RE: Tomcat closes connections on unexpected status codes

2024-04-19 Thread Harri Pesonen
I have developed a RESTful web service, which uses HTTP response codes 200 OK, 
201 Created, 204 No Content and 404 Not Found.
It does not use 400 Bad Request or 500 Internal Server Error normally.
400 Bad Request is more common than 500 Internal Server Error, which should 
basically never happen.
400 Bad Request is the best response in many cases, if the client gives some query 
parameter which is not supported by the application logic.
I think that it would be better not to close the connection in this case, if the 
error comes from the application.
I wonder if there is an option for the application to define whether the connection should be 
closed or not after the response has been sent? 
Or is the option only from the client?

For me this 404 Not Found is also a small problem, as it is an error, but it can 
happen quite often.
HTTP errors are not nice in logs.
Normally if you try to fetch some RESTful resource which does not exist, then 
it returns 404 Not Found.
GET /service/resource/id => 404 Not Found
If I now had an option to rewrite the service, I would probably use 204 No 
Content in this case as well, to avoid errors.
204 No Content is normally used with PUT and DELETE requests.

-Harri

-Original Message-
From: Christopher Schultz  
Sent: Friday, 19 April 2024 14.27
To: users@tomcat.apache.org
Subject: Re: Tomcat closes connections on unexpected status codes

Mark,

On 4/18/24 11:38, Mark Thomas wrote:
> On 18/04/2024 15:16, Adwait Kumar Singh wrote:
>> I think we should *always* close connections in cases where it can 
>> lead to request smuggling vulnerabilities like when there is an error 
>> during header or request line parsing, but allowing the user to 
>> control connection close when the status is being set by the user, 
>> should be safe?
> 
> I'm not (yet) convinced distinguishing between those scenarios is 
> always going to be possible.
> 
>> It allows users to send back responses like InvalidInputException 
>> with a
>> 400 status without being forced to close the connection.
> 
> I appreciate why a 400 is used here but 400 has always struck me as 
> more for protocol level issues rather than application level issues.

Didn't someone tell me recently that, technically, ANY client-error is allowed 
to trigger a 400 response without being more specific?

> That is the fundamental problem here. The status codes are being used 
> for two completely different purposes.

+1

I've always found it distasteful when REST services do this. To me, 400 means 
"the request was actually malformed". If you need authentication, that's a 401. 
If you aren't allowed, that's 403. If you didn't provide a required header, 
that's a 412, etc. I've usually found the "correct" 
response code to use for every situation and I've never written an application 
that returns a 400 response directly.

-chris

>> On Thu, Apr 18, 2024 at 6:41 AM Rémy Maucherat  wrote:
>>
>>> On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas  wrote:
>>>>
>>>> On 18/04/2024 09:07, Stefan Ansing wrote:
>>>>> Hi,
>>>>>
>>>>> We've observed some unexpected behaviour in Apache Tomcat (version
>>>>> 10.1.19) where we see that HTTP/1.1 connections are closed whenever a
>>>>> servlet application returns the following status codes: 400, 408,
>>>>> 411, 414, 500, 503, 501. This causes client applications to rapidly
>>>>> reconnect and induce high server-side CPU load due to doing TLS
>>>>> handshakes.
>>>>>
>>>>> The 400 and 500 status codes are commonly used in RESTful
>>>>> microservices to communicate errors. Reviewing RFC 9112 I couldn't
>>>>> find any requirement for closing connections on these status codes.
>>>>>
>>>>> After testing with Undertow (version 2.3.12), where we didn't see
>>>>> the same behaviour, we believe that these status codes do not
>>>>> necessitate a new connection.
>>>>
>>>> The Tomcat developers disagree. Connections are closed after these
>>>> status codes to avoid various forms of request smuggling attacks.
>>>>
>>>>> Checking the Tomcat sources makes me believe that the behaviour is
>>>>> hard-coded[1]. I'm reaching out here to re-evaluate the list of
>>>>> status codes and to discuss the possibilities of making the
>>>>> behaviour configurable.
>>>>
>>>> Making this list of status codes configurable seems reasonable. The
>>>> default can stay as current and if users want to change it then
>>>> they have to accept the associated security risks.
>>>
>>> If it's insecure, then it would still be a valid CVE even if the
>>> configuration is optional. We don't have an "allowSmuggling"
>>> attribute on the connector to relax header or status line parsing,
>>> even though many would have wanted it in the past ...
>>>
>>> Rémy
>>>
>>>> Mark
>>>>
>>>>>
>>>>> A colleague of mine reported a bug for this issue:
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=68901

RE: Tomcat Internal Architect for JSP compilation?

2024-03-22 Thread Harri Pesonen
Linux has "auditd" tool to log file system changes:

https://www.redhat.com/sysadmin/configure-linux-auditing-auditd

-Harri

-Original Message-
From: Subodh Joshi 
Sent: Friday, 22 March 2024 7.36
To: Tomcat Users List 
Subject: Re: Tomcat Internal Architect for JSP compilation?


Hi Chris

Thanks for your response.

So I added the below property in the application.properties file:

> spring.mvc.cache-control.cache-allowed=false

and then deleted the /tmp/tomcat directory. So now when I restart the
server, only A.jsp fails with a 500 error (ClassNotFoundException), as this is the first 
page which I was trying to load; the rest of the JSP pages are working fine without any issue.

Why am I doing this exercise?
In some of our deployed Linux environments many clients are complaining 
about this issue. We tried to monitor who is actually deleting the /tmp/tomcat 
folder, but we are still not able to figure it out and we are not able to 
reproduce it. So I have to reproduce it by manually deleting the /tmp/tomcat 
directory.

thanks & regards

On Thu, Mar 21, 2024 at 7:24 PM Christopher Schultz < 
ch...@christopherschultz.net> wrote:

> Subodh,
>
> On 3/21/24 07:32, Subodh Joshi wrote:
> >   Expert,
> >
> > Recently i came across a issue and i was getting no clue what was
> > going on wrong with the Application.
> >
> > So here is the issue , we were getting following issue in our web
> > application(Springboot+Embedded Tomcat) which is deployed into Linux
> > machine
> >
> >> java.lang.ClassNotFoundException: org.apache.jsp.WEB_002dINF.jsp.ImportTab_jsp
> >>  at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
> >>  at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:129)
> >>  at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:58)
> >>  at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:151)
> >>  at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:189)
> >>  at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410)
> >>  at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> >>  at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> >>  at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> >>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205)
> >>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
> >>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
> >>  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
> >>  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>  at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
> >>  at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
> >>  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
> >>  at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
> >>  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>  at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
> >>  at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
> >>  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>  at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
> >>  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>  at
> >>
> 

RE: When does Tomcat add and remove threads?

2024-03-13 Thread Harri Pesonen
Yes, the standard JDK ThreadPoolExecutor behavior is bad.
Here is a good thread describing how to fix ThreadPoolExecutor to behave how it 
should.

https://stackoverflow.com/questions/19528304/how-to-get-the-threadpoolexecutor-to-increase-threads-to-max-before-queueing

Obviously Tomcat had to do a similar thing.
I wish that the JDK would add some kind of easy option to ThreadPoolExecutor to add 
more threads instead of adding to the queue when all existing threads are busy, 
because the current behavior does not make sense.

-Harri

-Original Message-
From: john.e.gr...@wellsfargo.com.INVALID  
Sent: Tuesday, 12 March 2024 18.54
To: users@tomcat.apache.org
Subject: RE: When does Tomcat add and remove threads?


All,


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, March 12, 2024 8:31 AM
> To: users@tomcat.apache.org
> Subject: Re: When does Tomcat add and remove threads?
>
> John,
>
> On 3/11/24 18:14, john.e.gr...@wellsfargo.com.INVALID wrote:
> > From: Christopher Schultz 
> > Sent: Monday, March 11, 2024 5:09 PM
>  >
> >> On 3/11/24 17:47, john.e.gr...@wellsfargo.com.INVALID wrote:
> >>> I am using Tomcat 9.x.
> >>>
> >>> When does Tomcat add and remove threads from its internal thread 
> >>> pool?  I'm talking about the threads with names like 
> >>> http-nio-8080-exec-1.  It appears the thread pool is Tomcat's own 
> >>> ThreadPoolExecutor but I don't see the exact behavior documented.
> >>> I'm familiar with how java.util.concurrent does it, but it looks 
> >>> like Tomcat's version is a little different.
>  >>
> >> Are you looking for a technical explanation with code references, 
> >> or a plain-English description of when threads are created and 
> >> added? >
> > Mostly plain English like the j.u.c. ThreadPoolExecutor Java doc has.
> > What happens when all core threads are in use?  When do tasks go on 
> > the queue?  When does core thread + 1 get added?  When do threads 
> > get removed?
> Tomcat will create thread pools under two separate circumstances. They 
> are related, but behave somewhat differently.
>
> First, if you declare an <Executor> in your server.xml, then a thread 
> pool will be created. You can control the number of threads and their 
> retention policy such as "keep X spare threads around" and "retire 
> threads after N seconds without being used."
>
> Second, if you declare a <Connector> without specifying an "executor", 
> a thread pool will be configured for you but you don't really have 
> control over it because all those nice configuration options for an 
> <Executor> are not available on the <Connector>. If you want to 
> control those settings, use a <Connector> linked with an <Executor>. 
> To be clear, if you declare a <Connector> without an "executor" 
> attribute, your thread pool will be of a fixed size and threads will 
> never be released. (I think the thread pool starts small and grows but 
> will never shrink.)
>
> An <Executor> is implemented in the StandardThreadExecutor and 
> ThreadPoolExecutor classes, which I believe were adaptations of 
> classes from java.util.concurrent introduced into Tomcat before 
> java.util.concurrent was actually available -- which is why it wasn't 
> used directly in Tomcat. (NB: The ThreadPoolExecutor class in Tomcat 
> contains an "@author Doug Lea" tag. The Tomcat source is licensed 
> under AL2, the JDK source is licensed under GPL2, but the original was 
> released by Doug Lea into the public domain under a CC0
> 1.0 Deed license.)
>
> The re-sizing occurs in the ThreadPoolExecutor class if you'd like to 
> read it. It is not entirely straightforward. You could start by 
> reading the code for the runWorker(Worker w) method where, at the end, 
> processWorkerExit is called.
>
> But since Tomcat's ThreadPoolExecutor is basically Java's 
> ThreadPoolExecutor, they work the same.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

I took matters into my own hands and wrote a test to see what was happening.

Unlike java.util.concurrent.ThreadPoolExecutor, Tomcat's TPE adds threads when 
all core threads are busy.  It only adds tasks to the queue when max threads 
are busy.  I prefer this behavior to the JDK behavior.

Threads are removed when idle for 60 seconds.  This appears to be hard-coded in 
AbstractEndpoint.createExecutor().

Thanks
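
The difference described in this message can be reproduced with the JDK class alone. The following is an added example, not part of the thread and not Tomcat's code: it saturates a stock java.util.concurrent.ThreadPoolExecutor and one using the queue trick from the Stack Overflow link above. The class names, the `GrowFirstQueue` helper and the 2 core / 4 max / 6 task numbers are assumptions chosen for illustration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class PoolGrowthDemo {

    /** Hypothetical queue: refuses offers while the pool is below max, so execute() adds a thread. */
    static final class GrowFirstQueue extends LinkedBlockingQueue<Runnable> {
        private static final long serialVersionUID = 1L;
        private transient volatile ThreadPoolExecutor pool;

        void attach(ThreadPoolExecutor pool) {
            this.pool = pool;
        }

        @Override
        public boolean offer(Runnable task) {
            ThreadPoolExecutor p = pool;
            if (p != null && p.getPoolSize() < p.getMaximumPoolSize()) {
                // Looks like "queue full" to execute(), which then tries to start a new worker.
                return false;
            }
            return super.offer(task);
        }

        /** Used by the rejection handler when a new worker could not be started after all. */
        boolean forceOffer(Runnable task) {
            return super.offer(task);
        }
    }

    /** Stock JDK behaviour: unbounded queue, so the pool never grows past core. */
    static ThreadPoolExecutor jdkDefault(int core, int max) {
        return new ThreadPoolExecutor(core, max, 60, TimeUnit.SECONDS, new LinkedBlockingQueue<>());
    }

    /** Grow-to-max-first behaviour: threads are added before anything is queued. */
    static ThreadPoolExecutor growFirst(int core, int max) {
        GrowFirstQueue queue = new GrowFirstQueue();
        ThreadPoolExecutor pool = new ThreadPoolExecutor(core, max, 60, TimeUnit.SECONDS, queue,
                (task, executor) -> {
                    // Reached when offer() said no but the pool was already at max: queue for real.
                    if (executor.isShutdown() || !queue.forceOffer(task)) {
                        throw new RejectedExecutionException("pool is shut down");
                    }
                });
        queue.attach(pool);
        return pool;
    }

    /** Submits blocking tasks and returns {threads, queued} measured while all of them are blocked. */
    static int[] saturate(ThreadPoolExecutor pool, int tasks) throws InterruptedException {
        CountDownLatch release = new CountDownLatch(1);
        try {
            for (int i = 0; i < tasks; i++) {
                pool.execute(() -> {
                    try {
                        release.await();
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                    }
                });
            }
            return new int[] { pool.getPoolSize(), pool.getQueue().size() };
        } finally {
            release.countDown();
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        int[] jdk = saturate(jdkDefault(2, 4), 6);
        int[] grow = saturate(growFirst(2, 4), 6);
        System.out.printf("JDK default: threads=%d queued=%d%n", jdk[0], jdk[1]);
        System.out.printf("grow-first : threads=%d queued=%d%n", grow[0], grow[1]);
    }
}
```

With these numbers the stock pool stays at its 2 core threads and queues the other 4 tasks, while the grow-first pool reaches 4 threads before queuing the remaining 2.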



RE: java.lang.InternalError: Unexpected CryptoAPI failure generating seed

2023-04-24 Thread Harri Pesonen
Thanks.
This has quite a good explanation of the issue:
https://www.baeldung.com/java-security-egd

It seems that there is no easy workaround for this in Windows at least.
The problem is with entropy; the native Windows random number generator does not 
always have enough randomness available.
I think that the JDK should catch this error and have some fallback mechanism to 
generate a random seed from process ID, UTC time and ticks, for example.

-Harri

-Original Message-
From: Thomas Worster  
Sent: Friday, 21 April 2023 22.04
To: Tomcat Users List 
Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating 
seed


That document is mostly about a corrupted install in Weblogic, but after that, 
it suggests making sure you are using the urandom (non-blocking) random number 
generator.  If you're using the blocking RNG, it would explain why the issue is 
not easily repeatable.

-Djava.security.egd=file:/dev/./urandom

I can't recall if the format of that string is the same in Windows, but it 
should be similar.

Tom

On Fri, Apr 21, 2023 at 2:15 PM Christopher Schultz < 
ch...@christopherschultz.net> wrote:

> Harri,
>
> On 4/21/23 04:39, Harri Pesonen wrote:
> > No, I think that I have seen this only once now, but of course it
> > might have happened more than once.
> > Googling says that other people have seen this as well, but very
> > randomly.
> > Apparently the problem happens in Windows function, but JNI call
> > does not tell the reason for failure.
> > This happened in AWS cloud, perhaps the server was busy or something.
> > Or there is some kind of bug in JDK.
> > Probably this would need JDK developer to look at.
> > There might be solution here:
> > https://support.oracle.com/knowledge/Middleware/1492450_1.html#FIX
> > But I can't see it.
>
> I can't see it, either; I'm not an Oracle customer.
>
>
> If this is rare, and Tomcat can't really do anything about it, I would 
> say "monitor your servers and restart them if necessary."
>
> Sorry... it doesn't look like we really have any other choices, here.
>
> -chris
>
> > -Original Message-
> > From: Christopher Schultz 
> > Sent: Thursday, 20 April 2023 19.35
> > To: users@tomcat.apache.org
> > Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure
> > generating seed
> >
> > Harri,
> >
> > On 4/18/23 07:43, Harri Pesonen wrote:
> >> Hello, we have:
> >>
> >> Tomcat/8.5.83
> >> Windows Server 2016
> >> java.version=11.0.12
> >> java.vendor=Azul Systems, Inc.
> >> sun.arch.data.model=64
> >>
> >> Sometimes Tomcat fails to start our application because of this error:
> >>
> >> 06:45:58.230 ERR> (Catalina-startStop-1) (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for multi-thread deployment of deployment descriptors to complete
> >> java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
> >>    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
> >>    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
> >>    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
> >>    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
> >>    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
> >>    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
> >>    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> >>    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
> >>    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)

RE: java.lang.InternalError: Unexpected CryptoAPI failure generating seed

2023-04-21 Thread Harri Pesonen
No, I think that I have seen this only once now, but of course it might have 
happened more than once.
Googling says that other people have seen this as well, but very randomly.
Apparently the problem happens in a Windows function, but the JNI call does not tell 
the reason for the failure.
This happened in the AWS cloud; perhaps the server was busy or something.
Or there is some kind of bug in the JDK.
Probably this would need a JDK developer to look at.
There might be a solution here:
https://support.oracle.com/knowledge/Middleware/1492450_1.html#FIX
But I can't see it.

-Harri

-Original Message-
From: Christopher Schultz  
Sent: Thursday, 20 April 2023 19.35
To: users@tomcat.apache.org
Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating 
seed

Harri,

On 4/18/23 07:43, Harri Pesonen wrote:
> Hello, we have:
> 
> Tomcat/8.5.83
> Windows Server 2016
> java.version=11.0.12
> java.vendor=Azul Systems, Inc.
> sun.arch.data.model=64
> 
> Sometimes Tomcat fails to start our application because of this error:
> 
> 06:45:58.230 ERR> (Catalina-startStop-1) 
> (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for 
> multi-thread deployment of deployment descriptors to complete
> java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected 
> CryptoAPI failure generating seed
>   at 
> java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
>   at 
> java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
>   at 
> org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
>   at 
> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
>   at 
> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
>   at 
> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
>   at 
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>   at 
> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>   at 
> org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>   at 
> org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:962)
>   at 
> org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:833)
>   at 
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
>   at 
> org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
>   at 
> java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>   at 
> java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>   at 
> java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>   at 
> java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: java.lang.InternalError: Unexpected CryptoAPI failure generating 
> seed
>   at 
> java.base/sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:62)
>   at 
> java.base/sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
>   at 
> java.base/sun.security.provider.SecureRandom$SeederHolder.(SecureRandom.java:204)
>   at 
> java.base/sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:222)
>   at 
> java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:751)
>   at 
> java.base/java.security.SecureRandom.next(SecureRandom.java:808)
>   at 
> java.base/java.util.Random.nextInt(Random.java:329)
>   at 
> org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom(SessionIdGeneratorBase.java:290)
>   at 
> org.apache.catalina.util.SessionIdGeneratorBase.getRandomBytes(SessionIdGeneratorBase.java:222)
>   at 
> org.apache.catalina.util.StandardSessionIdGenerator.generateSessionId(StandardSessionIdGenerator.java:34)
>   at 
> or

java.lang.InternalError: Unexpected CryptoAPI failure generating seed

2023-04-18 Thread Harri Pesonen
Hello, we have:

Tomcat/8.5.83
Windows Server 2016
java.version=11.0.12
java.vendor=Azul Systems, Inc.
sun.arch.data.model=64

Sometimes Tomcat fails to start our application because of this error:

06:45:58.230 ERR> (Catalina-startStop-1) 
(org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for 
multi-thread deployment of deployment descriptors to complete
java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected 
CryptoAPI failure generating seed
 at 
java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
 at 
java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
 at 
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
 at 
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
 at 
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
 at 
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
 at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
 at 
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
 at 
org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
 at 
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:962)
 at 
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:833)
 at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
 at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
 at 
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
 at 
java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
 at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
 at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
 at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
 at 
java.base/sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:62)
 at 
java.base/sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
 at 
java.base/sun.security.provider.SecureRandom$SeederHolder.(SecureRandom.java:204)
 at 
java.base/sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:222)
 at 
java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:751)
 at 
java.base/java.security.SecureRandom.next(SecureRandom.java:808)
 at 
java.base/java.util.Random.nextInt(Random.java:329)
 at 
org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom(SessionIdGeneratorBase.java:290)
 at 
org.apache.catalina.util.SessionIdGeneratorBase.getRandomBytes(SessionIdGeneratorBase.java:222)
 at 
org.apache.catalina.util.StandardSessionIdGenerator.generateSessionId(StandardSessionIdGenerator.java:34)
 at 
org.apache.catalina.util.SessionIdGeneratorBase.generateSessionId(SessionIdGeneratorBase.java:214)
 at 
org.apache.catalina.util.SessionIdGeneratorBase.startInternal(SessionIdGeneratorBase.java:310)
 at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
 at 
org.apache.catalina.session.ManagerBase.startInternal(ManagerBase.java:670)
 at 
org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:352)
 at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
 at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5250)
 at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
 at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
 at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
 at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:695)
 at 

RE: java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation

2023-03-20 Thread Harri Pesonen
I think that I understand.
I need to change Servlet API from 3.1 to 4.0.
I was thinking that we can still use 3.1, and 4.0 would be compatible.

https://tomcat.apache.org/whichversion.html

Servlet Spec | JSP Spec | EL Spec | WebSocket Spec | Authentication (JASPIC) Spec | Apache Tomcat Version | Latest Released Version | Supported Java Versions
6.1          | 4.0      | 6.0     | TBD            | TBD                          | 11.0.x                | 11.0.0-M4 (alpha)       | 17 and later
6.0          | 3.1      | 5.0     | 2.1            | 3.0                          | 10.1.x                | 10.1.7                  | 11 and later
5.0          | 3.0      | 4.0     | 2.0            | 2.0                          | 10.0.x (superseded)   | 10.0.27 (superseded)    | 8 and later
4.0          | 2.3      | 3.0     | 1.1            | 1.1                          | 9.0.x                 | 9.0.73                  | 8 and later
3.1          | 2.3      | 3.0     | 1.1            | 1.1                          | 8.5.x                 | 8.5.87                  | 7 and later
-Harri

-Original Message-
From: Rémy Maucherat  
Sent: Monday, 20 March 2023 16.10
To: Tomcat Users List 
Subject: Re: java.lang.AbstractMethodError: Receiver class 
org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit 
an implementation

On Mon, Mar 20, 2023 at 1:59 PM Harri Pesonen  wrote:
>
> Hello,
>
> I changed:
>
>   *   source code target from Java 8 to Java 11
>   *   Tomcat from 8.5 to 9.0.73
>   *   Java runtime from Java 11 to Java 17
> and now I see extra error in Tomcat log, which did not happen before:

The Servlet API was changed so that in the HttpSessionListener interface the 
sessionCreated method is now a "default". So something is not right in this 
area after your upgrade.

Rémy

>
> (http-nio-8080-exec-8) 
> (org.apache.catalina.session.StandardSession#tellNew) Session event 
> listener threw exception
> java.lang.AbstractMethodError: Receiver class 
> org.apache.tomcat.websocket.server.WsSessionListener does not define or 
> inherit an implementation of the resolved method 'abstract void 
> sessionCreated(javax.servlet.http.HttpSessionEvent)' of interface 
> javax.servlet.http.HttpSessionListener.
>  at 
> org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:390)
>  at 
> org.apache.catalina.session.StandardSession.setId(StandardSession.java:363)
>  at 
> org.apache.catalina.session.StandardSession.setId(StandardSession.java:342)
>  at 
> org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:763)
>  at 
> org.apache.catalina.connector.Request.doGetSession(Request.java:3008)
>  at 
> org.apache.catalina.connector.Request.getSession(Request.java:2422)
>  at 
> org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:650)
>  at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at 
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>  at 
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>  at 
> java.base/java.lang.reflect.Method.invoke(Method.java:568)
>  at 
> org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
>  at 
> org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
>  at 
> org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
>  at 
> org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
>  at 
> jdk.proxy4/jdk.proxy4.$Proxy72.getSession(Unknown Source)
>  at 
> com.sap.cctr.ri.context.AuthenticationFilter.filter(AuthenticationFilter.java:341)
>  at 
> org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)
>  at 
> org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44)
>  at 
> org.glassfish.jersey.process.internal.Stages.process(Stages.java:173)
>  at 
> org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:248)
>  at 
> org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>  at 
> org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>  at 
> org.glassfish.jersey.internal.Errors.process(Error

java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation

2023-03-20 Thread Harri Pesonen
Hello,

I changed:

  *   source code target from Java 8 to Java 11
  *   Tomcat from 8.5 to 9.0.73
  *   Java runtime from Java 11 to Java 17
and now I see extra error in Tomcat log, which did not happen before:

(http-nio-8080-exec-8) (org.apache.catalina.session.StandardSession#tellNew) 
Session event listener threw exception
java.lang.AbstractMethodError: Receiver class 
org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit 
an implementation of the resolved method 'abstract void 
sessionCreated(javax.servlet.http.HttpSessionEvent)' of interface 
javax.servlet.http.HttpSessionListener.
 at 
org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:390)
 at 
org.apache.catalina.session.StandardSession.setId(StandardSession.java:363)
 at 
org.apache.catalina.session.StandardSession.setId(StandardSession.java:342)
 at 
org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:763)
 at 
org.apache.catalina.connector.Request.doGetSession(Request.java:3008)
 at 
org.apache.catalina.connector.Request.getSession(Request.java:2422)
 at 
org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:650)
 at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
 at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at 
java.base/java.lang.reflect.Method.invoke(Method.java:568)
 at 
org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
 at 
org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
 at 
org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
 at 
org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
 at 
jdk.proxy4/jdk.proxy4.$Proxy72.getSession(Unknown Source)
 at 
com.sap.cctr.ri.context.AuthenticationFilter.filter(AuthenticationFilter.java:341)
 at 
org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)
 at 
org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44)
 at 
org.glassfish.jersey.process.internal.Stages.process(Stages.java:173)
 at 
org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:248)
 at 
org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
 at 
org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
 at 
org.glassfish.jersey.internal.Errors.process(Errors.java:292)
 at 
org.glassfish.jersey.internal.Errors.process(Errors.java:274)
 at 
org.glassfish.jersey.internal.Errors.process(Errors.java:244)
 at 
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
 at 
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
 at 
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
 at 
org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
 at 
org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
 at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
 at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
 at 
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
 at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
 at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
 at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
 at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
 at 

RE: Compatibility, 32 bit ..

2022-10-25 Thread Harri Pesonen
Java 9 dropped 32-bit so it only has 64-bit by default.
Maybe you have Java 8 instead of Java 9.
Check this:

https://www.digitalocean.com/community/tutorials/how-to-install-java-with-apt-on-ubuntu-18-04

Try using Tomcat 8.5 if you want to have 32-bit.

-Harri

-Original Message-
From: John Dale (DB2DOM)  
Sent: Monday, 24 October 2022 22:03
To: Tomcat Users List 
Subject: Re: Compatibility, 32 bit ..

Thank you.

Would you agree with me that this should be an ubuntu bug report?  I installed 
using apt-get.

John


On 10/24/22, Mark Thomas  wrote:
> On 24/10/2022 19:38, John Dale (DB2DOM) wrote:
>> Would Tomcat 10 work with Java 8?
>
> No. Tomcat 10.1.x requires a minimum of Java 11.
>
> Details of Tomcat versions, minimum Java versions and other useful
> information:
>
> https://tomcat.apache.org/whichversion.html
>
> Mark
>
>
>>
>> Thinking I might downgrade the JDK.
>>
>>
>> On 10/24/22, Mark Thomas  wrote:
>>>
>>>
>>> On 24/10/2022 17:00, John Dale (DB2DOM) wrote:
>>>> Hi Mark;
>>>>
>>>> Thanks for taking a look.
>>>>
>>>> Below is more information.
>>>>
>>>> Sincerely,
>>>>
>>>> John Dale, MS MIS
>>>> Spearfish, SD USA
>>>>
>>>> -
>>>>
>>>> Tomcat version: 10.0.27 (unzipped, chmod 770 on catalina.sh before
>>>> cli: catalina.sh run)
>>>> java version: openjdk version "9-internal"
>>>> uname -m: i686
>>>> Ubuntu 18.0.4
>>>>
>>>> First error in logs:
>>>> 24-Oct-2022 09:52:24.411 SEVERE [main] 
>>>> org.apache.tomcat.util.compat.Jre9Compat. Failed to create 
>>>> references to Java 9 classes and methods
>>>>   java.lang.ClassNotFoundException: java.lang.ModuleLayer
>>>
>>> You appear to have a broken JRE. That class should always be present 
>>> in Java 9 onwards.
>>>
>>> Mark
>>>
>>>
>>>>   at
>>>> java.net.URLClassLoader.findClass(java.base@9-internal/URLClassLoader.java:384)
>>>>   at
>>>> java.lang.ClassLoader.loadClass(java.base@9-internal/ClassLoader.java:486)
>>>>   at
>>>> java.lang.ClassLoader.loadClass(java.base@9-internal/ClassLoader.java:419)
>>>>   at
>>>> java.lang.Class.forName0(java.base@9-internal/Native
>>>> Method)
>>>>   at
>>>> java.lang.Class.forName(java.base@9-internal/Class.java:294)
>>>>   at
>>>> org.apache.tomcat.util.compat.Jre9Compat.(Jre9Compat.java:85)
>>>>   at
>>>> org.apache.tomcat.util.compat.JreCompat.(JreCompat.java:72)
>>>>   at
>>>> org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:282)
>>>>   at
>>>> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>>>>   at
>>>> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>>>>   at
>>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
>>>>   at
>>>> org.apache.catalina.startup.Catalina.load(Catalina.java:747)
>>>>   at
>>>> org.apache.catalina.startup.Catalina.load(Catalina.java:769)
>>>>   at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke0(java.base@9-internal/N
>>>> ative
>>>> Method)
>>>>   at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(java.base@9-internal/NativeMethodAccessorImpl.java:62)
>>>>   at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(java.base@9-internal/DelegatingMethodAccessorImpl.java:43)
>>>>   at
>>>> java.lang.reflect.Method.invoke(java.base@9-internal/Method.java:531)
>>>>   at
>>>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
>>>>   at
>>>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
>>>>
>>>>
>>>>
>>>> On 10/24/22, Mark Thomas  wrote:
>>>>> On 24/10/2022 02:01, John Dale (DB2DOM) wrote:
>>>>>> Hi Everyone;
>>>>>>
>>>>>> I've had a few requests to refurbish some old 32 bit dell towers.
>>>>>>
>>>>>> So, I'm throwing ubuntu on them and bringing up a
>>>>>> MySQL->DB2DOM->Tomcat
>>>>>> stack.
>>>>>>
>>>>>> Unfortunately, Tomcat doesn't want to start with openjdk 9 that 
>>>>>> is packaged with 32 bit ubuntu.
>>>>>
>>>>> Tomcat works happily with 32-bit and 64-bit Java.
>>>>>
>>>>>> Can someone give me a pointer to what works best?
>>>>> Perhaps if you told us what Tomcat version you were using and 
>>>>> showed us what the error message was we'd be able to 

RE: Reconfiguring Tomcat application without restart

2022-04-13 Thread Harri Pesonen
Hello, so we have application that should get a new configuration, CORS in this 
case, on the fly, without restarting the application, because it can have 
thousands of active connections.
Currently the configuration is stored in this application configuration file

$CATALINA_HOME/conf/Catalina/localhost/app.xml

and application gets it on startup and implements CORS restrictions. We have a 
need to change the configuration every now and then.
For example, I could possibly read the file once a minute, parse XML etc. and 
update settings, unless Tomcat is prohibiting the file access.
Application does not necessarily know the file path though, so it should be 
hard coded, which would be bad.
Tomcat has the code somewhere to do it, but it is likely an internal class.
We can workaround this by saving the configuration elsewhere, like in Windows 
registry, and read it from there once a minute.
Or we could save it to database.
But currently the configuration is in this deployment descriptor file, so I am 
asking if this has come up before.
Is there any other "standard" way of having mutable configuration for Tomcat 
application?

-Harri

-Original Message-
From: Christopher Schultz  
Sent: Wednesday, 13 April 2022 19:20
To: users@tomcat.apache.org
Subject: Re: Reconfiguring Tomcat application without restart

Harri,

On 4/13/22 07:32, Harri Pesonen wrote:
> Hello, is it possible to change the context file in
> 
> $CATALINA_HOME/conf/Catalina/localhost/app.xml
> 
> so that application would get the new configuration without restarting?

Without restarting... what exactly? And what would you want to change? 
Usually the things in that deployment descriptor are pretty fundamental to how 
the application starts-up, etc.

> I could not find such thing in servlet specification.

The servlet spec doesn't have anything like this in there, but Tomcat does. 
Sort of, depending upon exactly what you are trying to accomplish.

> Or would it be possible to manually read the file from the application, for 
> example once a minute?
> Now the application gets the configuration from init():
> 
> javax.servlet.GenericServlet.java
> 
>  /**
>   * Called by the servlet container to indicate to a servlet that the
>   * servlet is being placed into service.  See {@link Servlet#init}.
>   *
>   * This implementation stores the {@link ServletConfig}
>   * object it receives from the servlet container for later use.
>   * When overriding this form of the method, call
>   * super.init(config).
>   *
>   * @param config  the ServletConfig object that contains
>   *                configuration information for this servlet
>   *
>   * @exception ServletException  if an exception occurs that
>   *                              interrupts the servlet's normal
>   *                              operation
>   *
>   * @see UnavailableException
>   */
>  public void init(ServletConfig config) throws ServletException {
>      this.config = config;
>      this.init();
>  }
> 
> I suppose that getServletConfig() returns the same cached data without 
> re-reading it from disk?
> 
>  /**
>   * Returns this servlet's {@link ServletConfig} object.
>   *
>   * @return ServletConfig  the ServletConfig object
>   *                        that initialized this servlet
>   */
>  public ServletConfig getServletConfig() {
>      return config;
>  }

Can you be more specific about what you want to achieve? I have some ideas, but 
before I send you down a potentially confusing path, it would be good to 
understand your goals.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Reconfiguring Tomcat application without restart

2022-04-13 Thread Harri Pesonen
Hello, is it possible to change the context file in

$CATALINA_HOME/conf/Catalina/localhost/app.xml

so that application would get the new configuration without restarting?
I could not find such thing in servlet specification.
Or would it be possible to manually read the file from the application, for 
example once a minute?
Now the application gets the configuration from init():

javax.servlet.GenericServlet.java

/**
 * Called by the servlet container to indicate to a servlet that the
 * servlet is being placed into service.  See {@link Servlet#init}.
 *
 * This implementation stores the {@link ServletConfig}
 * object it receives from the servlet container for later use.
 * When overriding this form of the method, call
 * super.init(config).
 *
 * @param config  the ServletConfig object that contains
 *                configuration information for this servlet
 *
 * @exception ServletException  if an exception occurs that
 *                              interrupts the servlet's normal
 *                              operation
 *
 * @see UnavailableException
 */
public void init(ServletConfig config) throws ServletException {
    this.config = config;
    this.init();
}

I suppose that getServletConfig() returns the same cached data without 
re-reading it from disk?

/**
 * Returns this servlet's {@link ServletConfig} object.
 *
 * @return ServletConfig  the ServletConfig object
 *                        that initialized this servlet
 */
public ServletConfig getServletConfig() {
    return config;
}

-Harri
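
One way to do the once-a-minute re-read asked about above, applied to the CORS allowlist mentioned in the follow-up; this is an added example, not code from the thread or from Tomcat. The class name ReloadableCorsOrigins, the one-origin-per-line file format and the example.com origins are assumptions, and the file path is passed in rather than hard-coded.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

// Hypothetical helper, not Tomcat API: a CORS origin allowlist re-read from a file.
public final class ReloadableCorsOrigins implements AutoCloseable {
    private final Path file; // assumed format: one origin per line, '#' starts a comment
    private final ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
    // Request threads read one immutable snapshot; a reload swaps the reference.
    private volatile Set<String> allowed = Set.of();
    private FileTime lastSeen;

    public ReloadableCorsOrigins(Path file, long periodSeconds) {
        this.file = file;
        reloadIfChanged();
        timer.scheduleWithFixedDelay(this::reloadIfChanged, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }

    synchronized void reloadIfChanged() {
        try {
            FileTime modified = Files.getLastModifiedTime(file);
            if (modified.equals(lastSeen)) return; // unchanged: nothing to parse
            Set<String> next = new HashSet<>();
            for (String line : Files.readAllLines(file)) {
                String entry = line.trim();
                if (!entry.isEmpty() && !entry.startsWith("#")) {
                    next.add(normalize(entry));
                }
            }
            allowed = Set.copyOf(next);
            lastSeen = modified;
        } catch (IOException | RuntimeException e) {
            // Keep the last good allowlist: a half-written or invalid file must neither
            // widen nor empty it. Catching here also keeps the scheduled task alive.
            System.err.println("CORS reload skipped: " + e);
        }
    }

    // Accepts only a bare http(s) origin (scheme://host[:port]); rejects "*", "null", paths, userinfo.
    static String normalize(String origin) {
        URI u = URI.create(origin); // IllegalArgumentException on syntax errors
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        boolean bare = u.getHost() != null && u.getRawUserInfo() == null && u.getRawQuery() == null
                && u.getRawFragment() == null && (u.getRawPath() == null || u.getRawPath().isEmpty());
        if (!bare || !(scheme.equals("http") || scheme.equals("https"))) {
            throw new IllegalArgumentException("not a bare http(s) origin: " + origin);
        }
        int port = u.getPort();
        boolean defaultPort = port == -1 || port == (scheme.equals("https") ? 443 : 80);
        return scheme + "://" + u.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + port);
    }

    // Exact match against the current snapshot; a missing or malformed Origin is not allowed.
    public boolean isAllowed(String originHeader) {
        try {
            return originHeader != null && allowed.contains(normalize(originHeader));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Call from contextDestroyed() so the timer thread does not outlive the web application.
    @Override public void close() { timer.shutdownNow(); }

    public static void main(String[] args) throws IOException {
        Path file = Files.createTempFile("cors-origins", ".txt"); // constructed sample input
        Files.write(file, List.of("# allowed origins", "https://app.example.com"));
        try (ReloadableCorsOrigins cors = new ReloadableCorsOrigins(file, 60)) {
            System.out.println("app before: " + cors.isAllowed("https://app.example.com"));
            Files.write(file, List.of("https://app.example.com", "https://admin.example.com:8443"));
            Files.setLastModifiedTime(file, FileTime.fromMillis(System.currentTimeMillis() + 1000));
            cors.reloadIfChanged(); // what the timer does once per period
            System.out.println("admin after reload: " + cors.isAllowed("https://admin.example.com:8443"));
            Files.write(file, List.of("*")); // invalid entry: the whole reload is rejected
            Files.setLastModifiedTime(file, FileTime.fromMillis(System.currentTimeMillis() + 2000));
            cors.reloadIfChanged();
            System.out.println("app after bad file: " + cors.isAllowed("https://app.example.com"));
        } finally { Files.deleteIfExists(file); }
    }
}
```

Existing connections are untouched by a reload: only requests that call isAllowed() after the swap see the new allowlist.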



RE: Two context paths to same application

2022-04-05 Thread Harri Pesonen
Ok, it is a bit disappointing that Tomcat does not support this in standard 
webapps folder.
But I found an easy workaround: create Windows junction app#latest that points 
to app#1 folder (both in webapps).

-Harri

-Original Message-
From: Mark Thomas  
Sent: Friday, 1 April 2022 18:46
To: users@tomcat.apache.org
Subject: Re: Two context paths to same application

On 01/04/2022 15:59, Harri Pesonen wrote:
> Hello,
> 
> while reading the documentation in
> https://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming
> it is not clear to me how to achieve the following:
> 
> Have one WAR file with corresponding directory, for example:
> 
> app#1.war => app#1 (directory) => /app/1 (context path)
> 
> But have another context path pointing to same application:
> 
> /app/latest (context path) => app#1 (directory)
> 
> I tried adding  to server.xml inside  like:
> 
> 
> 
> But Tomcat created another directory app#latest from this, and copied app#1 
> there.
> I would like to avoid having duplicate directories.
> 
> Doc says that:
> * To define multiple contexts that use a single WAR file or directory, use 
> one of the options described in the Naming section above for creating a 
> Context that has a path that is not related to the base file name.
> * If you want to deploy a WAR file or a directory using a context path that 
> is not related to the base file name then one of the following options must 
> be used to prevent double-deployment:
> ** Disable autoDeploy and deployOnStartup and define all Contexts in 
> server.xml
> ** Locate the WAR and/or directory outside of the Host's appBase and use a 
> context.xml file with a docBase attribute to define it.
> 
> Don't quite understand what to do.
> Do I need add  also to the existing application:
> 
> 
> 
> Or what does "define all Contexts in server.xml" mean?
> And what does the second option (Locate the WAR...) mean?

The key part is you need to locate the docBase (the web application WAR or 
directory) NOT under the appBase ($CATALINA_BASE/webapps). So something like 
this:

/opt/webapps/myapp-1

and then under $CATALINA_BASE/conf/Catalina/localhost you'll need two context 
files:

myapp#1.xml


myapp#latest.xml


HTH,

Mark




Two context paths to same application

2022-04-01 Thread Harri Pesonen
Hello,

while reading the documentation in
https://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming
it is not clear to me how to achieve the following:

Have one WAR file with corresponding directory, for example:

app#1.war => app#1 (directory) => /app/1 (context path)

But have another context path pointing to same application:

/app/latest (context path) => app#1 (directory)

I tried adding  to server.xml inside  like:



But Tomcat created another directory app#latest from this, and copied app#1 
there.
I would like to avoid having duplicate directories.

Doc says that:
* To define multiple contexts that use a single WAR file or directory, use one 
of the options described in the Naming section above for creating a Context 
that has a path that is not related to the base file name.
* If you want to deploy a WAR file or a directory using a context path that is 
not related to the base file name then one of the following options must be 
used to prevent double-deployment:
** Disable autoDeploy and deployOnStartup and define all Contexts in server.xml
** Locate the WAR and/or directory outside of the Host's appBase and use a 
context.xml file with a docBase attribute to define it.

Don't quite understand what to do.
Do I need add  also to the existing application:



Or what does "define all Contexts in server.xml" mean?
And what does the second option (Locate the WAR...) mean?

Thanks,

-Harri



RE: NullPointerException in Tomcat startup while parsing XML configuration file

2022-03-15 Thread Harri Pesonen
Hello, that xml file is embedded in catalina.jar, so obviously I have not 
modified it:

jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml

It does not prevent Tomcat startup.
It only prevents me from finding the NullPointerException in my application 
startup.
But because NullPointerException is always a bug, I was thinking that someone 
might be interested.
You already have the important stack trace lines in this message, and you can 
easily reproduce the problem by starting Tomcat in debugger and having 
breakpoint in NullPointerException.

-Harri

-Original Message-
From: Christopher Schultz  
Sent: Monday, 14 March 2022 16:36
To: users@tomcat.apache.org
Subject: Re: NullPointerException in Tomcat startup while parsing XML 
configuration file

Harri,

On 3/14/22 10:23, Harri Pesonen wrote:
> Hello, I don't know if this is interesting, but while I started Tomcat 
> in IDEA debugger, when I had breakpoint set to NullPointerException (so that 
> it breaks on all of them), then it breaks here:
> 
> org\apache\tomcat\tomcat-util\8.5.75\tomcat-util-8.5.75.jar!\org\apach
> e\tomcat\util\IntrospectionUtils.class
> 
> public static String replaceProperties(String value, Hashtable<Object, Object> 
> staticProp, IntrospectionUtils.PropertySource[] dynamicProp, 
> ClassLoader classLoader) {
>  if (value.indexOf(36) < 0) {
> 
> "value" is null.
> 
> A bit more up in stack trace, it is here:
> 
> org\apache\tomcat\tomcat-util-scan\8.5.75\tomcat-util-scan-8.5.75.jar!
> \org\apache\tomcat\util\digester\Digester.class
> 
> public InputSource resolveEntity(String name, String publicId, String 
> baseURI, String systemId) throws SAXException, IOException {
>  name = this.replace(name);
> 
> "name" is null.
> 
> One more up:
> 
> java.xml\com\sun\org\apache\xerces\internal\util\EntityResolver2Wrappe
> r.java
> 
> String name = null;
> if (resourceIdentifier instanceof XMLDTDDescription) {
>  name = "[dtd]";
> }
> else if (resourceIdentifier instanceof XMLEntityDescription) {
>  name = ((XMLEntityDescription) 
> resourceIdentifier).getEntityName();
> }
> 
> // When both pubId and sysId are null, the user's entity resolver
> // can do nothing about it. We'd better not bother calling it.
> // This happens when the resourceIdentifier is a GrammarDescription,
> // which describes a schema grammar of some namespace, but without
> // any schema location hint. -Sg
> if (pubId == null && sysId == null) {
>  return null;
> }
> 
> // Resolve using EntityResolver2
> try {
>  InputSource inputSource =
>  fEntityResolver.resolveEntity(name, pubId, baseURI, sysId);
> 
> "name" is null.
> 
> It was parsing this:
> 
> jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/
> mbeans/mbeans-descriptors.xml
> 
> So the problem seems to happen in org.apache.xerces XML parser, or in Tomcat.

Have you modified the stock mbeans-descriptors.xml file? Does this prevent 
startup in your environment? If so, please post the full stack trace. If this 
error is caught and ignored, then there is nothing to do.

-chris




NullPointerException in Tomcat startup while parsing XML configuration file

2022-03-14 Thread Harri Pesonen
Hello, I don't know if this is interesting, but while I started Tomcat in IDEA 
debugger, when I had breakpoint set to NullPointerException (so that it breaks 
on all of them),
then it breaks here:

org\apache\tomcat\tomcat-util\8.5.75\tomcat-util-8.5.75.jar!\org\apache\tomcat\util\IntrospectionUtils.class

public static String replaceProperties(String value, Hashtable<Object, Object> 
staticProp, IntrospectionUtils.PropertySource[] dynamicProp, ClassLoader 
classLoader) {
if (value.indexOf(36) < 0) {

"value" is null.

A bit more up in stack trace, it is here:

org\apache\tomcat\tomcat-util-scan\8.5.75\tomcat-util-scan-8.5.75.jar!\org\apache\tomcat\util\digester\Digester.class

public InputSource resolveEntity(String name, String publicId, String baseURI, 
String systemId) throws SAXException, IOException {
name = this.replace(name);

"name" is null.

One more up:

java.xml\com\sun\org\apache\xerces\internal\util\EntityResolver2Wrapper.java

String name = null;
if (resourceIdentifier instanceof XMLDTDDescription) {
name = "[dtd]";
}
else if (resourceIdentifier instanceof XMLEntityDescription) {
name = ((XMLEntityDescription) resourceIdentifier).getEntityName();
}

// When both pubId and sysId are null, the user's entity resolver
// can do nothing about it. We'd better not bother calling it.
// This happens when the resourceIdentifier is a GrammarDescription,
// which describes a schema grammar of some namespace, but without
// any schema location hint. -Sg
if (pubId == null && sysId == null) {
return null;
}

// Resolve using EntityResolver2
try {
InputSource inputSource =
fEntityResolver.resolveEntity(name, pubId, baseURI, sysId);

"name" is null.

It was parsing this:

jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml

So the problem seems to happen in org.apache.xerces XML parser, or in Tomcat.

-Harri




RE: Tomcat 9 Encrpytion of JDBC

2022-01-20 Thread Harri Pesonen
Vault for Apache Tomcat:

https://github.com/web-servers/tomcat-vault

It hides the secrets in another encrypted file, and password for that file is 
then in another file...
So it just makes it more difficult to access the secrets, but at least they are 
not in plain text.

-Harri

-Original Message-
From: Orendt, John  
Sent: Thursday, 20 January 2022 18:11
To: users@tomcat.apache.org
Subject: RE: Tomcat 9 Encrpytion of JDBC

Hi

There are at least two types of mutual authentication.

1. Device Client A and Server B
2. Human A  via browser and Server B

All the scenarios you mention have been solved. You just need to know how.
X509 certs, the chain of trust, TPMs and HSMs are some of the parts of the 
solution for both types.

Internet Banking does exist.

John Orendt
john.p.ore...@medtronic.com

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, January 18, 2022 11:32 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9 Encrpytion of JDBC

John,

On 1/18/22 08:37, Orendt, John wrote:
> Secrets are more secure with the use of a Trusted Platform Module
> (TPM) and  / or a Hardware Security Module (HSM).
>
> Secrets need to be protected both at rest and in transit.
Sure. Where do you put the password for the TPM or HSM? Or do you enter the 
password for your HSM/TPM every time you start a process that needs access to 
secrets? How do you handle unattended restarts?

How do you handle massive deployments? Do you manually-enter a password on 1000 
servers as they all launch together?

On all these kinds of deployments, you usually use a key server. But then how 
do you authenticate to the key server? With another secret.
It's secrets all the way down. At some point, you must trust something, and 
that something you trust can't be a human, because that doesn't scale or isn't 
practical for some other reason.

I'd love to hear a practical solution to the "secret at rest" problem that 
actually makes some sense and doesn't just hand-wave the problem off to another 
component that is Somebody Else's Problem.

-chris

> -Original Message-
> From: Alan F 
> Sent: Friday, January 14, 2022 2:05 PM
> To: Tomcat Users List 
> Subject: RE: Tomcat 9 Encrpytion of JDBC
>
> OK thanks Bill!
>
> -Original Message-
> From: Bill Stewart 
> Sent: 14 January 2022 19:02
> To: Tomcat Users List 
> Subject: Re: Tomcat 9 Encrpytion of JDBC
>
> On Fri, Jan 14, 2022 at 10:25 AM Alan F wrote:
>
>
>> Interested to know your best practices on securing jdbc plain text 
>> passwords, in my last place they used a mechanism to encrypt all passwords.
>> Is this the best method as I read some people don't recommend this.
>> Any details or procs on best practice appreciated.
>>
>
> The "best practice," generally speaking, is that doing so is basically 
> pointless from a security perspective.
>
> https://cwiki.apache.org/confluence/display/TOMCAT/Password
>
> Bill

Possible UpgradeInfo memory leak

2021-09-23 Thread Harri Pesonen
Hello, while looking at Tomcat 8.5.61 heap dump in VisualVM, in Dominators by 
Retained Size, two biggest ones are:

org.apache.tomcat.util.net.NioEndpoint#1  12 382 781 B (13,7%)
org.apache.coyote.http11.upgrade.UpgradeGroupInfo#1  7 066 212 B (7,8%)

I am wondering about UpgradeGroupInfo, because it has very large array of 
UpgradeInfos:

oname = javax.management.ObjectName#1240 : Catalina:Upgrade=websocket,name="https-jsse-nio-10.8.35.86-8443",type=GlobalRequestProcessor    31 B (0%)    363 B (0%)
upgradeInfos = java.util.ArrayList#10079 : 146 098 elements    20 B (0%)    7 066 144 B (7,8%)
elementData = java.lang.Object[]#22702 : 160 065 items    640 276 B (0,7%)    7 066 124 B (7,8%)
[0] = org.apache.coyote.http11.upgrade.UpgradeInfo#1    44 B (0%)    44 B (0%)

Single UpgradeInfo is very small, but there are 146 098 of them.
org.apache.coyote.http11.upgrade.UpgradeInfo   146 098 (12,8%)

I am not sure what this UpgradeInfo is, it looks like some statistics about 
upgraded connection, in this case from http to websocket.
To me it looks like these UpgradeInfos are not removed when connection is 
closed.
Any comments?

Thanks, Harri