Re: [OT] programming style or mental process ?

2021-04-06 Thread gustavo . avitabile



Quoting "André Warnier (tomcat/perl)" :


On 05.04.2021 14:37, Christopher Schultz wrote:
Or, more literarily, given that the syntax of most (all?)  
programming languages is based on English (if, then, else, new,  
for, while, until, exit, continue, etc.), we (*) do normally ask  
"is your coffee cold ?" and not "is cold your coffee ?".


On the other hand, in English, coffee which is not hot is called  
"cold coffee" but in e.g. Spanish, it's "coffee cold".


To nitpick, in Spanish one would rather say "cafe frio".


... and, in Italian, "caffè freddo",
but we Italians love coffee, and we have much phantasy, so try also:
"granita di caffè", "caffè gelato", "caffè col ghiaccio", "il caffè  
s'è fatto freddo", ...


But that's a bit beside the point since - as mentioned above - most  
currently fashionable programming languages are based on English.

Nevertheless, just for the sake of it, and in some imaginary situation
in which the Java syntax would be based on Spanish, one would  
probably have this :


  si (nada == requerimiento.obtengaCodificaciónCarácteros()) entonces {

  } sino {

  }

as opposed to

   si (requerimiento.obtengaCodificaciónCarácteros() == nada) entonces {

  } sino {

  }

.. which makes it even more striking that the first form deviates  
from the human language, because "nothing" cannot really be equal to  
anything, and thus the first form should always evaluate to false. (*)


(Which would also lead to more concise Java programs, because if you  
already know the answer, then you don't even need to make the test  
in the first place.)


On the other hand, this provides an interesting insight into  
English-speaking people's thought processes, for example as to the  
expression "nothing matches a good coffee in the morning", which is  
undoubtedly evaluated as true by many, although logically it cannot  
be.


:-)


(*) actually, this appears to be false : in Java, (null == null) is true.
See here for an in-depth discussion :  
https://stackoverflow.com/questions/2707322/what-is-null-in-java


P.S.
If anyone is interested about how it would be to write programs  
based on a Latin-inspired programming language, I recommend this :

https://metacpan.org/pod/distribution/Lingua-Romana-Perligata/lib/Lingua/Romana/Perligata.pm
(in which language it would be very difficult to confuse "==" and "=")

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org








Re: [OT] Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread James H. H. Lampert

On 4/6/21 9:11 AM, Olaf Kock wrote:

*Everybody* has a dedicated testing system. Always!

*Some* are lucky that they have a completely separate production system.


We expect disk drives to fail. So we plan for it, using some form of 
RAID (full mirroring in my case).


And so the power supply fails instead.

Also:

The likelihood of a power supply failure is inversely proportional to 
its maintenance accessibility.


--
JHHL




Re: [OT] Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread Christopher Schultz

Olaf,

On 4/6/21 12:11, Olaf Kock wrote:


On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:


Shortcut :
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls


That reminds me of the common wisdom in System Administration:

*Everybody* has a dedicated testing system. Always!

*Some* are lucky that they have a completely separate production system.


That's ... amazing.

http://www.quickmeme.com/meme/2gs6

-chris




Re: [OT] programming style or mental process ?

2021-04-06 Thread Christopher Schultz

Konstantin,

On 4/6/21 06:41, Konstantin Kolinko wrote:

Sun, 4 Apr 2021 at 13:24, André Warnier (tomcat/perl) :


Hi.
I have a question which may be totally off-topic for this list, but this has been puzzling
me for a while and I figure that someone here may be able to provide some clue as to the
answer, or at least some interesting points of view.

In various places (including on this list), I have seen multiple occurrences of a certain
way to write a test, namely :

if (null == request.getCharacterEncoding()) {

as opposed to

if (request.getCharacterEncoding() == null) {

Granted, the two are equivalent in the end.


Some programming languages have rules, in what order an expression is
evaluated. E.g. the left side is evaluated first, the result is stored
in a register (memory) of a CPU, then the right side is evaluated and
the result is stored, then it is followed by a comparison and a
conditional jump. Thus the two variants are not equivalent.

(Well, as null is a zero and not really a specific value, maybe it
does not need evaluation and a memory register to store it.)


JVM uses a stack and not registers, but of course many architectures 
(like most RISC) do use registers under the hood, so there is a bit of 
mapping here and there, at multiple levels. Then x86 is accumulator-based 
but also has a few registers, and that number grows with each processor 
revision.


Anyhow, Java bytecode has primitives for loading null values onto the 
stack, so it both has a definite value (probably 0, I've never bothered 
to dig into it too much) and it is definitely loaded into registers 
(well, onto the stack).


Further, JLS says that class members without explicit definitions get 
whatever the equivalent of "0" is in their data type. References are 
assigned "null", so null is probably == 0, though they could go 
old-school and use 0xdeadbeef like some C compilers back in the day.



In Java the Java Language Specification dictates the evaluation order,
"15.7.1 Evaluate Left-Hand Operand First". I vaguely remember that in
the C language the evaluation order in such expressions is
unspecified.

https://docs.oracle.com/javase/specs/

If one side of an expression can have unexpected side effects (like a
function call or a null pointer dereference can have), I prefer them
to be evaluated first. Thus my preference is for
"(request.getCharacterEncoding() == null)".


Otherwise, another point of view to consider is readability of the
code. If the function call is some lengthy expression, " (null ==
request.getCharacterEncoding()) " may be more readable when formatting
the code results in wrapping the lengthy expression, splitting it into
several lines.


I think that I should also mention the well-known construct when a
comparison is done by calling the "equals()" method on some constant
value:

CONSTANT_VALUE.equals(someFunction())

In this case the "CONSTANT_VALUE" is known to be non-null, and thus
calling its method cannot result in a NullPointerException. (In more
complex cases the static method "Objects.equals()" helps to compare
two values in a null-aware way).


In a way, this makes "null == thing" more consistent, because null is 
the constant in this case. You can't call null.equals(), of course, but 
it's the same idea... though for the opposite reason: in your case, you 
want to avoid both NPE and needless null-avoidance code.


-chris




[OT] Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread Olaf Kock


On 06.04.21 11:53, André Warnier (tomcat/perl) wrote:
>
> Shortcut :
> - comment-out the AJP Connector in the tomcat configuration
> - restart tomcat
> - and wait for desperate support calls
>
That reminds me of the common wisdom in System Administration:

*Everybody* has a dedicated testing system. Always!

*Some* are lucky that they have a completely separate production system.


(lost the source)





Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread Christopher Schultz

André,

On 4/6/21 05:53, André Warnier (tomcat/perl) wrote:

On 06.04.2021 00:45, James H. H. Lampert wrote:

On 4/5/21 1:22 PM, Christopher Schultz wrote:
If you are not running a reverse-proxy in front of Tomcat, then it 
does absolutely nothing for you.


If you *are* running a reverse-proxy in front of Tomcat, then it 
*may* do something for you, depending upon what software you are 
using and what its configuration is.


Thanks.

Hmm. We have *something* on one of our cloud servers, that has Tomcat 
sitting behind httpd (on the same box), and we have load balancing 
(through a couple of AWS Beanstalks) on our cloud-based product, but I 
don't know if the AJP port is involved in any of that.




I don't know about AWS Beanstalks


They almost certainly do not support AJP.

but for Apache httpd, there are some 
tell-tale configuration directives in the Apache httpd configuration 
files, which - if present - will tell you if Apache httpd is 
communicating with the back-end tomcat using the AJP protocol (and hence 
tomcat's AJP Connector).

Look for either of :
- ProxyPass instructions mentioning "AJP:"
- SetHandler jakarta-servlet
- JkMount
(case does generally not matter)


+1


Shortcut :
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls


:)

(*) This is not a critic : it is very flexible that way; it's just a bit 
more work to search for the right files.


You can also run httpd and have it dump the list of all included files:

$ apachectl -t -D DUMP_INCLUDES

It seems silly that "apachectl" doesn't have a 
"--dump-effective-configuration" option which just dumps out EVERYTHING, 
as httpd would see the complete configuration.


-chris




Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread Konstantin Kolinko
Mon, 5 Apr 2021 at 21:59, James H. H. Lampert :
>
> We've just gotten a complaint about a vulnerability involving AJP (to
> something called "Ghostcat") from a customer. The report from the
> security consultant recommends updating to a more recent version of
> Tomcat, and I note that we've already started rolling out 7.0.108 to
> customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port
> 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

A well-configured instance of Apache Tomcat should serve requests
either over "http:"/"https:" or over "ajp:", but not both. The clients
for http: protocol are web browsers. The clients for AJP protocol are
web servers (proxies).

See also
https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
https://en.wikipedia.org/wiki/Apache_JServ_Protocol

Best regards,
Konstantin Kolinko




Re: [OT] programming style or mental process ?

2021-04-06 Thread Konstantin Kolinko
Sun, 4 Apr 2021 at 13:24, André Warnier (tomcat/perl) :
>
> Hi.
> I have a question which may be totally off-topic for this list, but this has been puzzling
> me for a while and I figure that someone here may be able to provide some clue as to the
> answer, or at least some interesting points of view.
>
> In various places (including on this list), I have seen multiple occurrences of a certain
> way to write a test, namely :
>
>    if (null == request.getCharacterEncoding()) {
>
> as opposed to
>
>    if (request.getCharacterEncoding() == null) {
>
> Granted, the two are equivalent in the end.

Some programming languages have rules, in what order an expression is
evaluated. E.g. the left side is evaluated first, the result is stored
in a register (memory) of a CPU, then the right side is evaluated and
the result is stored, then it is followed by a comparison and a
conditional jump. Thus the two variants are not equivalent.

(Well, as null is a zero and not really a specific value, maybe it
does not need evaluation and a memory register to store it.)

In Java the Java Language Specification dictates the evaluation order,
"15.7.1 Evaluate Left-Hand Operand First". I vaguely remember that in
the C language the evaluation order in such expressions is
unspecified.

https://docs.oracle.com/javase/specs/

If one side of an expression can have unexpected side effects (like a
function call or a null pointer dereference can have), I prefer them
to be evaluated first. Thus my preference is for
"(request.getCharacterEncoding() == null)".


Otherwise, another point of view to consider is readability of the
code. If the function call is some lengthy expression, " (null ==
request.getCharacterEncoding()) " may be more readable when formatting
the code results in wrapping the lengthy expression, splitting it into
several lines.


I think that I should also mention the well-known construct when a
comparison is done by calling the "equals()" method on some constant
value:

   CONSTANT_VALUE.equals(someFunction())

In this case the "CONSTANT_VALUE" is known to be non-null, and thus
calling its method cannot result in a NullPointerException. (In more
complex cases the static method "Objects.equals()" helps to compare
two values in a null-aware way).

Best regards,
Konstantin Kolinko




Re: What exactly does the AJP connector on 8009 do?

2021-04-06 Thread tomcat/perl

On 06.04.2021 00:45, James H. H. Lampert wrote:

On 4/5/21 1:22 PM, Christopher Schultz wrote:
If you are not running a reverse-proxy in front of Tomcat, then it does absolutely 
nothing for you.


If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for 
you, depending upon what software you are using and what its configuration is.


Thanks.

Hmm. We have *something* on one of our cloud servers, that has Tomcat sitting behind httpd 
(on the same box), and we have load balancing (through a couple of AWS Beanstalks) on our 
cloud-based product, but I don't know if the AJP port is involved in any of that.




I don't know about AWS Beanstalks, but for Apache httpd, there are some tell-tale 
configuration directives in the Apache httpd configuration files, which - if present - 
will tell you if Apache httpd is communicating with the back-end tomcat using the AJP 
protocol (and hence tomcat's AJP Connector).

Look for either of :
- ProxyPass instructions mentioning "AJP:"
- SetHandler jakarta-servlet
- JkMount
(case does generally not matter)

(Note that under Linux(es), your Apache httpd config files may be spread in small chunks 
all over the place, generally in locations such as "/etc/apache2/*" or "/etc/httpd/*") (*)

 Relevant documentation is available here :
1) http://tomcat.apache.org/connectors-doc/
2) http://tomcat.apache.org/connectors-doc/reference/apache.html
3) http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
4) (more complicated cases) 
http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#rewriterule

Also, if Apache httpd uses AJP to communicate with tomcat, then either one of these Apache 
httpd add-on modules will be loaded and configured :

- mod_jk
- mod_proxy_ajp
To find out which modules are loaded by Apache httpd, use the following command :
# apache2ctl -M
(Note that the mere fact that a module is loaded, does not necessarily mean that it is 
being *used*; but if neither of them is loaded, then you can be pretty sure that Apache 
httpd is NOT using AJP)


Shortcut :
- comment-out the AJP Connector in the tomcat configuration
- restart tomcat
- and wait for desperate support calls



(*) This is not a critic : it is very flexible that way; it's just a bit more work to 
search for the right files.
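
The checks described in this thread (the three directives listed above, the two AJP modules, and the note that a loaded module is not necessarily a used one), as an added shell example that is not part of the original messages. It goes slightly beyond the list by flagging any non-comment line containing `ajp://`, which also covers `BalancerMember` and `RewriteRule` targets; the function names, the sample tree and its paths are constructed for illustration, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: audit an Apache httpd config tree for AJP use.
# Function names and the sample tree are constructed for illustration.

# Non-comment lines that hand requests to Tomcat over AJP (file:line:text).
# -i: case generally does not matter; -R follows the symlinks Debian uses in
# *-enabled; *-available is skipped because it holds disabled config too.
ajp_directives() {
    grep -RIniE --exclude-dir='*-available' \
        -e '^[[:space:]]*[^#[:space:]].*ajp://' \
        -e '^[[:space:]]*SetHandler[[:space:]]+"?jakarta-servlet' \
        -e '^[[:space:]]*JkMount[[:space:]]' \
        "$1"
}

# LoadModule lines for the two httpd modules that speak AJP.
ajp_modules() {
    grep -RIniE --exclude-dir='*-available' \
        '^[[:space:]]*LoadModule[[:space:]]+(jk_module|proxy_ajp_module)[[:space:]]' \
        "$1"
}

# in-use: a routing directive exists; loaded-only: a module is loaded but
# nothing routes to it; absent: neither was found in the scanned tree.
ajp_verdict() {
    if ajp_directives "$1" >/dev/null; then
        echo in-use
    elif ajp_modules "$1" >/dev/null; then
        echo loaded-only
    else
        echo absent
    fi
}

# Constructed sample tree: one live AJP ProxyPass, one commented-out one.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/conf.modules.d"
    printf '%s\n' 'LoadModule proxy_ajp_module modules/mod_proxy_ajp.so' \
        > "$d/conf.modules.d/00-proxy.conf"
    printf '%s\n' '# ProxyPass "/old" "ajp://localhost:8009/old"' \
        '<Location "/app">' \
        '    ProxyPass "ajp://localhost:8009/app"' \
        '</Location>' > "$d/conf.d/app.conf"
    echo "$d"
}

# Usage: sh ajp_audit.sh /etc/httpd   (or /etc/apache2)
if [ $# -gt 0 ]; then
    ajp_directives "$1" || true
    ajp_modules "$1" || true
    echo "verdict: $(ajp_verdict "$1")"
fi
```

A verdict of `absent` only covers files under the scanned directory; `apache2ctl -M` from the message above remains the check for what the running httpd actually loads.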





Re: [OT] programming style or mental process ?

2021-04-06 Thread tomcat/perl

On 05.04.2021 14:37, Christopher Schultz wrote:
Or, more literarily, given that the syntax of most (all?) programming languages is based 
on English (if, then, else, new, for, while, until, exit, continue, etc.), we (*) do 
normally ask "is your coffee cold ?" and not "is cold your coffee ?".


On the other hand, in English, coffee which is not hot is called "cold coffee" but in e.g. 
Spanish, it's "coffee cold".


To nitpick, in Spanish one would rather say "cafe frio".
But that's a bit beside the point since - as mentioned above - most currently fashionable 
programming languages are based on English.

Nevertheless, just for the sake of it, and in some imaginary situation
in which the Java syntax would be based on Spanish, one would probably have this :

  si (nada == requerimiento.obtengaCodificaciónCarácteros()) entonces {

  } sino {

  }

as opposed to

   si (requerimiento.obtengaCodificaciónCarácteros() == nada) entonces {

  } sino {

  }

.. which makes it even more striking that the first form deviates from the human language, 
because "nothing" cannot really be equal to anything, and thus the first form should 
always evaluate to false. (*)


(Which would also lead to more concise Java programs, because if you already know the 
answer, then you don't even need to make the test in the first place.)


On the other hand, this provides an interesting insight into English-speaking people's 
thought processes, for example as to the expression "nothing matches a good coffee in the 
morning", which is undoubtedly evaluated as true by many, although logically it cannot be.


:-)


(*) actually, this appears to be false : in Java, (null == null) is true.
See here for an in-depth discussion : 
https://stackoverflow.com/questions/2707322/what-is-null-in-java


P.S.
If anyone is interested about how it would be to write programs based on a Latin-inspired 
programming language, I recommend this :

https://metacpan.org/pod/distribution/Lingua-Romana-Perligata/lib/Lingua/Romana/Perligata.pm
(in which language it would be very difficult to confuse "==" and "=")
