>
>1. Extract the Authenticators.properties file from catalina.jar
>   (or from source)
>2. Edit it to reference the custom Authenticator
>3. Place it at $CATALINA_BASE/lib/org/apache/catalina/startup
>4. Add the JAR with the custom authenticator to $CATALINA_BASE/lib
>
>which would make it generally available to use in WEB-INF/web.xml

Okay, understand! Nice trick.

>
>Or
>
>1. Add it directly to context.xml as:
>
><Context>
>  <Valve
>   className="de.m3y3r.catalina.authenticator.BearerTokenAuthenticator" />
></Context>

Ah, okay an Authenticator is also a Valve, I didn't think about this!

I will play around with this setup a bit. thanks for the hint!

>
>which you would need to do for each app that wants to use it (or set it
>in the global web.xml for all apps).
>
>Mark
>





[ANN] Apache Tomcat 9.0.37 available

2020-07-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.37.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.37 is a bugfix and feature release. The notable
changes compared to 9.0.36 include:

- Implement a significant portion of the TLS environment variables
  for the rewrite valve.

- Improvements to the creation of OSGi manifests.

- Reduce memory footprint of closed HTTP/2 streams

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team





Re: Problem with JarScanFilter, maybe a bug?

2020-07-06 Thread Vitor Medina Cruz
On Mon, Jul 6, 2020 at 8:57 AM Mark Thomas  wrote:

> On 06/07/2020 12:25, Mark Thomas wrote:
> > On 03/07/2020 13:40, Vitor Medina Cruz wrote:
> >> On Thu, Jul 2, 2020 at 11:21 AM Mark Thomas  wrote:
> >>
> >>> On 02/07/2020 14:14, Vitor Medina Cruz wrote:
> >>>> On Wed, Jul 1, 2020 at 6:48 PM Mark Thomas  wrote:
> >>>
> >>>
> >>>
> >>>>> @WebFilter, @WebListener and @WebServlet are deployment annotations so
> >>>>> scanning for these is controlled by the JarScanner.
> >>>>>
> >>>>> If an SCI has an @HandlesTypes annotation then all JARs that are
> >>>>> potential SCI sources will be scanned for matches. To put it another
> >>>>> way, the JarScanner configuration does NOT control the search for
> >>>>> @HandlesTypes matches. Any JAR eligible to provide an SCI will be
> >>>>> scanned for @HandlesTypes. Those JARs are controlled by
> >>>
> >>>>
> >>>> Ok, and if a jar doesn't provide a web-fragment name? In this old
> >>>> post (
> >>>> http://tomcat.10.x6.nabble.com/Why-does-absolute-ordering-in-web-xml-without-others-kill-classpath-scanning-td5029985.html
> >>>> ) it is said:
> >>>>
> >>>> "Tomcat will give these a name equal to the name of the JAR file so
> >>>> you can use it in ordering. That is a Tomcat specific feature."
> >>>>
> >>>> This is/holds true? I tried with no success
> >>>
> >>> It should do. So for foobar-0.3.jar the name should be "foobar-0.3.jar"
> >>>
> >>>
> >> Don't work... :( both in Tomcat 8.5.56 and 9.0.36 I got a "Used a wrong
> >> fragment name [flow-server-2.2.1.jar] at web.xml absolute-ordering tag"
> >
> > Hmm. Let me look into what is going on here...
>
> My memory and the comment from 2015 were incorrect. It is the full URL
> that is used rather than just the name.
>
> While the JAR name should be unique within WEB-INF/lib, the JAR scanning
> extends outside of that to include CATALINA_BASE/lib and potentially the
> bootstrap class path. Duplicates can trigger deployment failure -
> hence the more cautious approach.
>
> As an example, this is the URL on my system (taken from Tomcat 10.0.x
> but the code should be the same in 9.0.x and 8.5.x):
>
>
> file:/home/mark/repos/asf-tomcat-10.0.x/output/build/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5-migrated-0.0.1.jar
>
> Rather long for a fragment but it ensures uniqueness.
>

Thanks, that worked! In my windows machine I used file:/C:/


Is it possible to use relative path of some sort in order to not tie this
config to my machine?



>
> Mark
>
>
>


[ANN] Apache Tomcat 10.0.0-M7 available

2020-07-06 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.0-M7.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is under development to aid
this process.

Apache Tomcat 10.0.0-M7 is a milestone release of the 10.0.x
branch and has been made to provide users with early access to the new
features in Apache Tomcat 10.0.x so that they may provide feedback. The
notable changes compared to 10.0.0-M6 include:

- Implement a significant portion of the TLS environment variables
  for the rewrite valve.

- Add the Jakarta EE 9 schema.

- Improvements to the creation of OSGi manifests.

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: SameSite attribute handling

2020-07-06 Thread Christopher Schultz

Abirami,

On 7/6/20 12:16, S Abirami wrote:
> I have used setHeader, addCookie for that also  it is getting
> twice

Of course it is, if Tomcat is automatically adding a Cookie to the
response for you.

> Only after, disabling cookie false in context.xml  setHeader for
> cookie is working.

What exact version of Tomcat are you using?

What is the problem you are trying to solve?

If you are setting sameSiteCookies to something other than "unset",
then it will affect all cookies for which Tomcat generates a
"Set-Cookie" header.

> I tried option also
??

From your original post:

> Context changes reflecting issue in tenable vulnerable.

I'm not sure I understand what you are saying, here. Can you explain
in a different way?

-chris

> -Original Message- From: Christopher Schultz
>  Sent: Thursday, July 2, 2020 11:07
> PM To: Tomcat Users List  Subject: Re:
> SameSite attribute handling
>
> Abirami,
>
> On 7/1/20 03:06, S Abirami wrote:
>> We can add the samesite attribute in set-cookie header through
>> context.xml entry in tomcat. Is there any other way, can we add
>> samesite attribute in response of set-cookie header.
> Not for Tomcat-generated cookies, and not for cookies added to the
> response like this:
>
> response.addCookie(myCookie);
>
> This is because the Servlet API hasn't yet caught up with
> state-of-the-art.
>
> You can, however, craft your own Set-Cookie response header like
> this:
>
> response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");
>
> Remember that there are rules about the composition of the cookie's
> name, value, etc. that Tomcat enforces for you that you will have
> to handle yourself.
>
>> I tried with filter by using setHeader but it is sending two
>> set-Cookie header.
>
> Correct: you will have to use *either* setCookie() or setHeader().
>
> -chris
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
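
The thread notes that a hand-written Set-Cookie header bypasses the name and value checks Tomcat applies to addCookie(). The following added example, which is not code from the thread or from Tomcat, shows one way to apply the RFC 6265 character rules before building such a header; the class, enum and method names are hypothetical, and quoted cookie values are not supported.

```java
public final class SameSiteCookieHeader {

    public enum SameSite {
        STRICT("Strict"), LAX("Lax"), NONE("None");

        final String token;

        SameSite(String token) {
            this.token = token;
        }
    }

    // Separator characters that the HTTP "token" rule (used by RFC 6265 for
    // cookie names) does not allow.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    private SameSiteCookieHeader() {
    }

    /** cookie-name = token: visible US-ASCII without separators. */
    static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    /** cookie-octet: no controls, whitespace, DQUOTE, comma, semicolon or backslash. */
    static boolean isValidValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean cookieOctet = c == 0x21 || (c >= 0x23 && c <= 0x2b)
                    || (c >= 0x2d && c <= 0x3a) || (c >= 0x3c && c <= 0x5b)
                    || (c >= 0x5d && c <= 0x7e);
            if (!cookieOctet) {
                return false;
            }
        }
        return true;
    }

    /** path-value: any US-ASCII character except controls and ';'. */
    static boolean isValidPath(String path) {
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c < 0x20 || c >= 0x7f || c == ';') {
                return false;
            }
        }
        return true;
    }

    /** Builds the value to pass to response.addHeader("Set-Cookie", ...). */
    public static String build(String name, String value, String path,
                               SameSite sameSite, boolean secure, boolean httpOnly) {
        if (!isValidName(name)) {
            throw new IllegalArgumentException("invalid cookie name");
        }
        if (!isValidValue(value)) {
            // Also rejects CR/LF, so a value cannot smuggle in a second header.
            throw new IllegalArgumentException("invalid cookie value");
        }
        if (path != null && !isValidPath(path)) {
            throw new IllegalArgumentException("invalid cookie path");
        }
        if (sameSite == SameSite.NONE && !secure) {
            // Browsers that enforce SameSite reject None without Secure.
            throw new IllegalArgumentException("SameSite=None requires Secure");
        }
        StringBuilder header = new StringBuilder(name).append('=').append(value);
        if (path != null) {
            header.append("; Path=").append(path);
        }
        if (secure) {
            header.append("; Secure");
        }
        if (httpOnly) {
            header.append("; HttpOnly");
        }
        return header.append("; SameSite=").append(sameSite.token).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(build("CookieName", "value", "/app", SameSite.STRICT, true, true));
        try {
            build("CookieName", "v\r\nSet-Cookie: other=1", "/app", SameSite.LAX, true, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For cookies Tomcat generates itself, the sameSiteCookies setting discussed in the thread remains the way to set the attribute; a cookie sent with this helper must not also be passed to addCookie(), or the header goes out twice.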



RE: SameSite attribute handling

2020-07-06 Thread S Abirami
Hi Christopher,

I have used setHeader, addCookie for that also  it is getting twice
Only after, disabling cookie false in context.xml  setHeader for cookie is 
working.

I tried option also


Regards,
Abirami.S

-Original Message-
From: Christopher Schultz  
Sent: Thursday, July 2, 2020 11:07 PM
To: Tomcat Users List 
Subject: Re: SameSite attribute handling


Abirami,

On 7/1/20 03:06, S Abirami wrote:
> We can add the samesite attribute in set-cookie header through 
> context.xml entry in tomcat. Is there any other way, can we add 
> samesite attribute in response of set-cookie header.
Not for Tomcat-generated cookies, and not for cookies added to the response 
like this:

  response.addCookie(myCookie);

This is because the Servlet API hasn't yet caught up with state-of-the-art.

You can, however, craft your own Set-Cookie response header like this:

  response.addHeader("Set-Cookie", "CookieName=value; SameSite=Strict");

Remember that there are rules about the composition of the cookie's name, 
value, etc. that Tomcat enforces for you that you will have to handle yourself.

> I tried with filter by using setHeader but it is sending two 
> set-Cookie header.

Correct: you will have to use *either* setCookie() or setHeader().

-chris



Re: [OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread Christopher Schultz

John,

On 7/6/20 11:48, john.e.gr...@wellsfargo.com.INVALID wrote:
> Chris,
>
>
>> -Original Message- From: Christopher Schultz
>> Sent: Monday, July 06, 2020 10:21 AM
>> To: Tomcat Users List
>> Subject: [OT] Trying to determine the minimum heap required for an operation
>>
> All,
>
> Definitely off-topic, but it's the kind of weird thing someone here
> might have experience with.
>
> I have an offline operation I'm considering bringing "inside" my
> web-based application. My only concern is memory usage: it requires
> that a bunch of data be loaded from a db into memory and then
> analyzed. It doesn't take long to execute -- maybe 10 seconds or
> so, so the memory can be released back to the rest of the
> application.
>
> I've instrumented the command-line process with a thread which runs
> every .5sec and captures the used-memory, maintaining a high-water
> mark and reporting it after the whole operation is done. The first
> time I ran it (with no specific JVM memory-related settings), it
> reported that the high-water mark was ~450MiB.
>
> I figured that was higher than necessary, and probably just
> represented a lazy GC with loads of memory, so I constrained the
> process using -Xmx64M. That resulted in a 16MiB high-water mark. I
> tried again with -Xmx8M and the high-water mark became 5MiB.
>
> Is there a particularly good way to force the GC to be as
> aggressive as possible to see how low I can go, or should I just
> keep playing-around with the -Xmx setting.
>
> Another option is to serialize my in-memory structure to the disk
> to get a sense of the size in-memory, though it's really not the
> same -- it will at least get me in the right ballpark.
>
> Any suggestions?
>
> Thanks, -chris
>
>
> I guess I’m that person with the weird experiences.
>
> Is memory or CPU in short supply?  If not, I don't think you'll
> have a problem.  This isn't 1997 anymore.  I do think you should run a
> realistic load test, however.

No specific problem exists, but this is a multi-user web application.
Usually somewhere around 500 - 1000 users logged-in at once. Session
size is typically quite low -- only a handful of small objects present
with lots of sharing of "large" objects and structures. Heap size is
set to max 1GiB on each server and memory usage shows a beautiful
sawtooth pattern hovering around ~400MiB for days at a time.

I will certainly limit the number of these operations that can occur
at once, and they should be relatively rare. My test example was using
a small data set, but the size of the data-set varies wildly with the
client, so I have to be careful for the larger ones.

Busting the heap isn't something I'd like to have happen.

> To me the most important GC metric is time spent per
> minute/hour/etc.  The next most important metric is individual pause
> durations.  Through testing you'll see what those numbers are.  I work
> with some large apps that have multi-GB heaps and it's rare to see GC
> time being over 1-2%.  IOW, 600-1200ms per minute.  Often it's a
> fraction of a percent.  With those small numbers you're talking about,
> I don't think you'll have any trouble in this area unless the server
> is very heavily loaded.

Actually, I'm not super concerned about performance of the GC itself.
I was just wondering if there was a way to ask the JVM "if you *had*
to accomplish this task with the smallest possible heap, what would it
be?"

> Be sure to enable verbose GC.  In java 8, it's something like
> this:
>
> -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps
> -Xloggc:/path/to/gc.log
>
> Run tests with and without the changes.  You can analyze the GC
> output with tools like GCEasy and GCViewer.

Sure.

Again, I'm more concerned with the overhead that will be required for
a particular operation, so I can predict when running such an
operation might end up endangering the application server's heap --
and therefore the logged-in users.

Theoretically, if the thread hits a heap-full error, the thread will
experience an OOME, release its (temporary) large object tree, and
the GC will be able to recover, but after an OOME it's never a great
plan to trust the JVM for very long.

-chris

Re: [OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread Suvendu Sekhar Mondal
Hello Christopher,

On Mon, Jul 6, 2020, 8:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> All,
>
> Definitely off-topic, but it's the kind of weird thing someone here
> might have experience with.
>
> I have an offline operation I'm considering bringing "inside" my
> web-based application. My only concern is memory usage: it requires
> that a bunch of data be loaded from a db into memory and then
> analyzed. It doesn't take long to execute -- maybe 10 seconds or so,
> so the memory can be released back to the rest of the application.
>
> I've instrumented the command-line process with a thread which runs
> every .5sec and captures the used-memory, maintaining a high-water
> mark and reporting it after the whole operation is done. The first
> time I ran it (with no specific JVM memory-related settings), it
> reported that the high-water mark was ~450MiB.
>
> I figured that was higher than necessary, and probably just
> represented a lazy GC with loads of memory, so I constrained the
> process using -Xmx64M. That resulted in a 16MiB high-water mark. I
> tried again with -Xmx8M and the high-water mark became 5MiB.
>
> Is there a particularly good way to force the GC to be as aggressive
> as possible to see how low I can go, or should I just keep
> playing-around with the -Xmx setting.
>

Looks like you wanted to track live objects generated by your program. I
don't recall a JMX metric of the JVM to get that. If in some way you can trigger
a couple of Full GCs during processing and log everything to a GC log,
then you'll get that. So, reducing -Xmx will help after some iterations.

One thing you can try using is -Dsun.rmi.dgc.client.gcInterval and server
flags and set them to 1 sec. That way you will get a Full GC every 1 sec. It
worked properly with Parallel GC and doesn't work with G1 in JDK 1.8. You
can try and see if it serves your purpose.

More on that property can be found at
https://docs.oracle.com/javase/8/docs/technotes/guides/rmi/sunrmiproperties.html

>
> Another option is to serialize my in-memory structure to the disk to
> get a sense of the size in-memory, though it's really not the same --
> it will at least get me in the right ballpark.
>
> Any suggestions?
>
> Thanks,
> -chris


RE: [OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread John.E.Gregg
Chris,


> -Original Message-
> From: Christopher Schultz 
> Sent: Monday, July 06, 2020 10:21 AM
> To: Tomcat Users List 
> Subject: [OT] Trying to determine the minimum heap required for an
> operation
> 
> All,
> 
> Definitely off-topic, but it's the kind of weird thing someone here might have
> experience with.
> 
> I have an offline operation I'm considering bringing "inside" my web-based
> application. My only concern is memory usage: it requires that a bunch of
> data be loaded from a db into memory and then analyzed. It doesn't take
> long to execute -- maybe 10 seconds or so, so the memory can be released
> back to the rest of the application.
> 
> I've instrumented the command-line process with a thread which runs every
> .5sec and captures the used-memory, maintaining a high-water mark and
> reporting it after the whole operation is done. The first time I ran it (with no
> specific JVM memory-related settings), it reported that the high-water mark
> was ~450MiB.
> 
> I figured that was higher than necessary, and probably just represented a
> lazy GC with loads of memory, so I constrained the process using -Xmx64M.
> That resulted in a 16MiB high-water mark. I tried again with -Xmx8M and the
> high-water mark became 5MiB.
> 
> Is there a particularly good way to force the GC to be as aggressive as
> possible to see how low I can go, or should I just keep playing-around with
> the -Xmx setting.
> 
> Another option is to serialize my in-memory structure to the disk to get a
> sense of the size in-memory, though it's really not the same -- it will at least
> get me in the right ballpark.
> 
> Any suggestions?
> 
> Thanks,
> -chris


I guess I’m that person with the weird experiences.

Is memory or CPU in short supply?  If not, I don't think you'll have a problem. 
 This isn't 1997 anymore.  I do think you should run a realistic load test, 
however.

To me the most important GC metric is time spent per minute/hour/etc.  The next 
most important metric is individual pause durations.  Through testing you'll 
see what those numbers are.  I work with some large apps that have multi-GB 
heaps and it's rare to see GC time being over 1-2%.  IOW, 600-1200ms per 
minute.  Often it's a fraction of a percent.  With those small numbers you're 
talking about, I don't think you'll have any trouble in this area unless the 
server is very heavily loaded.

Be sure to enable verbose GC.  In java 8, it's something like this:

-XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps 
-Xloggc:/path/to/gc.log

Run tests with and without the changes.  You can analyze the GC output with 
tools like GCEasy and GCViewer.

John




[OT] Trying to determine the minimum heap required for an operation

2020-07-06 Thread Christopher Schultz

All,

Definitely off-topic, but it's the kind of weird thing someone here
might have experience with.

I have an offline operation I'm considering bringing "inside" my
web-based application. My only concern is memory usage: it requires
that a bunch of data be loaded from a db into memory and then
analyzed. It doesn't take long to execute -- maybe 10 seconds or so,
so the memory can be released back to the rest of the application.

I've instrumented the command-line process with a thread which runs
every .5sec and captures the used-memory, maintaining a high-water
mark and reporting it after the whole operation is done. The first
time I ran it (with no specific JVM memory-related settings), it
reported that the high-water mark was ~450MiB.

I figured that was higher than necessary, and probably just
represented a lazy GC with loads of memory, so I constrained the
process using -Xmx64M. That resulted in a 16MiB high-water mark. I
tried again with -Xmx8M and the high-water mark became 5MiB.

Is there a particularly good way to force the GC to be as aggressive
as possible to see how low I can go, or should I just keep
playing-around with the -Xmx setting.

Another option is to serialize my in-memory structure to the disk to
get a sense of the size in-memory, though it's really not the same --
it will at least get me in the right ballpark.

Any suggestions?

Thanks,
-chris



Re: RFC7807 ErrorReportValve

2020-07-06 Thread Mark Thomas
On 05/07/2020 10:28, Michael Osipov wrote:
> On 2020-07-02 at 21:30, Thomas Meyer wrote:
>> Hi,
>>
>> What are your opinions on providing a RFC7807 based ErrorReportValve
>> as part of Tomcat default distribution?
> 
> Thomas, this has been bugging me for a while. Let me share some thoughts
> on this, I'll limit my experiences with Tomcat, Spring Web and Zalando
> Problem (including its web module):
> 
> Mark, please correct me if my citation of the Servlet API is wrong.
> 
> * The Servlet API has been designed where the only clients were browsers

I don't think anything in the Servlet API is browser specific. That use
case is certainly supported but I don't think that support is exclusive.

> * The Servlet API mandates that all invocations of
> HttpServletResponse#setError() must yield in a HTML page and this
> *cannot* be changed by default

I don't recall any requirement to that effect and I can't find anything
looking in the spec.

The requirement is that the error handling mechanism is invoked. Nothing
stops an application providing an error servlet configured to handle all
errors. That could return HTML, JSON, XML, text/plain, etc.

Tomcat's default implementation returns HTML.

> * Even if you write a REST API or explicitly use @RestController Spring
> will still invoke #setError() although it makes no sense. I consider
> this to be a conceptual flaw in the Spring framework.

Why? Using sendError() just invokes the error handling mechanism.
What matters is what is configured to handle those errors.

Mark




Re: RFC7807 ErrorReportValve

2020-07-06 Thread Mark Thomas
On 03/07/2020 20:42, Thomas Meyer wrote:
> On 2 July 2020 at 21:45:53 CEST, Mark Thomas wrote:
>> On 02/07/2020 20:30, Thomas Meyer wrote:
>>> Hi,
>>>
>>> What are your opinions on providing a RFC7807 based ErrorReportValve
>> as part of Tomcat default distribution?
>>
>> RFC 7807 looks to be application specific so support for that RFC looks
>> to be better handled at the application level.
> 
> Mhh, okay, sad to hear.
> 
> The basic idea was to provide an ErrorReportValve that always responds with
> a JSON, given the use case that tomcat is sometimes used purely as an HTTP
> JSON based API server, aka. REST, this Valve would always return a JSON
> object and not suddenly an HTML page if for any reason something goes
> horribly wrong.
> 
> It would be a nice to have for tomcat to provide an out of the box support 
> for this use case.
> 
> But yes the format of the JSON is hard to define generally, above RFC was one 
> of the first search results :-)

If there was something that could be done generically at the container
level then I'd have no objection but it doesn't look like RFC 7807 is a
good fit for that.

Mark




Tomcat mod_jk rpm-build for CentOS-8 - exit with error.

2020-07-06 Thread Klaus Tachtler

Hi,

I'm trying to build a rpm package for CentOS-8 for mod_jk with the  
latest version 1.2.48. While building the rpm package, following error  
occurs:



- %< -

...
make[1]: Entering directory  
'/root/rpmbuild/BUILD/tomcat-connectors-1.2.48-src/native/apache-2.0'
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc  
-I/usr/include/httpd -O2 -g -pipe -Wall -Werror=format-security  
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions  
-fstack-protector-strong -grecord-gcc-switches  
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic  
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  
-DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I../common -I ../common -DLINUX  
-D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Werror=format-security  
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions  
-fstack-protector-strong -grecord-gcc-switches  
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic  
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  
-pthread -DHAVE_APR  -I/usr/include/apr-1 -I/usr/include/apr-1 -O2 -g  
-pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2  
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong  
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic  
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  
-DHAVE_CONFIG_H -O2 -g -pipe -Wall -Werror=format-security  
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions  
-fstack-protector-strong -grecord-gcc-switches  
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1  
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic  
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection  
-I/usr/include/apr-1  -Wl,-z,relro,-z,now -Wl,-z,relro -Wl,-z,now  
-Wl,-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o mod_jk.la -module  
-rpath /usr/lib64/httpd/modules -avoid-version mod_jk.lo  
../common/jk_ajp12_worker.lo ../common/jk_connect.lo  
../common/jk_msg_buff.lo ../common/jk_util.lo ../common/jk_ajp13.lo  
../common/jk_pool.lo ../common/jk_worker.lo  
../common/jk_ajp13_worker.lo ../common/jk_lb_worker.lo  
../common/jk_sockbuf.lo ../common/jk_map.lo  
../common/jk_uri_worker_map.lo ../common/jk_ajp14.lo  
../common/jk_ajp14_worker.lo ../common/jk_md5.lo ../common/jk_shm.lo  
../common/jk_ajp_common.lo ../common/jk_context.lo ../common/jk_url.lo  
../common/jk_status.lo
/usr/bin/ld: unrecognized option  
'-specs=/usr/lib/rpm/redhat/redhat-hardened-ld'

/usr/bin/ld: use the --help option for usage information
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:83: mod_jk.la] Error 1
make[1]: Leaving directory  
'/root/rpmbuild/BUILD/tomcat-connectors-1.2.48-src/native/apache-2.0'

make: *** [Makefile:470: all-recursive] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.O4kRZI (%build)

- >% -


Any ideas how I can solve that problem?


Thank you in advance!
Klaus.

--

---
e-Mail  : kl...@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---


Re: Add custom Authenticator in context.xml

2020-07-06 Thread Mark Thomas
On 04/07/2020 19:54, Thomas Meyer wrote:
> Hi,
> 
> a while ago I did write a little POC of how to add a custom
> authenticator scheme to tomcat.
> 
> this is what I did come up with:
> https://github.com/thomasmey/BearerTokenAuthenticator
> 
> It's a rather complicated solution!
> Is there a more easy solution to add a custom authenticator scheme to a
> Context/context.xml?

How about:

1. Extract the Authenticators.properties file from catalina.jar
   (or from source)
2. Edit it to reference the custom Authenticator
3. Place it at $CATALINA_BASE/lib/org/apache/catalina/startup
4. Add the JAR with the custom authenticator to $CATALINA_BASE/lib

which would make it generally available to use in WEB-INF/web.xml

Or

1. Add it directly to context.xml as:


   


which you would need to do for each app that wants to use it (or set it
in the global web.xml for all apps).

Mark
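
The two options above, written out as configuration. This is an added example, not the snippet from the original message: the class name com.example.BearerTokenAuthenticator, the scheme name BEARER, the role and the URL pattern are hypothetical, and the JAR is assumed to be on the container class path ($CATALINA_BASE/lib) in both cases.

```xml
<!-- Added example. com.example.BearerTokenAuthenticator, BEARER, api-user
     and /api/* are hypothetical placeholders. -->

<!-- Option 1, step 2: line appended to the extracted copy of
     org/apache/catalina/startup/Authenticators.properties
     (format: AUTH-METHOD=implementation class):

       BEARER=com.example.BearerTokenAuthenticator
-->

<!-- Option 1: WEB-INF/web.xml of an application that selects the scheme.
     The authenticator only challenges requests that match a
     security-constraint, so the constraint is part of the setup. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>api-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <!-- Looked up in Authenticators.properties at context start -->
    <auth-method>BEARER</auth-method>
  </login-config>
  <security-role>
    <role-name>api-user</role-name>
  </security-role>
</web-app>

<!-- Option 2: META-INF/context.xml of each application that uses it.
     An Authenticator is a Valve; when one is already present in the
     Context pipeline, Tomcat does not install another from login-config. -->
<Context>
  <Valve className="com.example.BearerTokenAuthenticator" />
</Context>
```

With either option, a request to an unconstrained URL passes through without authentication, so confirm with an unauthenticated request that the protected paths actually return a challenge.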




Re: Problem with JarScanFilter, maybe a bug?

2020-07-06 Thread Mark Thomas
On 06/07/2020 12:25, Mark Thomas wrote:
> On 03/07/2020 13:40, Vitor Medina Cruz wrote:
>> On Thu, Jul 2, 2020 at 11:21 AM Mark Thomas  wrote:
>>
>>> On 02/07/2020 14:14, Vitor Medina Cruz wrote:
>>>> On Wed, Jul 1, 2020 at 6:48 PM Mark Thomas wrote:
>>>
>>>
>>>
>>>>> @WebFilter, @WebListener and @WebServlet are deployment annotations so
>>>>> scanning for these is controlled by the JarScanner.
>>>>>
>>>>> If an SCI has an @HandlesTypes annotation then all JARs that are
>>>>> potential SCI sources will be scanned for matches. To put it another
>>>>> way, the JarScanner configuration does NOT control the search for
>>>>> @HandlesTypes matches. Any JAR eligible to provide an SCI will be
>>>>> scanned for @HandlesTypes. Those JARs are controlled by
>>>
>>>>>
>>>>
>>>> Ok, and if a jar doesn't provide a web-fragment name? In this old post(
>>>>
>>> http://tomcat.10.x6.nabble.com/Why-does-absolute-ordering-in-web-xml-without-others-kill-classpath-scanning-td5029985.html
>>> )
>>>> it is said :
>>>>
>>>> "Tomcat will give these a name equal to the name of the JAR file so you
>>> can
>>>> use it in ordering. That is a Tomcat specific feature."
>>>>
>>>> This is/holds true? I tried with no success
>>>
>>> It should do. So for foobar-0.3.jar the name should be "foobar-0.3.jar"
>>>
>>>
>> Don't work... :( both in Tomcat 8.5.56 and 9.0.36 I got a "Used a wrong
>> fragment name [flow-server-2.2.1.jar] at web.xml absolute-ordering tag"
> 
> Hmm. Let me look into what is going on here...

My memory and the comment from 2015 were incorrect. It is the full URL
that is used rather than just the name.

While the JAR name should be unique within WEB-INF/lib, the JAR scanning
extends outside of that to include CATALINA_BASE/lib and potentially
the bootstrap class path. Duplicates can trigger deployment failure -
hence the more cautious approach.

As an example, this is the URL on my system (taken from Tomcat 10.0.x
but the code should be the same in 9.0.x and 8.5.x):

file:/home/mark/repos/asf-tomcat-10.0.x/output/build/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5-migrated-0.0.1.jar

Rather long for a fragment but it ensures uniqueness.

Mark




Re: Problem with JarScanFilter, maybe a bug?

2020-07-06 Thread Mark Thomas
On 03/07/2020 13:40, Vitor Medina Cruz wrote:
> On Thu, Jul 2, 2020 at 11:21 AM Mark Thomas  wrote:
> 
>> On 02/07/2020 14:14, Vitor Medina Cruz wrote:
>>> On Wed, Jul 1, 2020 at 6:48 PM Mark Thomas  wrote:
>>
>> 
>>
>>>> @WebFilter, @WebListener and @WebServlet are deployment annotations so
>>>> scanning for these is controlled by the JarScanner.
>>>>
>>>> If an SCI has an @HandlesTypes annotation then all JARs that are
>>>> potential SCI sources will be scanned for matches. To put it another
>>>> way, the JarScanner configuration does NOT control the search for
>>>> @HandlesTypes matches. Any JAR eligible to provide an SCI will be
>>>> scanned for @HandlesTypes. Those JARs are controlled by
>>
>>>>
>>>
>>> Ok, and if a jar doesn't provide a web-fragment name? In this old post(
>>>
>> http://tomcat.10.x6.nabble.com/Why-does-absolute-ordering-in-web-xml-without-others-kill-classpath-scanning-td5029985.html
>> )
>>> it is said :
>>>
>>> "Tomcat will give these a name equal to the name of the JAR file so you
>> can
>>> use it in ordering. That is a Tomcat specific feature."
>>>
>>> This is/holds true? I tried with no success
>>
>> It should do. So for foobar-0.3.jar the name should be "foobar-0.3.jar"
>>
>>
> Don't work... :( both in Tomcat 8.5.56 and 9.0.36 I got a "Used a wrong
> fragment name [flow-server-2.2.1.jar] at web.xml absolute-ordering tag"

Hmm. Let me look into what is going on here...

Mark
