RE: Tomcat closes connections on unexpected status codes
I have developed a restful web service, which uses HTTP response codes 200 OK, 201 Created, 204 No Content and 404 Not Found. It does not use 400 Bad Request or 500 Internal Server Error normally. 400 Bad Request is more common than 500 Internal Server Error, which should basically never happen.

400 Bad Request is the best response in many cases, if the client gives some query parameter which is not supported by the application logic. I think that it would be better not to close the connection in this case, if the error comes from the application. I wonder if there is an option for the application to define whether the connection should be closed or not after the response has been sent? Or is the option only from the client?

For me this 404 Not Found is also a small problem, as it is an error, but it can happen quite often. HTTP errors are not nice in logs. Normally if you try to fetch some restful resource which does not exist, then it returns 404 Not Found.

GET /service/resource/id => 404 Not Found

If I now had an option to rewrite the service, I would probably use 204 No Content in this case as well, to avoid errors. 204 No Content is normally used with PUT and DELETE requests.

-Harri

-----Original Message-----
From: Christopher Schultz
Sent: Friday 19 April 2024 14.27
To: users@tomcat.apache.org
Subject: Re: Tomcat closes connections on unexpected status codes

Mark,

On 4/18/24 11:38, Mark Thomas wrote:
> On 18/04/2024 15:16, Adwait Kumar Singh wrote:
>> I think we should *always* close connections in cases where it can lead to request smuggling vulnerabilities like when there is an error during header or request line parsing, but allowing the user to control connection close when the status is being set by the user, should be safe?
>
> I'm not (yet) convinced distinguishing between those scenarios is always going to be possible.
>
>> It allows users to send back responses like InvalidInputException with a 400 status without being forced to close the connection.
>
> I appreciate why a 400 is used here but 400 has always struck me as more for protocol level issues rather than application level issues.

Didn't someone tell me recently that, technically, ANY client-error is allowed to trigger a 400 response without being more specific?

> That is the fundamental problem here. The status codes are being used for two completely different purposes.

+1

I've always found it distasteful when REST services do this. To me, 400 means "the request was actually malformed". If you need authentication, that's a 401. If you aren't allowed, that's 403. If you didn't provide a required header, that's a 412, etc.

I've usually found the "correct" response code to use for every situation and I've never written an application that returns a 400 response directly.

-chris

>> On Thu, Apr 18, 2024 at 6:41 AM Rémy Maucherat wrote:
>>
>>> On Thu, Apr 18, 2024 at 1:17 PM Mark Thomas wrote:
>>>> On 18/04/2024 09:07, Stefan Ansing wrote:
>>>>> Hi,
>>>>>
>>>>> We've observed some unexpected behaviour in Apache Tomcat (version 10.1.19) where we see that HTTP/1.1 connections are closed whenever a servlet application returns the following status codes: 400, 408, 411, 414, 500, 503, 501. This causes client applications to rapidly reconnect and induce high server-side CPU load due to doing TLS handshakes.
>>>>>
>>>>> The 400 and 500 status codes are commonly used in RESTful microservices to communicate errors. Reviewing RFC 9112 I couldn't find any requirement for closing connections on these status codes.
>>>>>
>>>>> After testing with Undertow (version 2.3.12), where we didn't see the same behaviour, we believe that these status codes do not necessitate a new connection.
>>>>
>>>> The Tomcat developers disagree. Connections are closed after these status codes to avoid various forms of request smuggling attacks.
>>>>
>>>>> Checking the Tomcat sources makes me believe that the behaviour is hard-coded[1]. I'm reaching out here to re-evaluate the list of status codes and to discuss the possibilities of making the behaviour configurable.
>>>>
>>>> Making this list of status codes configurable seems reasonable. The default can stay as current and if users want to change it then they have to accept the associated security risks.
>>>
>>> If it's insecure, then it would still be a valid CVE even if the configuration is optional. We don't have an "allowSmuggling" attribute on the connector to relax header or status line parsing, even though many would have wanted it in the past ...
>>>
>>> Rémy
>>>
>>>> Mark
>>>>
>>>>> A colleague of mine reported a bug for this issue:
>>>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=68901
RE: Tomcat Internal Architect for JSP compilation?
Linux has "auditd" tool to log file system changes:

https://www.redhat.com/sysadmin/configure-linux-auditing-auditd

-Harri

-----Original Message-----
From: Subodh Joshi
Sent: Friday 22 March 2024 7.36
To: Tomcat Users List
Subject: Re: Tomcat Internal Architect for JSP compilation?

Hi Chris

Thanks for your response. So I added the below properties in the application.properties file

> spring.mvc.cache-control.cache-allowed=false

and then deleted the /tmp/tomcat directory. So now when I restart the server, only A.jsp fails with a 500 error (ClassNotFoundException) as this is the first page which I was trying to load; the rest of the JSP pages are working fine without any issue.

Why am I doing this exercise? In some of our deployed Linux environments many clients are complaining about this issue. We tried to monitor who is actually deleting these /tmp/tomcat folders but still we are not able to figure it out and we are not able to reproduce it. So I have to reproduce it by manually deleting the /tmp/tomcat directory.

thanks & regards

On Thu, Mar 21, 2024 at 7:24 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Subodh,
>
> On 3/21/24 07:32, Subodh Joshi wrote:
> > Expert,
> >
> > Recently I came across an issue and I was getting no clue what was going on wrong with the Application.
> >
> > So here is the issue, we were getting the following issue in our web application (Springboot+Embedded Tomcat) which is deployed onto a Linux machine
> >
> >> java.lang.ClassNotFoundException: org.apache.jsp.WEB_002dINF.jsp.ImportTab_jsp
> >>     at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:445)
> >>     at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:129)
> >>     at org.apache.jasper.servlet.JasperLoader.loadClass(JasperLoader.java:58)
> >>     at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:151)
> >>     at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:189)
> >>     at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410)
> >>     at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> >>     at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> >>     at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:110)
> >>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
> >>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
> >>     at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:108)
> >>     at org.springframework.security.web.FilterChainProxy.lambda$doFilterInternal$3(FilterChainProxy.java:231)
> >>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:365)
> >>     at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:100)
> >>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
> >>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
> >>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
> >>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)
> >>     at
RE: When does Tomcat add and remove threads?
Yes, the standard JDK ThreadPoolExecutor behavior is bad. Here is a good thread describing how to fix ThreadPoolExecutor to behave how it should be.

https://stackoverflow.com/questions/19528304/how-to-get-the-threadpoolexecutor-to-increase-threads-to-max-before-queueing

Obviously Tomcat had to do a similar thing. I wish that the JDK would add some kind of easy option to ThreadPoolExecutor to add more threads instead of adding to the queue, when all existing threads are busy, because the current behavior does not make sense.

-Harri

-----Original Message-----
From: john.e.gr...@wellsfargo.com.INVALID
Sent: Tuesday 12 March 2024 18.54
To: users@tomcat.apache.org
Subject: RE: When does Tomcat add and remove threads?

All,

> -----Original Message-----
> From: Christopher Schultz
> Sent: Tuesday, March 12, 2024 8:31 AM
> To: users@tomcat.apache.org
> Subject: Re: When does Tomcat add and remove threads?
>
> John,
>
> On 3/11/24 18:14, john.e.gr...@wellsfargo.com.INVALID wrote:
> > From: Christopher Schultz
> > Sent: Monday, March 11, 2024 5:09 PM
> >
> >> On 3/11/24 17:47, john.e.gr...@wellsfargo.com.INVALID wrote:
> >>> I am using Tomcat 9.x.
> >>>
> >>> When does Tomcat add and remove threads from its internal thread pool? I'm talking about the threads with names like http-nio-8080-exec-1. It appears the thread pool is Tomcat's own ThreadPoolExecutor but I don't see the exact behavior documented. I'm familiar with how java.util.concurrent does it, but it looks like Tomcat's version is a little different.
> >>
> >> Are you looking for a technical explanation with code references, or a plain-English description of when threads are created and added?
> >
> > Mostly plain English like the j.u.c. ThreadPoolExecutor Java doc has.
> > What happens when all core threads are in use? When do tasks go on the queue? When does core thread + 1 get added? When do threads get removed?
>
> Tomcat will create thread pools under two separate circumstances. They are related, but behave somewhat differently.
>
> First, if you declare an <Executor> in your server.xml, then a thread pool will be created. You can control the number of threads and their retention policy such as "keep X spare threads around" and "retire threads after N seconds without being used."
>
> Second, if you declare a <Connector> without specifying an "executor", a thread pool will be configured for you but you don't really have control over it because all those nice configuration options for an <Executor> are not available on the <Connector>. If you want to control those settings, use a <Connector> linked with an <Executor>.
>
> To be clear, if you declare a <Connector> without an "executor" attribute, your thread pool will be of a fixed size and threads will never be released. (I think the thread pool starts small and grows but will never shrink.)
>
> An <Executor> is implemented in the StandardThreadExecutor and ThreadPoolExecutor classes, which I believe were adaptations of classes from java.util.concurrent introduced into Tomcat before java.util.concurrent was actually available -- which is why it wasn't used directly in Tomcat. (NB: The ThreadPoolExecutor class in Tomcat contains an "@author Doug Lea" tag. The Tomcat source is licensed under AL2, the JDK source is licensed under GPL2, but the original was released by Doug Lea into the public domain under a CC0 1.0 Deed license.)
>
> The re-sizing occurs in the ThreadPoolExecutor class if you'd like to read it. It is not entirely straightforward. You could start by reading the code for the runWorker(Worker w) method where, at the end, processWorkerExit is called.
>
> But since Tomcat's ThreadPoolExecutor is basically Java's ThreadPoolExecutor, they work the same.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

I took matters into my own hands and wrote a test to see what was happening.

Unlike java.util.concurrent.ThreadPoolExecutor, Tomcat's TPE adds threads when all core threads are busy. It only adds tasks to the queue when max threads are busy. I prefer this behavior to the JDK behavior.

Threads are removed when idle for 60 seconds. This appears to be hard-coded in AbstractEndpoint.createExecutor().

Thanks
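The difference discussed in this thread can be reproduced with JDK classes alone. The following is an added example, not code from the thread or from Tomcat: it sends the same burst of blocking tasks through a stock java.util.concurrent.ThreadPoolExecutor and through a variant whose queue refuses work while all threads are busy and the pool is below its maximum (the general approach of the linked Stack Overflow question). The class names, the pool sizes (core 2, max 4) and the 60-second idle time are assumptions chosen for the demonstration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class PoolGrowthDemo {

    /** Work queue that refuses a task while every thread is busy and the pool can still grow. */
    static final class GrowFirstQueue extends LinkedBlockingQueue<Runnable> {
        private static final long serialVersionUID = 1L;
        transient volatile GrowFirstPool pool;   // set by the pool's constructor

        @Override
        public boolean offer(Runnable task) {
            GrowFirstPool p = pool;
            if (p == null) return super.offer(task);
            int size = p.getPoolSize();
            if (size >= p.getMaximumPoolSize()) return super.offer(task); // cannot grow: queue it
            if (p.inFlightCount() <= size) return super.offer(task);      // an idle thread will take it
            return false; // reporting "queue full" makes execute() start another thread
        }

        /** Bypasses the grow-first check; used when a concurrent submitter won the last thread slot. */
        boolean forceOffer(Runnable task) {
            return super.offer(task);
        }
    }

    /** Executor that counts submitted-but-unfinished tasks so the queue can tell busy from idle. */
    static final class GrowFirstPool extends ThreadPoolExecutor {
        private final AtomicInteger inFlight = new AtomicInteger();

        GrowFirstPool(int core, int max, long idleSeconds) {
            super(core, max, idleSeconds, TimeUnit.SECONDS, new GrowFirstQueue());
            GrowFirstQueue queue = (GrowFirstQueue) getQueue();
            queue.pool = this;
            // offer() returned false but the pool was already at max: queue the task after all.
            setRejectedExecutionHandler((task, executor) -> {
                if (executor.isShutdown() || !queue.forceOffer(task)) {
                    throw new RejectedExecutionException("executor is shut down");
                }
            });
        }

        int inFlightCount() {
            return inFlight.get();
        }

        @Override
        public void execute(Runnable task) {
            inFlight.incrementAndGet();
            try {
                super.execute(task);
            } catch (RejectedExecutionException e) {
                inFlight.decrementAndGet();
                throw e;
            }
        }

        @Override
        protected void afterExecute(Runnable task, Throwable failure) {
            inFlight.decrementAndGet();
        }
    }

    /** Submits blocking tasks and returns {threads, queued} as seen while all of them are pending. */
    static int[] burst(ThreadPoolExecutor pool, int tasks) throws InterruptedException {
        CountDownLatch release = new CountDownLatch(1);
        for (int i = 0; i < tasks; i++) {
            pool.execute(() -> {
                try {
                    release.await();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        int[] snapshot = { pool.getPoolSize(), pool.getQueue().size() };
        release.countDown();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return snapshot;
    }

    public static void main(String[] args) throws InterruptedException {
        int[] jdk = burst(new ThreadPoolExecutor(2, 4, 60, TimeUnit.SECONDS,
                new LinkedBlockingQueue<>()), 6);
        int[] grow = burst(new GrowFirstPool(2, 4, 60), 6);
        System.out.printf("JDK default: threads=%d queued=%d%n", jdk[0], jdk[1]);
        System.out.printf("grow-first : threads=%d queued=%d%n", grow[0], grow[1]);
    }
}
```

With an unbounded queue the stock executor never grows past its core size, so six blocking tasks leave it at 2 threads with 4 tasks queued, while the grow-first variant reaches 4 threads and queues only the remaining 2.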
RE: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
Thanks. This has quite a good explanation of the issue:

https://www.baeldung.com/java-security-egd

It seems that there is no easy workaround for this in Windows at least. The problem is with entropy; the native Windows random number generator does not always have enough randomness available. I think that the JDK should catch this error and have some fallback mechanism to generate a random seed from process ID, UTC time and ticks, for example.

-Harri

-----Original Message-----
From: Thomas Worster
Sent: Friday 21 April 2023 22.04
To: Tomcat Users List
Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating seed

That document is mostly about a corrupted install in Weblogic, but after that, it suggests making sure you are using the urandom (non-blocking) random number generator. If you're using the blocking RNG, it would explain why the issue is not easily repeatable.

-Djava.security.egd=file:/dev/./urandom

I can't recall if the format of that string is the same in Windows, but it should be similar.

Tom

On Fri, Apr 21, 2023 at 2:15 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Harri,
>
> On 4/21/23 04:39, Harri Pesonen wrote:
> > No, I think that I have seen this only once now, but of course it might have happened more than once.
> > Googling says that other people have seen this as well, but very randomly.
> > Apparently the problem happens in Windows function, but JNI call does not tell the reason for failure.
> > This happened in AWS cloud, perhaps the server was busy or something.
> > Or there is some kind of bug in JDK.
> > Probably this would need JDK developer to look at.
> > There might be solution here:
> > https://support.oracle.com/knowledge/Middleware/1492450_1.html#FIX
> > But I can't see it.
>
> I can't see it, either; I'm not an Oracle customer.
>
> If this is rare, and Tomcat can't really do anything about it, I would say "monitor your servers and restart them if necessary."
>
> Sorry... it doesn't look like we really have any other choices, here.
>
> -chris
>
> > -----Original Message-----
> > From: Christopher Schultz
> > Sent: Thursday 20 April 2023 19.35
> > To: users@tomcat.apache.org
> > Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
> >
> > Harri,
> >
> > On 4/18/23 07:43, Harri Pesonen wrote:
> >> Hello, we have:
> >>
> >> Tomcat/8.5.83
> >> Windows Server 2016
> >> java.version=11.0.12
> >> java.vendor=Azul Systems, Inc.
> >> sun.arch.data.model=64
> >>
> >> Sometimes Tomcat fails to start our application because of this error:
> >>
> >> 06:45:58.230 ERR> (Catalina-startStop-1) (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for multi-thread deployment of deployment descriptors to complete
> >> java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
> >>     at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
> >>     at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
> >>     at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
> >>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
> >>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
> >>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
> >>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
> >>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
> >>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
RE: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
No, I think that I have seen this only once now, but of course it might have happened more than once.
Googling says that other people have seen this as well, but very randomly.
Apparently the problem happens in a Windows function, but the JNI call does not tell the reason for failure.
This happened in AWS cloud, perhaps the server was busy or something.
Or there is some kind of bug in the JDK.
Probably this would need a JDK developer to look at.
There might be a solution here:
https://support.oracle.com/knowledge/Middleware/1492450_1.html#FIX
But I can't see it.

-Harri

-----Original Message-----
From: Christopher Schultz
Sent: Thursday 20 April 2023 19.35
To: users@tomcat.apache.org
Subject: Re: java.lang.InternalError: Unexpected CryptoAPI failure generating seed

Harri,

On 4/18/23 07:43, Harri Pesonen wrote:
> Hello, we have:
>
> Tomcat/8.5.83
> Windows Server 2016
> java.version=11.0.12
> java.vendor=Azul Systems, Inc.
> sun.arch.data.model=64
>
> Sometimes Tomcat fails to start our application because of this error:
>
> 06:45:58.230 ERR> (Catalina-startStop-1) (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for multi-thread deployment of deployment descriptors to complete
> java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
>     at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
>     at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
>     at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
>     at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
>     at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
>     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:962)
>     at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:833)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
>     at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
>     at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
>     at java.base/sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:62)
>     at java.base/sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
>     at java.base/sun.security.provider.SecureRandom$SeederHolder.(SecureRandom.java:204)
>     at java.base/sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:222)
>     at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:751)
>     at java.base/java.security.SecureRandom.next(SecureRandom.java:808)
>     at java.base/java.util.Random.nextInt(Random.java:329)
>     at org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom(SessionIdGeneratorBase.java:290)
>     at org.apache.catalina.util.SessionIdGeneratorBase.getRandomBytes(SessionIdGeneratorBase.java:222)
>     at org.apache.catalina.util.StandardSessionIdGenerator.generateSessionId(StandardSessionIdGenerator.java:34)
>     at or
java.lang.InternalError: Unexpected CryptoAPI failure generating seed
Hello, we have:

Tomcat/8.5.83
Windows Server 2016
java.version=11.0.12
java.vendor=Azul Systems, Inc.
sun.arch.data.model=64

Sometimes Tomcat fails to start our application because of this error:

06:45:58.230 ERR> (Catalina-startStop-1) (org.apache.catalina.startup.HostConfig#deployDescriptors) Error waiting for multi-thread deployment of deployment descriptors to complete
java.util.concurrent.ExecutionException: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:594)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1610)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:962)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:833)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1427)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1417)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.InternalError: Unexpected CryptoAPI failure generating seed
    at java.base/sun.security.provider.NativeSeedGenerator.getSeedBytes(NativeSeedGenerator.java:62)
    at java.base/sun.security.provider.SeedGenerator.generateSeed(SeedGenerator.java:144)
    at java.base/sun.security.provider.SecureRandom$SeederHolder.(SecureRandom.java:204)
    at java.base/sun.security.provider.SecureRandom.engineNextBytes(SecureRandom.java:222)
    at java.base/java.security.SecureRandom.nextBytes(SecureRandom.java:751)
    at java.base/java.security.SecureRandom.next(SecureRandom.java:808)
    at java.base/java.util.Random.nextInt(Random.java:329)
    at org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom(SessionIdGeneratorBase.java:290)
    at org.apache.catalina.util.SessionIdGeneratorBase.getRandomBytes(SessionIdGeneratorBase.java:222)
    at org.apache.catalina.util.StandardSessionIdGenerator.generateSessionId(StandardSessionIdGenerator.java:34)
    at org.apache.catalina.util.SessionIdGeneratorBase.generateSessionId(SessionIdGeneratorBase.java:214)
    at org.apache.catalina.util.SessionIdGeneratorBase.startInternal(SessionIdGeneratorBase.java:310)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.session.ManagerBase.startInternal(ManagerBase.java:670)
    at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:352)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5250)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:695)
    at
RE: java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation
I think that I understand. I need to change the Servlet API from 3.1 to 4.0.
I was thinking that we can still use 3.1, and 4.0 would be compatible.

https://tomcat.apache.org/whichversion.html

Servlet Spec | JSP Spec | EL Spec | WebSocket Spec | Authentication (JASPIC) Spec | Apache Tomcat Version | Latest Released Version | Supported Java Versions
6.1          | 4.0      | 6.0     | TBD            | TBD                          | 11.0.x                | 11.0.0-M4 (alpha)       | 17 and later
6.0          | 3.1      | 5.0     | 2.1            | 3.0                          | 10.1.x                | 10.1.7                  | 11 and later
5.0          | 3.0      | 4.0     | 2.0            | 2.0                          | 10.0.x (superseded)   | 10.0.27 (superseded)    | 8 and later
4.0          | 2.3      | 3.0     | 1.1            | 1.1                          | 9.0.x                 | 9.0.73                  | 8 and later
3.1          | 2.3      | 3.0     | 1.1            | 1.1                          | 8.5.x                 | 8.5.87                  | 7 and later

-Harri

-----Original Message-----
From: Rémy Maucherat
Sent: Monday 20 March 2023 16.10
To: Tomcat Users List
Subject: Re: java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation

On Mon, Mar 20, 2023 at 1:59 PM Harri Pesonen wrote:
>
> Hello,
>
> I changed:
>
> * source code target from Java 8 to Java 11
> * Tomcat from 8.5 to 9.0.73
> * Java runtime from Java 11 to Java 17
>
> and now I see extra error in Tomcat log, which did not happen before:

The Servlet API was changed so that in the HttpSessionListener interface the sessionCreated method is now a "default". So something is not right in this area after your upgrade.

Rémy

>
> (http-nio-8080-exec-8) (org.apache.catalina.session.StandardSession#tellNew) Session event listener threw exception
> java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation of the resolved method 'abstract void sessionCreated(javax.servlet.http.HttpSessionEvent)' of interface javax.servlet.http.HttpSessionListener.
>     at org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:390)
>     at org.apache.catalina.session.StandardSession.setId(StandardSession.java:363)
>     at org.apache.catalina.session.StandardSession.setId(StandardSession.java:342)
>     at org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:763)
>     at org.apache.catalina.connector.Request.doGetSession(Request.java:3008)
>     at org.apache.catalina.connector.Request.getSession(Request.java:2422)
>     at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:650)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>     at org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
>     at org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
>     at org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
>     at org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
>     at jdk.proxy4/jdk.proxy4.$Proxy72.getSession(Unknown Source)
>     at com.sap.cctr.ri.context.AuthenticationFilter.filter(AuthenticationFilter.java:341)
>     at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)
>     at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44)
>     at org.glassfish.jersey.process.internal.Stages.process(Stages.java:173)
>     at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:248)
>     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
>     at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
>     at org.glassfish.jersey.internal.Errors.process(Error
java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation
Hello,

I changed:

* source code target from Java 8 to Java 11
* Tomcat from 8.5 to 9.0.73
* Java runtime from Java 11 to Java 17

and now I see extra error in Tomcat log, which did not happen before:

(http-nio-8080-exec-8) (org.apache.catalina.session.StandardSession#tellNew) Session event listener threw exception
java.lang.AbstractMethodError: Receiver class org.apache.tomcat.websocket.server.WsSessionListener does not define or inherit an implementation of the resolved method 'abstract void sessionCreated(javax.servlet.http.HttpSessionEvent)' of interface javax.servlet.http.HttpSessionListener.
    at org.apache.catalina.session.StandardSession.tellNew(StandardSession.java:390)
    at org.apache.catalina.session.StandardSession.setId(StandardSession.java:363)
    at org.apache.catalina.session.StandardSession.setId(StandardSession.java:342)
    at org.apache.catalina.session.ManagerBase.createSession(ManagerBase.java:763)
    at org.apache.catalina.connector.Request.doGetSession(Request.java:3008)
    at org.apache.catalina.connector.Request.getSession(Request.java:2422)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:650)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1268)
    at org.jvnet.hk2.internal.MethodInterceptorImpl.internalInvoke(MethodInterceptorImpl.java:85)
    at org.jvnet.hk2.internal.MethodInterceptorImpl.invoke(MethodInterceptorImpl.java:101)
    at org.jvnet.hk2.internal.MethodInterceptorInvocationHandler.invoke(MethodInterceptorInvocationHandler.java:39)
    at jdk.proxy4/jdk.proxy4.$Proxy72.getSession(Unknown Source)
    at com.sap.cctr.ri.context.AuthenticationFilter.filter(AuthenticationFilter.java:341)
    at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:108)
    at org.glassfish.jersey.server.ContainerFilteringStage.apply(ContainerFilteringStage.java:44)
    at org.glassfish.jersey.process.internal.Stages.process(Stages.java:173)
    at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at
RE: Compatibility, 32 bit ..
Java 9 dropped 32-bit so it only has 64-bit by default. Maybe you have Java 8 instead of Java 9. Check this: https://www.digitalocean.com/community/tutorials/how-to-install-java-with-apt-on-ubuntu-18-04

Try using Tomcat 8.5 if you want to have 32-bit.

-Harri

-Original Message-
From: John Dale (DB2DOM)
Sent: Monday 24 October 2022 22.03
To: Tomcat Users List
Subject: Re: Compatibility, 32 bit ..

Thank you. Would you agree with me that this should be an ubuntu bug report? I installed using apt-get.

John

On 10/24/22, Mark Thomas wrote:
> On 24/10/2022 19:38, John Dale (DB2DOM) wrote:
>> Would Tomcat 10 work with Java 8?
>
> No. Tomcat 10.1.x requires a minimum of Java 11.
>
> Details of Tomcat versions, minimum Java versions and other useful
> information:
>
> https://tomcat.apache.org/whichversion.html
>
> Mark
>
>> Thinking I might downgrade the JDK.
>>
>> On 10/24/22, Mark Thomas wrote:
>>> On 24/10/2022 17:00, John Dale (DB2DOM) wrote:

Hi Mark;

Thanks for taking a look. Below is more information.

Sincerely,
John Dale, MS MIS
Spearfish, SD USA

-

Tomcat version: 10.0.27 (unzipped, chmod 770 on catalina.sh before cli: catalina.sh run)
java version: openjdk version "9-internal"
uname -m: i686
Ubuntu 18.0.4

First error in logs:

24-Oct-2022 09:52:24.411 SEVERE [main] org.apache.tomcat.util.compat.Jre9Compat. Failed to create references to Java 9 classes and methods
java.lang.ClassNotFoundException: java.lang.ModuleLayer

>>> You appear to have a broken JRE. That class should always be present
>>> in Java 9 onwards.
>>>
>>> Mark

    at java.net.URLClassLoader.findClass(java.base@9-internal/URLClassLoader.java:384)
    at java.lang.ClassLoader.loadClass(java.base@9-internal/ClassLoader.java:486)
    at java.lang.ClassLoader.loadClass(java.base@9-internal/ClassLoader.java:419)
    at java.lang.Class.forName0(java.base@9-internal/Native Method)
    at java.lang.Class.forName(java.base@9-internal/Class.java:294)
    at org.apache.tomcat.util.compat.Jre9Compat.(Jre9Compat.java:85)
    at org.apache.tomcat.util.compat.JreCompat.(JreCompat.java:72)
    at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:282)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:135)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(java.base@9-internal/Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(java.base@9-internal/NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(java.base@9-internal/DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(java.base@9-internal/Method.java:531)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)

On 10/24/22, Mark Thomas wrote:
> On 24/10/2022 02:01, John Dale (DB2DOM) wrote:
>> Hi Everyone;
>>
>> I've had a few requests to refurbish some old 32 bit dell towers.
>>
>> So, I'm throwing ubuntu on them and bringing up a
>> MySQL->DB2DOM->Tomcat
>> stack.
>>
>> Unfortunately, Tomcat doesn't want to start with openjdk 9 that
>> is packaged with 32 bit ubuntu.
>
> Tomcat works happily with 32-bit and 64-bit Java.
>
>> Can someone give me a pointer to what works best?
> Perhaps if you told us what Tomcat version you were using and
> showed us what the error message was we'd be able to
RE: Reconfiguring Tomcat application without restart
Hello, so we have application that should get a new configuration, CORS in this case, on the fly, without restarting the application, because it can have thousands of active connections.

Currently the configuration is stored in this application configuration file

$CATALINA_HOME/conf/Catalina/localhost/app.xml

and application gets it on startup and implements CORS restrictions. We have a need to change the configuration every now and then.

For example, I could possibly read the file once a minute, parse XML etc. and update settings, unless Tomcat is prohibiting the file access. Application does not necessarily know the file path though, so it should be hard coded, which would be bad. Tomcat has the code somewhere to do it, but it is likely an internal class.

We can workaround this by saving the configuration elsewhere, like in Windows registry, and read it from there once a minute. Or we could save it to database. But currently the configuration is in this deployment descriptor file, so I am asking if this has come up before.

Is there any other "standard" way of having mutable configuration for Tomcat application?

-Harri

-Original Message-
From: Christopher Schultz
Sent: Wednesday 13 April 2022 19.20
To: users@tomcat.apache.org
Subject: Re: Reconfiguring Tomcat application without restart

Harri,

On 4/13/22 07:32, Harri Pesonen wrote:
> Hello, is it possible to change the context file in
>
> $CATALINA_HOME/conf/Catalina/localhost/app.xml
>
> so that application would get the new configuration without restarting?

Without restarting... what exactly? And what would you want to change? Usually the things in that deployment descriptor are pretty fundamental to how the application starts-up, etc.

> I could not find such thing in servlet specification.

The servlet spec doesn't have anything like this in there, but Tomcat does. Sort of, depending upon exactly what you are trying to accomplish.

> Or would it be possible to manually read the file from the application, for
> example once a minute?
> Now the application gets the configuration from init():
>
> javax.servlet.GenericServlet.java
>
>     /**
>      * Called by the servlet container to indicate to a servlet that the
>      * servlet is being placed into service. See {@link Servlet#init}.
>      *
>      * This implementation stores the {@link ServletConfig}
>      * object it receives from the servlet container for later use.
>      * When overriding this form of the method, call
>      * super.init(config).
>      *
>      * @param config the ServletConfig object
>      *               that contains configutation
>      *               information for this servlet
>      *
>      * @exception ServletException if an exception occurs that
>      *                             interrupts the servlet's normal
>      *                             operation
>      *
>      * @see UnavailableException
>      */
>     public void init(ServletConfig config) throws ServletException {
>         this.config = config;
>         this.init();
>     }
>
> I suppose that getServletConfig() returns the same cached data without
> re-reading it from disk?
>
>     /**
>      * Returns this servlet's {@link ServletConfig} object.
>      *
>      * @return ServletConfig the ServletConfig object
>      *                       that initialized this servlet
>      */
>     public ServletConfig getServletConfig() {
>         return config;
>     }

Can you be more specific about what you want to achieve? I have some ideas, but before I send you down a potentially confusing path, it would be good to understand your goals.

-chris
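One way to implement the once-a-minute re-read discussed in this message, as an added example that is not code from the thread or from Tomcat. It assumes the allowed origins are kept one per line in a separate file whose path is handed to the application; the class name `ReloadableCorsOrigins` and the file format are hypothetical. A failed or invalid reload keeps the last good list instead of widening access.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/**
 * Added example (hypothetical class, not Tomcat code): keeps a CORS origin
 * allow-list in memory and re-reads it from a file without a restart.
 * Assumed file format: one origin per line, '#' starts a comment line.
 */
public final class ReloadableCorsOrigins implements AutoCloseable {
    private final Path file;      // assumed: path handed to the application by its deployer
    private volatile Set<String> allowed = Collections.emptySet(); // snapshot read by request threads
    private FileTime lastLoaded;  // only touched inside synchronized reload()
    private final ScheduledExecutorService timer =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "cors-origins-reload");
                t.setDaemon(true);    // never keeps the JVM alive on shutdown
                return t;
            });

    public ReloadableCorsOrigins(Path file, long periodSeconds) {
        this.file = file;
        reload();                 // initial load; the list stays empty (deny all) if it fails
        timer.scheduleWithFixedDelay(this::reload, periodSeconds, periodSeconds, TimeUnit.SECONDS);
    }

    /** Exact string match against the current snapshot; a missing Origin gets no CORS grant. */
    public boolean isAllowed(String origin) {
        return origin != null && allowed.contains(origin);
    }

    /** Re-reads the file if its timestamp changed; on any error the previous list stays active. */
    synchronized void reload() {
        try {
            FileTime modified = Files.getLastModifiedTime(file);
            if (modified.equals(lastLoaded)) {
                return;
            }
            Set<String> next = new HashSet<>();
            for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
                String entry = line.trim();
                if (!entry.isEmpty() && !entry.startsWith("#")) {
                    next.add(requireBareOrigin(entry));
                }
            }
            allowed = Collections.unmodifiableSet(next);  // one volatile write = atomic swap
            lastLoaded = modified;
        } catch (IOException | RuntimeException e) {
            // Catching here also keeps the scheduled task alive; an escaped exception would cancel it.
            System.err.println("CORS origins not reloaded, keeping previous list: " + e);
        }
    }

    /** Accepts only scheme://host[:port]; rejects "*", paths, queries, fragments and user-info. */
    static String requireBareOrigin(String s) {
        try {
            URI u = new URI(s);
            boolean web = "http".equals(u.getScheme()) || "https".equals(u.getScheme());
            // A non-null host means a hierarchical URI, so getRawPath() is non-null below.
            if (web && u.getHost() != null && u.getRawPath().isEmpty()
                    && u.getRawQuery() == null && u.getRawFragment() == null
                    && u.getRawUserInfo() == null) {
                return s;
            }
        } catch (URISyntaxException e) {
            // fall through to the rejection below
        }
        throw new IllegalArgumentException("not a bare http(s) origin: " + s);
    }

    @Override
    public void close() {
        timer.shutdownNow();      // call from ServletContextListener.contextDestroyed on undeploy
    }
}
```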
Reconfiguring Tomcat application without restart
Hello, is it possible to change the context file in

$CATALINA_HOME/conf/Catalina/localhost/app.xml

so that application would get the new configuration without restarting?

I could not find such thing in servlet specification.

Or would it be possible to manually read the file from the application, for example once a minute?

Now the application gets the configuration from init():

javax.servlet.GenericServlet.java

    /**
     * Called by the servlet container to indicate to a servlet that the
     * servlet is being placed into service. See {@link Servlet#init}.
     *
     * This implementation stores the {@link ServletConfig}
     * object it receives from the servlet container for later use.
     * When overriding this form of the method, call
     * super.init(config).
     *
     * @param config the ServletConfig object
     *               that contains configutation
     *               information for this servlet
     *
     * @exception ServletException if an exception occurs that
     *                             interrupts the servlet's normal
     *                             operation
     *
     * @see UnavailableException
     */
    public void init(ServletConfig config) throws ServletException {
        this.config = config;
        this.init();
    }

I suppose that getServletConfig() returns the same cached data without re-reading it from disk?

    /**
     * Returns this servlet's {@link ServletConfig} object.
     *
     * @return ServletConfig the ServletConfig object
     *                       that initialized this servlet
     */
    public ServletConfig getServletConfig() {
        return config;
    }

-Harri
RE: Two context paths to same application
Ok, it is a bit disappointing that Tomcat does not support this in standard webapps folder. But I found an easy workaround: create Windows junction app#latest that points to app#1 folder (both in webapps).

-Harri

-Original Message-
From: Mark Thomas
Sent: Friday 1 April 2022 18.46
To: users@tomcat.apache.org
Subject: Re: Two context paths to same application

On 01/04/2022 15:59, Harri Pesonen wrote:
> Hello,
>
> while reading the documentation in
> https://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming
> it is not clear to me how to achieve the following:
>
> Have one WAR file with corresponding directory, for example:
>
> app#1.war => app#1 (directory) => /app/1 (context path)
>
> But have another context path pointing to same application:
>
> /app/latest (context path) => app#1 (directory)
>
> I tried adding to server.xml inside like:
>
>
>
> But Tomcat created another directory app#latest from this, and copied app#1
> there.
> I would like to avoid having duplicate directories.
>
> Doc says that:
> * To define multiple contexts that use a single WAR file or directory, use
> one of the options described in the Naming section above for creating a
> Context that has a path that is not related to the base file name.
> * If you want to deploy a WAR file or a directory using a context path that
> is not related to the base file name then one of the following options must
> be used to prevent double-deployment:
> ** Disable autoDeploy and deployOnStartup and define all Contexts in
> server.xml
> ** Locate the WAR and/or directory outside of the Host's appBase and use a
> context.xml file with a docBase attribute to define it.
>
> Don't quite understand what to do.
> Do I need add also to the existing application:
>
>
>
> Or what does "define all Contexts in server.xml" mean?
> And what does the second option (Locate the WAR...) mean?

The key part is you need to locate the docBase (the web application WAR or directory) NOT under the appBase ($CATALINA_BASE/webapps).

So something like this:

/opt/webapps/myapp-1

and then under $CATALINA_BASE/conf/Catalina/localhost you'll need two context files:

myapp#1.xml

myapp#latest.xml

HTH,

Mark
Two context paths to same application
Hello,

while reading the documentation in https://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Naming it is not clear to me how to achieve the following:

Have one WAR file with corresponding directory, for example:

app#1.war => app#1 (directory) => /app/1 (context path)

But have another context path pointing to same application:

/app/latest (context path) => app#1 (directory)

I tried adding to server.xml inside like:

But Tomcat created another directory app#latest from this, and copied app#1 there.
I would like to avoid having duplicate directories.

Doc says that:
* To define multiple contexts that use a single WAR file or directory, use one of the options described in the Naming section above for creating a Context that has a path that is not related to the base file name.
* If you want to deploy a WAR file or a directory using a context path that is not related to the base file name then one of the following options must be used to prevent double-deployment:
** Disable autoDeploy and deployOnStartup and define all Contexts in server.xml
** Locate the WAR and/or directory outside of the Host's appBase and use a context.xml file with a docBase attribute to define it.

Don't quite understand what to do.
Do I need add also to the existing application:

Or what does "define all Contexts in server.xml" mean?
And what does the second option (Locate the WAR...) mean?

Thanks,
-Harri
RE: NullPointerException in Tomcat startup while parsing XML configuration file
Hello, that xml file is embedded in catalina.jar, so obviously I have not modified it:

jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml

It does not prevent Tomcat startup. It only prevents me from finding the NullPointerException in my application startup. But because NullPointerException is always a bug, I was thinking that someone might be interested. You already have the important stack trace lines in this message, and you can easily reproduce the problem by starting Tomcat in debugger and having breakpoint in NullPointerException.

-Harri

-Original Message-
From: Christopher Schultz
Sent: Monday 14 March 2022 16.36
To: users@tomcat.apache.org
Subject: Re: NullPointerException in Tomcat startup while parsing XML configuration file

Harri,

On 3/14/22 10:23, Harri Pesonen wrote:
> Hello, I don't know if this is interesting, but while I started Tomcat
> in IDEA debugger, when I had breakpoint set to NullPointerException (so that
> it breaks on all of them), then it breaks here:
>
> org\apache\tomcat\tomcat-util\8.5.75\tomcat-util-8.5.75.jar!\org\apache\tomcat\util\IntrospectionUtils.class
>
>     public static String replaceProperties(String value, Hashtable<Object, Object> staticProp, IntrospectionUtils.PropertySource[] dynamicProp, ClassLoader classLoader) {
>         if (value.indexOf(36) < 0) {
>
> "value" is null.
>
> A bit more up in stack trace, it is here:
>
> org\apache\tomcat\tomcat-util-scan\8.5.75\tomcat-util-scan-8.5.75.jar!\org\apache\tomcat\util\digester\Digester.class
>
>     public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws SAXException, IOException {
>         name = this.replace(name);
>
> "name" is null.
>
> One more up:
>
> java.xml\com\sun\org\apache\xerces\internal\util\EntityResolver2Wrapper.java
>
>     String name = null;
>     if (resourceIdentifier instanceof XMLDTDDescription) {
>         name = "[dtd]";
>     }
>     else if (resourceIdentifier instanceof XMLEntityDescription) {
>         name = ((XMLEntityDescription) resourceIdentifier).getEntityName();
>     }
>
>     // When both pubId and sysId are null, the user's entity resolver
>     // can do nothing about it. We'd better not bother calling it.
>     // This happens when the resourceIdentifier is a GrammarDescription,
>     // which describes a schema grammar of some namespace, but without
>     // any schema location hint. -Sg
>     if (pubId == null && sysId == null) {
>         return null;
>     }
>
>     // Resolve using EntityResolver2
>     try {
>         InputSource inputSource =
>             fEntityResolver.resolveEntity(name, pubId, baseURI, sysId);
>
> "name" is null.
>
> It was parsing this:
>
> jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml
>
> So the problem seems to happen in org.apache.xerces XML parser, or in Tomcat.

Have you modified the stock mbeans-descriptors.xml file?

Does this prevent startup in your environment? If so, please post the full stack trace.

If this error is caught and ignored, then there is nothing to do.

-chris
NullPointerException in Tomcat startup while parsing XML configuration file
Hello, I don't know if this is interesting, but while I started Tomcat in IDEA debugger, when I had breakpoint set to NullPointerException (so that it breaks on all of them), then it breaks here:

org\apache\tomcat\tomcat-util\8.5.75\tomcat-util-8.5.75.jar!\org\apache\tomcat\util\IntrospectionUtils.class

    public static String replaceProperties(String value, Hashtable staticProp, IntrospectionUtils.PropertySource[] dynamicProp, ClassLoader classLoader) {
        if (value.indexOf(36) < 0) {

"value" is null.

A bit more up in stack trace, it is here:

org\apache\tomcat\tomcat-util-scan\8.5.75\tomcat-util-scan-8.5.75.jar!\org\apache\tomcat\util\digester\Digester.class

    public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId) throws SAXException, IOException {
        name = this.replace(name);

"name" is null.

One more up:

java.xml\com\sun\org\apache\xerces\internal\util\EntityResolver2Wrapper.java

    String name = null;
    if (resourceIdentifier instanceof XMLDTDDescription) {
        name = "[dtd]";
    }
    else if (resourceIdentifier instanceof XMLEntityDescription) {
        name = ((XMLEntityDescription) resourceIdentifier).getEntityName();
    }

    // When both pubId and sysId are null, the user's entity resolver
    // can do nothing about it. We'd better not bother calling it.
    // This happens when the resourceIdentifier is a GrammarDescription,
    // which describes a schema grammar of some namespace, but without
    // any schema location hint. -Sg
    if (pubId == null && sysId == null) {
        return null;
    }

    // Resolve using EntityResolver2
    try {
        InputSource inputSource =
            fEntityResolver.resolveEntity(name, pubId, baseURI, sysId);

"name" is null.

It was parsing this:

jar:file:/C:/Tomcat/tomcat_home/lib/catalina.jar!/org/apache/catalina/mbeans/mbeans-descriptors.xml

So the problem seems to happen in org.apache.xerces XML parser, or in Tomcat.

-Harri
RE: Tomcat 9 Encrpytion of JDBC
Vault for Apache Tomcat: https://github.com/web-servers/tomcat-vault

It hides the secrets in another encrypted file, and password for that file is then in another file... So it just makes it more difficult to access the secrets, but at least they are not in plain text.

-Harri

-Original Message-
From: Orendt, John
Sent: Thursday 20 January 2022 18.11
To: users@tomcat.apache.org
Subject: RE: Tomcat 9 Encrpytion of JDBC

Hi

There are at least two types of mutual authentication.

1. Device Client A and Server B
2. Human A via browser and Server B

All the scenarios you mention have been solved. You just need to know how. X509 certs, the chain of trust, TPMs and HSMs are some of the parts of the solution for both types.

Internet Banking does exist.

John Orendt
john.p.ore...@medtronic.com

-Original Message-
From: Christopher Schultz
Sent: Tuesday, January 18, 2022 11:32 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9 Encrpytion of JDBC

John,

On 1/18/22 08:37, Orendt, John wrote:
> Secrets are more secure with the use of a Trusted Platform Module
> (TPM) and / or a Hardware Security Module (HSM).
>
> Secrets need to be protected both at rest and in transit.

Sure. Where you put the password for the TPM or HSM? Or do you enter the password for your HSM/TPM every time you start a process that needs access to secrets? How do you handle unattended restarts? How do you handle massive deployments? Do you manually-enter a password on 1000 servers as they all launch together?

On all these kinds of deployments, you usually use a key server. But then how do you authenticate to the key server? With another secret. It's secrets all the way down. At some point, you must trust something, and that something you trust can't be a human, because that doesn't scale or isn't practical for some other reason.

I'd love to hear a practical solution to the "secret at rest" problem that actually makes some sense and doesn't just hand-wave the problem off to another component that is Somebody Else's Problem.

-chris

> -Original Message-
> From: Alan F
> Sent: Friday, January 14, 2022 2:05 PM
> To: Tomcat Users List
> Subject: RE: Tomcat 9 Encrpytion of JDBC
>
> OK thanks Bill!
>
> -Original Message-
> From: Bill Stewart
> Sent: 14 January 2022 19:02
> To: Tomcat Users List
> Subject: Re: Tomcat 9 Encrpytion of JDBC
>
> On Fri, Jan 14, 2022 at 10:25 AM Alan F wrote:
>
>> Interested to know your best practices on securing jdbc plain text
>> passwords, in my last place they used a mechanism to encrypt all passwords.
>> Is this the best method as I read some people don't recommend this.
>> Any details or procs on best practice appreciated.
>
> The "best practice," generally speaking, is that doing so is basically
> pointless from a security perspective.
>
> https://cwiki.apache.org/confluence/display/TOMCAT/Password
>
> Bill
Possible UpgradeInfo memory leak
Hello, while looking at Tomcat 8.5.61 heap dump in VisualVM, in Dominators by Retained Size, two biggest ones are:

org.apache.tomcat.util.net.NioEndpoint#1 12 382 781 B (13,7%)
org.apache.coyote.http11.upgrade.UpgradeGroupInfo#1 7 066 212 B (7,8%)

I am wondering about UpgradeGroupInfo, because it has very large array of UpgradeInfos:

oname = javax.management.ObjectName#1240 : Catalina:Upgrade=websocket,name="https-jsse-nio-10.8.35.86-8443",type=GlobalRequestProcessor 31 B (0%) 363 B (0%)
upgradeInfos = java.util.ArrayList#10079 : 146 098 elements 20 B (0%) 7 066 144 B (7,8%)
elementData = java.lang.Object[]#22702 : 160 065 items 640 276 B (0,7%) 7 066 124 B (7,8%)
[0] = org.apache.coyote.http11.upgrade.UpgradeInfo#144 B (0%) 44 B (0%)

Single UpgradeInfo is very small, but there are 146 098 of them.

org.apache.coyote.http11.upgrade.UpgradeInfo 146 098 (12,8%)

I am not sure what this UpgradeInfo is, it looks like some statistics about upgraded connection, in this case from http to websocket. To me it looks like these UpgradeInfos are not removed when connection is closed.

Any comments?

Thanks,
Harri