Re: [EXT] Re: Datadog _ JMX Integration facing connection issues.

2023-12-04 Thread Thomas Meyer
Hi,

Also, newer JVMs have -XX:+UseContainerSupport set by default. Also, when using 
-XX:+UseContainerSupport, setting -Xms and -Xmx does not really make sense at all; 
you either want the JVM to deduce the max heap size from the memory cgroup or 
not.

Regards
Thomas 

On 4 December 2023 18:52:13 CET, Christopher Schultz wrote:
>Sai Vamsi,
>
>On 12/4/23 03:53, Bodavula, Sai Vamsi Mohan Krishna (TR Technology) wrote:
>> Firstly, thanks for adding a point in asking me to check if the 
>> annotations are reflecting in the Java process, which opened a door for me to 
>> add the concerned annotations in the correct place, by adding them in 
>> java_tool_options instead of Java_opts.
>
>You will probably want to use CATALINA_OPTS instead of any of the other ones. 
>JAVA_TOOL_OPTS isn't an environment variable recognized by Tomcat. You 
>certainly don't want to use JAVA_OPTS, because Tomcat uses JAVA_OPTS any time 
>it invokes a JVM. For example, running bind/digest.sh doesn't need to have the 
>JMX subsystem starting-up and trying to grab a port.
>
>JAVA_TOOL_OPTS is an environment variable used by JVM-launching processes, 
>like jps for example...
>
>> Yeah, they are reflecting and creating a Java process.
>> But I am facing a problem here while I am checking JSP: the port 
>> I am using here to enable JMX is opening a process with the mentioned 
>> port and at the same time shows the port is being used:
>> 
>> root@lab1workflow4scalsvc2zus1-deployment-577d856494-ftb22:/# jps
>> Picked up JAVA_TOOL_OPTIONS: -Xms2048M -Xmx10240M 
>> -XX:+UseStringDeduplication -XX:+UseContainerSupport 
>> -Dcom.sun.management.jmxremote 
>> -Dcom.sun.management.jmxremote.authenticate=false 
>> -Dcom.sun.management.jmxremote.ssl=false 
>> -Dcom.sun.management.jmxremote.local.only=false 
>> -Dcom.sun.management.jmxremote.port=49151 
>> -Djava.rmi.server.hostname=tomcat.default.svc.cluster.local 
>> -javaagent:/datadog-lib/dd-java-agent.jar 
>> -XX:OnError=/datadog-lib/continuousprofiler/tmp/dd_crash_uploader.sh 
>> -XX:ErrorFile=/datadog-lib/continuousprofiler/tmp/hs_err_pid_%p.log
>> Error: Exception thrown by the agent : java.rmi.server.ExportException: Port 
>> already in use: 49151; nested exception is:
>>  java.net.BindException: Address already in use (Bind failed)
>
>Yes: you have set JAVA_TOOL_OPTS and then run jps. jps is trying to bind to 
>your port which is already bound by your Tomcat process.
>
>The solution is to use only CATALINA_OPTS to set these options.
>
>-chris
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-- 
Sent from my Android device with K-9 Mail.
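
Added example (not part of the thread, and not Tomcat or Datadog code): a small Python audit of JVM option variables for the two problems visible in the quoted jps output, a fixed JMX port placed in a variable that every JVM inherits, and a remote JMX connector with authentication and TLS switched off. The option string is copied from the output above (trimmed); the finding names and the password-file path are made up for the example.

```python
import shlex

# Which JVMs read each variable (per the thread and the jps output above):
#   CATALINA_OPTS      -> only the Tomcat server JVM
#   JAVA_OPTS          -> every JVM that Tomcat's scripts launch
#   JAVA_TOOL_OPTIONS  -> every JVM started in that environment, jps included
INHERITED_BY_OTHER_JVMS = {"JAVA_OPTS", "JAVA_TOOL_OPTIONS"}
PREFIX = "com.sun.management.jmxremote"

# Option string from the jps output in the thread (agent and -XX flags trimmed).
AS_POSTED = {
    "JAVA_TOOL_OPTIONS": (
        "-Xms2048M -Xmx10240M -Dcom.sun.management.jmxremote "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false "
        "-Dcom.sun.management.jmxremote.local.only=false "
        "-Dcom.sun.management.jmxremote.port=49151 "
        "-Djava.rmi.server.hostname=tomcat.default.svc.cluster.local"
    )
}

# Same options moved to CATALINA_OPTS, as advised in the thread.
MOVED_TO_CATALINA_OPTS = {"CATALINA_OPTS": AS_POSTED["JAVA_TOOL_OPTIONS"]}

# Constructed hardened variant; the password file path is a placeholder.
HARDENED = {
    "CATALINA_OPTS": (
        "-Dcom.sun.management.jmxremote.port=49151 "
        "-Dcom.sun.management.jmxremote.authenticate=true "
        "-Dcom.sun.management.jmxremote.ssl=true "
        "-Dcom.sun.management.jmxremote.password.file=/path/placeholder/jmxremote.password"
    )
}


def jvm_properties(option_string):
    """Return {name: value} for each -Dname=value token in a JVM option string."""
    props = {}
    for token in shlex.split(option_string):
        if token.startswith("-D"):
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props


def audit_jmx(env):
    """Return sorted (variable, finding) pairs for an environment mapping."""
    findings = []
    for var, option_string in env.items():
        props = jvm_properties(option_string)
        if props.get(PREFIX + ".port") is None:
            continue  # no remote JMX connector requested through this variable
        if var in INHERITED_BY_OTHER_JVMS:
            # A second JVM (jps, a helper script) will try to bind the same port.
            findings.append((var, "fixed-port-inherited-by-every-jvm"))
        # Both settings default to true in the JDK; only an explicit false disables them.
        if props.get(PREFIX + ".authenticate", "true").lower() == "false":
            findings.append((var, "remote-jmx-without-authentication"))
        if props.get(PREFIX + ".ssl", "true").lower() == "false":
            findings.append((var, "remote-jmx-without-tls"))
    return sorted(findings)


if __name__ == "__main__":
    for label, env in (("as posted", AS_POSTED),
                       ("moved to CATALINA_OPTS", MOVED_TO_CATALINA_OPTS),
                       ("hardened", HARDENED)):
        print(label, audit_jmx(env))
```

Moving the options to CATALINA_OPTS removes the port clash with jps, but the connector itself stays unauthenticated and unencrypted until those two properties are changed.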

Re: Updated Tomcat from 6.0.13 to 9.0.73 on IBMi, now the submitting job stays active.

2023-04-17 Thread Thomas Meyer
Hi,

What arguments do you give to catalina.sh?


On 17 April 2023 13:08:43 CEST, "j...@nosnow.us" wrote:
>Not a system job.  
>The submitting job is the qshell command interpreter and we should be able to 
>do the submit and exit.   But haven't got it to work yet. 
> 
>I was reviewing the catalina.sh file to see if there was anything preventing 
>the job from exiting as it does in the earlier version. 
>
>
>
>> On Apr 15, 2023, at 8:57 AM, Greg Huber  wrote:
>> 
>> Back in the day, you could look at the job to see what the processes are.
>> One may be a system job?
>> 
>>> On Fri, 14 Apr 2023 at 20:50, j...@nosnow.us  wrote:
>>> 
>>> Hello,
>>> 
>>> Our start process is a simple command that will submit a batch job that
>>> will use the qshell command to run the startup.sh script.
>>> 
>>> In version 6.0.13 this would leave 1 job running, QP0ZSPWT, running the
>>> application.
>>> In version 9.0.73 we have 2 jobs now running, QP0ZSPWT and the submitting
>>> job with the qshell commands.
>>> 
>>> We have both versions running on IBM i V7R3 systems. So that rules out
>>> qshell issues.
>>> 
>>> I am hoping someone knows a way to get the submitting job to end, without
>>> ending the application.
>>> Does anyone have any experience with this type of issue?
>>> 
>>> Thank you!
>>> Jean
>>> 
>
>

Re: Tomcat 9.0.73 - Exception while accessing application

2023-04-12 Thread Thomas Meyer
Hi,

Do you use newrelic java agent?

Regards
Thomas


On 12 April 2023 21:07:27 CEST, jonmcalexan...@wellsfargo.com.INVALID wrote:
>I have an application team that started receiving the following Exception:
>
>11-Apr-2023 09:26:01.396 SEVERE [https-jsse-nio-0.0.0.0-11510-exec-19] 
>org.apache.catalina.core.StandardHostValve.custom Exception Processing 
>ErrorPage[exceptionType=java.lang.Exception, location=/jsp/sendMessage.jsp]
>java.lang.NoSuchFieldError: EMPTY_CHAR_ARRAY
>   at org.apache.catalina.core.ApplicationContext.getRequestDispatcher(ApplicationContext.java:459)
>   at org.apache.catalina.core.ApplicationContextFacade.getRequestDispatcher(ApplicationContextFacade.java:215)
>   at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:343)
>   at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:302)
>
>It did NOT do this with 9.0.70.
>
>We know that it may be something that changed between 9.0.70 and 9.0.73, but 
>we don't know.
>
>So far searching the Google isn't giving us much information, so reaching out 
>to the experts.
>
>Thanks,
>
>Jon McAlexander
>


Re: Fail Tomcat if any of the contexts fails?

2023-03-29 Thread Thomas Meyer
Hi,

Running Tomcat as pid 1 in k8s pod without readiness probes.

Regards
Thomas

On 29 March 2023 10:11:50 CEST, Kevin Huntly wrote:
>So, I don't think there is - and I'm not sure of any servlet container that
>does this... what would be the case for it?
>
>On Wed, Mar 29, 2023, 04:04 Thomas Meyer  wrote:
>
>> Hi,
>>
>> Is it possible to shutdown/fail the Tomcat process if any of the deployed
>> context does fail?
>>
>> Regards
>> Thomas


Fail Tomcat if any of the contexts fails?

2023-03-29 Thread Thomas Meyer
Hi,

Is it possible to shutdown/fail the Tomcat process if any of the deployed 
context does fail?

Regards
Thomas

Re: Tomcat 9.0.72 and New Relic APM java agent issues

2023-03-17 Thread Thomas Meyer
Hi,

We may see something similar with tomcat 9.0.73 and jsp pages.

Need to test with newrelic app disabled. 

Did you already create a case with newrelic with this problem?

Regards
Thomas

On 13 March 2023 20:18:12 CET, "Roe, Jennifer L" wrote:
>We are using 9.0.73 Tomcat version and New Relic APM java agent 7.11.0, it 
>seems we are missing the injected New Relic script and the DOM looks much 
>different than in 9.0.71. Looks as though it's incorrectly escaping certain 
>html tags as if they're text (EG: changing < to "/")
>
>In our application login page is not fully displayed and we see the following 
>at the bottom:
>This field is required.", }, "j_password": { required: "This field is 
>required.", }, }, showErrors: function (errorMap, errorList) { var 
>numOfInvalids = this.numberOfInvalids(); if (numOfInvalids != 0) { 
>$("#loginErrorSummary").html("
>
>Version 9.0.72 is when this was first noticed, nothing seemed to change with 
>.73 and the New Relic version has remained the same 7.11.0.
>We have run a test with New Relic 8.01 agent with the same results
>
>System details:
>Ubuntu 20.04.5 LTS
>OpenJDK Runtime Environment Temurin-17.0.6+10
>
>Example of where it seems to be doing an incorrect escape on the html produced 
>from our .jsp
>
>Working page 9.0.71
>method="post" novalidate="novalidate">
>
>
>
>
>
>
>
>Not working 9.0.73
>method="post">
>"/
>
>
>Thanks
>
>
>Jennifer Roe
>
>


Re: Did something JSP related change between 9.0.71 and 9.0.73

2023-03-17 Thread Thomas Meyer
Hi,

It looks like some parts of this is missing:

JSP snippet:
[...]


[...]

Will render into

configBaseString" />

Looks like the :
>Hello,
>
>> -----Original Message-----
>> From: Thomas Meyer 
>> Sent: Friday, 17 March 2023 09:57
>> To: users@tomcat.apache.org
>> Subject: Did something JSP related change between 9.0.71 and 9.0.73
>> 
>> Hi,
>> 
>> One of our jsp pages did start to render incorrectly in 9.0.73.
>> The same page does render correctly in 9.0.71.
>> We never did use 9.0.72.
>> 
>> Any ideas?
>
>Can you provide a JSP snippet and how it rendered before and afterwards?
>
>Thanks! Thomas
>

Did something JSP related change between 9.0.71 and 9.0.73

2023-03-17 Thread Thomas Meyer
Hi,

One of our jsp pages did start to render incorrectly in 9.0.73.
The same page does render correctly in 9.0.71.
We never did use 9.0.72.

Any ideas?


Re: Tomcat JDBC CP: Exponential backoff?

2023-01-26 Thread Thomas Meyer



On 18 January 2023 23:20:29 CET, Christopher Schultz wrote:
>Thomas,
>
>On 1/17/23 13:33, Thomas Meyer wrote:
>> Does Tomcat's CP support exponential backoff in case DB is unavailable for 
>> some reason?
>> I didn't find anything in the documentation in this regards.
>
>I don't think it supports any such thing. What would be the purpose of 
>exponential back-off... don't you want to connect ASAP?

Hi,

Not really sure, but I think the idea is to protect the database from getting 
overloaded with requests once it's coming up again.

Sadly the description given in
https://cloud.google.com/sql/docs/postgres/manage-connections#backoff

Is very vague and I think won't really help much to mitigate above problem, if 
any.

I found this interesting article and test class that tries to demonstrate the 
resp. behavior of the situation:
https://github.com/brettwooldridge/HikariCP/wiki/Bad-Behavior:-Handling-Database-Down
https://github.com/brettwooldridge/HikariCP-benchmark/blob/master/src/test/java/com/zaxxer/hikari/benchmark/DbDownTest.java

There also seems to be a reply to the above benchmark from the vibur dbcp author, 
which has some interesting points:
https://github.com/brettwooldridge/HikariCP/issues/230

While investigating the reason of why exponential backoff would make sense I 
also did stumble across this article:
https://aws.amazon.com/de/blogs/architecture/exponential-backoff-and-jitter/

This article makes much more sense in my head, i.e. use exponential backoff with 
jitter to protect the restarting database from getting "flooded".

But HikariCP does only support plain exponential backoff and probably won't 
help much in above described situation, because once the database is starting 
to accept connections again, all HikariCP connections will probably align at 
the same time to start creating connections again.

>
>-chris
>
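
Added example, not part of the thread and not HikariCP or Tomcat code: a simulation of the point made above, that clients using plain exponential backoff all retry at the same instant once the database is back, while full jitter (as in the AWS article linked above) spreads them out. The base delay, cap, client count and outage length are constructed values.

```python
import random
from collections import Counter

BASE = 0.25  # first retry delay in seconds (constructed)
CAP = 8.0    # largest single delay in seconds (constructed)


def plain_delay(attempt, rng):
    """Plain exponential backoff: every client computes the same delay."""
    return min(CAP, BASE * 2 ** attempt)


def full_jitter_delay(attempt, rng):
    """Full jitter: a random delay between 0 and the exponential bound."""
    return rng.uniform(0.0, min(CAP, BASE * 2 ** attempt))


def first_attempt_after_recovery(delay_fn, clients, db_back_at, seed=1):
    """For each client, the time of its first connection attempt once the DB is back.

    All clients notice the outage at t=0 and keep retrying until an attempt
    falls at or after db_back_at, which is the first one that can succeed.
    """
    rng = random.Random(seed)  # seeded so the run is repeatable
    times = []
    for _ in range(clients):
        now, attempt = 0.0, 0
        while now < db_back_at:
            now += delay_fn(attempt, rng)
            attempt += 1
        times.append(now)
    return times


def peak_attempts(times, window=0.1):
    """Largest number of attempts that land in the same window-sized time slot."""
    slots = Counter(int(t / window) for t in times)
    return max(slots.values())


def compare(clients=200, db_back_at=20.0):
    """Run both strategies against the same outage and summarise the load shape."""
    plain = first_attempt_after_recovery(plain_delay, clients, db_back_at)
    jitter = first_attempt_after_recovery(full_jitter_delay, clients, db_back_at)
    return {
        "plain_distinct_times": len(set(plain)),
        "plain_peak": peak_attempts(plain),
        "jitter_peak": peak_attempts(jitter),
        "jitter_spread_seconds": round(max(jitter) - min(jitter), 2),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With plain backoff all 200 simulated clients land in one 100 ms slot; with full jitter the same clients are spread over several seconds.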



Re: Setting java.protocol.handler.pkgs for Tomcat

2023-01-20 Thread Thomas Meyer
The reason was class loader issues

On 20 January 2023 13:37:11 CET, Mark Thomas wrote:
>From memory, there is a reason the Tomcat handler has to be first. I forget 
>exactly why that is. I'd need to dig into this some more (and I have my hands 
>full working on the RFC 9128 implementation at the moment).
>
>In your case, it looks like a custom LifecycleListener would work. In terms of 
>changes to Tomcat, I'd lean more towards a Tomcat specific system property you 
>could use instead of java.protocol.handler.pkgs
>for Tomcat 8.5.x - 10.1.x with the whole lot being replaced by a ServiceLoader 
>in 11.0.x
>
>Mark
>
>
>On 20/01/2023 12:28, Dave Breeze wrote:
>> Thanks again Mark
>> I have no access to the source for the webapp.
>> what I was thinking was that if in catalina.sh the line:
>> 
>> JAVA_OPTS="$JAVA_OPTS
>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
>> 
>> was simply re-ordered to
>> 
>> JAVA_OPTS="-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>> $JAVA_OPTS "
>> 
>> then users could use JAVA_OPTS to set the value.
>> 
>> thanks
>> 
>> Dave Breeze
>> Linkedin:https://uk.linkedin.com/in/dabreeze
>> 
>> On Fri, 20 Jan 2023 at 12:17, Mark Thomas  wrote:
>>> 
>>> On 20/01/2023 11:18, Dave Breeze wrote:
>>>> Many thanks Mark for the answers - appreciated.
>>>> 
>>>> Just to be clear I am running 9.0.71 simply by invoking startup.sh
>>>> (currently testing). I am not running embedded. I am not too sure
>>>> therefore about the "Call
>>>> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)"
>>>> Could you please explain further
>>> 
>>> You'd need to call it from your application code (probably a
>>> ServletContextListener).
>>> 
>>> Alternatively, you could write a Tomcat level LifecycleListener to add
>>> it if the JAR with the handler is in $CATALINA_BASE/lib
>>> 
>>> Hmm. It looks like we can remove this in Tomcat 10 onwards and use the
>>> ServiceLoader mechanism. (OK, may need to deprecate this in 10 and
>>> remove it in Tomcat 11).
>>> 
>>> Mark
>>> 
>>> 
 
>>>> thanks again
>>>> Dave Breeze
>>>> Linkedin:https://uk.linkedin.com/in/dabreeze
>>>> 
>>>> 
>>>> On Fri, 20 Jan 2023 at 11:01, Mark Thomas wrote:
>>>>> 
>>>>> On 20/01/2023 09:53, Dave Breeze wrote:
>>>>>> Tomcat 9.0.71
>>>>>> 
>>>>>> I need to use a custom protocol handler. I set JAVA_OPTS to:
>>>>>> 
>>>>>> -Djava.protocol.handler.pkgs=com.ibm.crypto.provider
>>>>>> 
>>>>>> My JAVA_OPTS setting, however, is ignored. This is due to catalina.sh
>>>>>> containing
>>>>>> 
>>>>>> JAVA_OPTS="$JAVA_OPTS
>>>>>> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources"
>>>>>> 
>>>>>> The result of catalina.sh is that the jvm has
>>>>>> 2  -Djava.protocol.handler.pkgs settings - first  the custom protocol
>>>>>> then org.apache.catalina.webresources. The net result being that Tomcat is
>>>>>> started with -Djava.protocol.handler.pkgs=org.apache.catalina.webresources.
>>>>>> 
>>>>>> 
>>>>>>   1. What is the best way of setting java.protocol.handler.pkgs other than
>>>>>>   modifying catalina.sh
>>>>> 
>>>>> Call
>>>>> org.apache.catalina.webresources.TomcatURLStreamHandlerFactory#addUserFactory(URLStreamHandlerFactory)
>>>>> 
>>>>> to add your custom handler.
>>>>> 
>>>>>>   2. do i need to set java.protocol.handler.pkgs to just my custom handler
>>>>>>   or should it be set to a concatenation of
>>>>>>   custom + org.apache.catalina.webresources
>>>>> 
>>>>> If you do it that way, it needs to be both.
>>>>> 
>>>>>>   3. if a concatenation of handlers is required what is the syntax
>>>>> 
>>>>> | delimited
>>>>> 
>>>>> Mark
>>>>> 

Tomcat JDBC CP: Exponential backoff?

2023-01-17 Thread Thomas Meyer
Hi,

Does Tomcat's CP support exponential backoff in case DB is unavailable for some 
reason?
I didn't find anything in the documentation in this regards.

Regards
Thomas

RE: Getting error on Tomcat Start

2022-08-17 Thread Thomas Meyer
Hi,


Sadly this still does not contain the stacktrace which shows why your servlet 
crashes, probably some missing bean in spring framework.

All below stacktraces seem to come from AppDynamics java agents which try to 
load classes from the webapp class loader after your webapp was already stopped. 
This is probably a bug in AppDynamics java agents.

Anyway this very much looks like an application problem and not a Tomcat 
problem.

Regards
Thomas 

On 17 August 2022 10:48:17 CEST, Mohan T wrote:
>Dear Thomas,
>
>See below the full stack
>
>-Aug-2022 21:43:35.731 INFO [main] org.apache.coyote.AbstractProtocol.start 
>Starting ProtocolHandler ["https-jsse-nio2-169.21.198.159-8082"]
>16-Aug-2022 21:43:35.733 INFO [main] 
>org.apache.catalina.startup.Catalina.start Server startup in 182478 ms
>16-Aug-2022 21:43:44.725 INFO [AD Thread Pool-Global1] 
>org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading 
>Illegal access: this web application instance has been stopped already. Could 
>not load [org.springframework.context.ApplicationContextInitializer]. The 
>following stack trace is thrown for debugging purposes as well as to attempt 
>to terminate the thread which caused the illegal access.
> java.lang.IllegalStateException: Illegal access: this web application 
> instance has been stopped already. Could not load 
> [org.springframework.context.ApplicationContextInitializer]. The following 
> stack trace is thrown for debugging purposes as well as to attempt to 
> terminate the thread which caused the illegal access.
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1348)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1336)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1195)
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1156)
>at java.lang.Class.getDeclaredMethods0(Native Method)
>at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
>at java.lang.Class.getDeclaredMethods(Class.java:1975)
>at 
> com.singularity.ee.agent.appagent.services.retransformation.BCIFixerService.isCandidateForRetransform(BCIFixerService.java:460)
>at 
> com.singularity.ee.agent.appagent.services.retransformation.BCIFixerService.access$900(BCIFixerService.java:94)
>at 
> com.singularity.ee.agent.appagent.services.retransformation.BCIFixerService$BCIBatchRunner.processRetransformationBatch(BCIFixerService.java:856)
>at 
> com.singularity.ee.agent.appagent.services.retransformation.BCIFixerService$BCIBatchRunner.run(BCIFixerService.java:746)
>at 
> com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122)
>at 
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694)
>at 
> com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726)
>at java.lang.Thread.run(Unknown Source)
>
>16-Aug-2022 21:43:44.727 INFO [AD Thread Pool-Global1] 
>org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading 
>Illegal access: this web application instance has been stopped already. Could 
>not load [org.springframework.beans.BeanWrapper]. The following stack trace is 
>thrown for debugging purposes as well as to attempt to terminate the thread 
>which caused the illegal access.
> java.lang.IllegalStateException: Illegal access: this web application 
> instance has been stopped already. Could not load 
> [org.springframework.beans.BeanWrapper]. The following stack trace is thrown 
> for debugging purposes as well as to attempt to terminate the thread which 
> caused the illegal access.
>at 
> org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1348)
>at 
> 

Re: Tomcat 9.0.65 Clustering in Azure Kubernetes Service (AKS)

2022-08-16 Thread Thomas Meyer



On 15 August 2022 03:47:18 CEST, Chew Kok Hoor wrote:
>Hi Thomas,

Hi,

>Thanks for pointing me to another option which is the
>DNSMembershipService.
>
>Hope you can help to clarify two things in the dns-membership-service.yml:
>
>1. For spec.port, is port  mandatory? Or can it be any other number? I
>checked the source code for DNSMembershipService.java and can't find
>reference to the port number in it.

I think the port number is mandatory in k8s manifest, and is not used in tomcat 
DNS membership service.
So any valid tcp port number will do.

>2. For spec.selector.app, is this the name to my tomcat app name (
>metadata.labels.app) ?
Yes, the selector must match your pods label, to pick up all pods that will 
belong to your tomcat cluster.

>
>Thanks.
>
>Regards,
>Kok Hoor
>
>
>
>On Sun, 14 Aug 2022 at 17:01, Thomas Meyer  wrote:
>
>> Hi,
>>
>> Two remarks from my side:
>> 1. CloudMembershipService is not so usable, and seems to originally target
>> OpenShift. To make it work you need to create ServiceAccount and give read
>> permission for listing all pods in namespace. This seems to be missing in
>> your case. It also has some assumptions about namespaces and naming of k8s
>> manifests/objects.
>>
>> 2. DNSMembershipService is much easier to use, I suggest you to have a
>> look at this instead:
>> https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/tribes/membership/cloud/DNSMembershipProvider.html
>> For this Membership Provider you only need to add headless Service
>> manifest, I.e. ClusterIP: none.
>>
>> Regards
>> Thomas
>>
>> On 14 August 2022 09:52:52 CEST, Chew Kok Hoor wrote:
>>>
>>> Hi,
>>>
>>> I am trying to setup Tomcat clustering running in AKS, however the
>>> standard settings don't seem to work.
>>>
>>> As per the documentation I have setup following Cluster configuration in
>>> server.xml inside my  tag:
>>>  
>>>>> className="org.apache.catalina.tribes.group.GroupChannel">
>>>  >> className="org.apache.catalina.tribes.membership.cloud.CloudMembershipService"/>
>>>
>>>  
>>>
>>> But I received a 'Failed connection to
>>> https://10.0.0.1:443/api/v1/namespaces/tomcat/pods' error. Is there any way
>>> to resolve this?
>>>
>>> Error message:
>>>
>>> INFO: Cluster is about to start
>>> Aug 14, 2022 3:44:26 PM org.apache.catalina.tribes.transport.ReceiverBase
>>> bind
>>> INFO: Receiver Server Socket bound to:[/10.240.0.76:4000]
>>> Aug 14, 2022 3:44:26 PM
>>> org.apache.catalina.tribes.membership.cloud.CloudMembershipProvider
>>> getNamespace
>>> WARNING: Namespace not set
>>> Aug 14, 2022 3:44:26 PM
>>> org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider
>>> fetchMembers
>>> SEVERE: Failed to open stream
>>> java.io.IOException: Failed connection to [
>>> https://10.0.0.1:443/api/v1/namespaces/tomcat/pods] with token
>>> [--redacted--]
>>> at
>>> org.apache.catalina.tribes.membership.cloud.TokenStreamProvider.openStream(TokenStreamProvider.java:56)
>>> at
>>> org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider.fetchMembers(KubernetesMembershipProvider.java:136)
>>> at
>>> org.apache.catalina.tribes.membership.cloud.CloudMembershipProvider.heartbeat(CloudMembershipProvider.java:127)
>>> at
>>> org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider.start(KubernetesMembershipProvider.java:116)
>>> at
>>> org.apache.catalina.tribes.membership.cloud.CloudMembershipService.start(CloudMembershipService.java:152)
>>> at
>>> org.apache.catalina.tribes.group.ChannelCoordinator.internalStart(ChannelCoordinator.java:192)
>>> at
>>> org.apache.catalina.tribes.group.ChannelCoordinator.start(ChannelCoordinator.java:106)
>>> at
>>> org.apache.catalina.tribes.group.ChannelInterceptorBase.start(ChannelInterceptorBase.java:190)
>>> at
>&g

Re: Tomcat 9.0.65 Clustering in Azure Kubernetes Service (AKS)

2022-08-14 Thread Thomas Meyer
Hi,

Two remarks from my side:
1. CloudMembershipService is not so usable, and seems to originally target 
OpenShift. To make it work you need to create ServiceAccount and give read 
permission for listing all pods in namespace. This seems to be missing in your 
case. It also has some assumptions about namespaces and naming of k8s 
manifests/objects.

2. DNSMembershipService is much easier to use, I suggest you to have a look at 
this instead: 
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/tribes/membership/cloud/DNSMembershipProvider.html
For this Membership Provider you only need to add headless Service manifest, 
I.e. ClusterIP: none.

Regards
Thomas

On 14 August 2022 09:52:52 CEST, Chew Kok Hoor wrote:
>Hi,
>
>I am trying to setup Tomcat clustering running in AKS, however the
>standard settings don't seem to work.
>
>As per the documentation I have setup following Cluster configuration in
>server.xml inside my  tag:
> 
>   className="org.apache.catalina.tribes.group.GroupChannel">
> className="org.apache.catalina.tribes.membership.cloud.CloudMembershipService"/>
>   
> 
>
>But I received a 'Failed connection to
>https://10.0.0.1:443/api/v1/namespaces/tomcat/pods' error. Is there any way
>to resolve this?
>
>Error message:
>
>INFO: Cluster is about to start
>Aug 14, 2022 3:44:26 PM org.apache.catalina.tribes.transport.ReceiverBase
>bind
>INFO: Receiver Server Socket bound to:[/10.240.0.76:4000]
>Aug 14, 2022 3:44:26 PM
>org.apache.catalina.tribes.membership.cloud.CloudMembershipProvider
>getNamespace
>WARNING: Namespace not set
>Aug 14, 2022 3:44:26 PM
>org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider
>fetchMembers
>SEVERE: Failed to open stream
>java.io.IOException: Failed connection to [
>https://10.0.0.1:443/api/v1/namespaces/tomcat/pods] with token
>[--redacted--]
>at
>org.apache.catalina.tribes.membership.cloud.TokenStreamProvider.openStream(TokenStreamProvider.java:56)
>at
>org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider.fetchMembers(KubernetesMembershipProvider.java:136)
>at
>org.apache.catalina.tribes.membership.cloud.CloudMembershipProvider.heartbeat(CloudMembershipProvider.java:127)
>at
>org.apache.catalina.tribes.membership.cloud.KubernetesMembershipProvider.start(KubernetesMembershipProvider.java:116)
>at
>org.apache.catalina.tribes.membership.cloud.CloudMembershipService.start(CloudMembershipService.java:152)
>at
>org.apache.catalina.tribes.group.ChannelCoordinator.internalStart(ChannelCoordinator.java:192)
>at
>org.apache.catalina.tribes.group.ChannelCoordinator.start(ChannelCoordinator.java:106)
>at
>org.apache.catalina.tribes.group.ChannelInterceptorBase.start(ChannelInterceptorBase.java:190)
>at
>org.apache.catalina.tribes.group.ChannelInterceptorBase.start(ChannelInterceptorBase.java:190)
>at
>org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.start(MessageDispatchInterceptor.java:224)
>at
>org.apache.catalina.tribes.group.ChannelInterceptorBase.start(ChannelInterceptorBase.java:190)
>at
>org.apache.catalina.tribes.group.GroupChannel.start(GroupChannel.java:504)
>at
>org.apache.catalina.ha.tcp.SimpleTcpCluster.startInternal(SimpleTcpCluster.java:564)
>at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at
>org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:908)
>at
>org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:835)
>at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at
>org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1396)
>at
>org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1386)
>at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
>at
>org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
>at
>java.base/java.util.concurrent.AbstractExecutorService.submit(Unknown
>Source)
>at
>org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:919)
>at
>org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:265)
>at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at
>org.apache.catalina.core.StandardService.startInternal(StandardService.java:432)
>at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at
>org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
>at
>org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
>at
>java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>Method)
>at

Tomcat in distroless image

2022-06-30 Thread Thomas Meyer
Hi,

Sadly, Tomcat startup currently relies on a shell script to bootstrap the JVM process.

In the light of distroless images (e.g. 
https://blog.chainguard.dev/introducing-apko-bringing-distroless-nirvana-to-alpine-linux/)
what are your thoughts on packaging Tomcat in distroless base OCI images that 
don't even contain any shell anymore?

Would it be possible to provide an alternative start mechanism which directly 
starts the JVM process which sets up/prepares the env like the current catalina.sh shell 
script does?

What are your thoughts on above topic?

Regards
Thomas

Per context heap usage

2022-05-17 Thread Thomas Meyer
Hi,

Is it possible to find out the per deployed context heap usage in tomcat?

Regards
Thomas

Re: CVE-2021-44228 Log4j 2 Vulnerability -- How does this affect Tomcat?

2021-12-13 Thread Thomas Meyer
Hi,

Interesting. I know, a bit off topic...

Does it make a difference for the vulnerability if I log with:

a) log.warn("log msg param {}", userControlledParam);

Or

b) log.warn("log msg param " + userControlledParam);

Kind regards
Thomas

On 13 December 2021 19:53:04 CET, Mark Thomas wrote:
>On 13/12/2021 18:31, James H. H. Lampert wrote:
>> The thing I'm still utterly unclear about is how simply logging traffic 
>> could, by itself, create a vulnerability.
>> 
>> In our case, the log entries are not even viewable unless you are signed 
>> on to a command line session on the server (ssh for headless Linux; a 
>> physical Twinax terminal, or a 5250 emulator of some sort, for IBM 
>> Midrange).
>> 
>> How can a log entry be executed as a command, anyway?
>
>Log4j2 supports a log message format syntax that includes JNDI lookups.
>
>Log4j2 processes log messages repeatedly until it doesn't find any more 
>format strings. This means the output of one format string can insert a 
>new format string.
>
>So, if the application is logging some user provided string verbatim 
>then the user can do the following:
>- provide input that includes the log4j2 format string for a JNDI lookup
>- on the first iteration log4j2 builds the log message that includes
>   the user provided string
>- on the second iteration log4j processes the user provided format
>   string and performs a JNDI lookup
>
>For an example of how a JNDI lookup can be leveraged to trigger code 
>execution in Tomcat see this article:
>https://www.veracode.com/blog/research/exploiting-jndi-injections-java
>
>That isn't the only way to use JNDI to trigger code execution and I am 
>sure security researchers will find a bunch of new ways as a result of 
>this vulnerability.
>
>HTH,
>
>Mark
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>

-- 
This message was sent from my Android device with K-9 Mail.
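
The two call styles asked about above, run through a simplified model of the processing Mark describes (the message text is built first, then scanned repeatedly for lookups). This is an added example, not Log4j source and not code from the thread; the `demo:` lookup prefix, its resolver map and all class and method names are hypothetical, chosen so that nothing leaves the process.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Simplified model (NOT Log4j source) of the two steps described in the reply:
 *   1. build the message text from the format string and its arguments
 *   2. scan the built text for ${prefix:key} lookups, repeating until none remain
 */
public class LookupModel {

    // Innermost ${prefix:key} token; a hypothetical syntax subset for this model.
    private static final Pattern LOOKUP = Pattern.compile("\\$\\{([a-z]+):([^${}]*)\\}");

    // Constructed, harmless resolver standing in for the logger's real lookups.
    private static final Map<String, String> DEMO_VALUES = new LinkedHashMap<>();
    static {
        DEMO_VALUES.put("inner", "${demo:secret}"); // a lookup whose output is another lookup
        DEMO_VALUES.put("secret", "RESOLVED-BY-LOGGER");
    }

    /** Step 1 for style a): replace each "{}" with the next argument, left to right. */
    static String formatParameterized(String pattern, Object... args) {
        StringBuilder out = new StringBuilder();
        int from = 0;
        int argIndex = 0;
        int at;
        while ((at = pattern.indexOf("{}", from)) >= 0 && argIndex < args.length) {
            out.append(pattern, from, at).append(args[argIndex++]);
            from = at + 2;
        }
        return out.append(pattern.substring(from)).toString();
    }

    /** Step 2: expand lookups in the already-built text until nothing changes (bounded). */
    static String expandLookups(String text, boolean lookupsEnabled) {
        if (!lookupsEnabled) {
            return text; // mitigation modelled: the message text is treated as data only
        }
        for (int pass = 0; pass < 10; pass++) {
            Matcher m = LOOKUP.matcher(text);
            StringBuffer sb = new StringBuffer();
            boolean changed = false;
            while (m.find()) {
                String value = "demo".equals(m.group(1)) ? DEMO_VALUES.get(m.group(2)) : null;
                if (value != null) {
                    changed = true;
                }
                // Unknown lookups are left in place unchanged.
                m.appendReplacement(sb, Matcher.quoteReplacement(value != null ? value : m.group()));
            }
            m.appendTail(sb);
            text = sb.toString();
            if (!changed) {
                break;
            }
        }
        return text;
    }

    public static void main(String[] args) {
        String userControlledParam = "${demo:inner}"; // constructed sample input

        String a = formatParameterized("log msg param {}", userControlledParam); // style a)
        String b = "log msg param " + userControlledParam;                         // style b)

        System.out.println("built text identical: " + a.equals(b));
        System.out.println("a) lookups on : " + expandLookups(a, true));
        System.out.println("b) lookups on : " + expandLookups(b, true));
        System.out.println("a) lookups off: " + expandLookups(a, false));
    }
}
```

In this model both styles produce the same built text before the lookup pass runs, so the pass sees the user-controlled value either way; only switching the lookup pass off changes the result.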

Re: [OT?] caching DB items in startup listener

2021-04-08 Thread Thomas Meyer
Hi,

What happens when the DB has problems when the webapp starts? Will the startup 
fail then?

I think doing lazy init is the better approach, when db comes back it will work 
again after the webapp did start.

Kind regards
Thomas

On 8 April 2021 13:54:46 CEST, "Berneburg, Cris J. - US" wrote:
>Hi Folks
>
>I'm working on an old legacy app and noticed something.  It caches a
>bunch of info (lookup table data) from the database using a
>ServletContextListener.  I think opening DB connections in a listener
>is reasonable.  While there is no business logic in the listener, I'm
>not sure doing a bunch of DB heavy-lifting operations in a context
>listener is a "good thing", although I don't really have a concrete
>reason why.  Perhaps I'm just being fussy.
>
>Anyway, in your opinion:
>
>1.  Is performing DB heavy-lifting operations in ServletContextListener
>a "reasonable" practice?
>2.  Is there a "better" way of caching said items at application
>startup?
>
>Thanks for your time and consideration.  :-)
>
>--
>Cris Berneburg
>CACI Senior Software Engineer

AccessLog implementation via logging subsystem?

2021-01-20 Thread Thomas Meyer
Hi,

as far as I can see there seems to be no AccessLog interface implementation 
that is using the standard tomcat logging subsystem.
Is there a reason for this?
I have a use case where I want to forward access log to splunk via http event
collector endpoint.
The idea is to log access log via tomcat logging and configure tomcat logging 
to use HttpEventCollectorLog4jAppender to forward all access logs to splunk.

Kind regards
thomas




Re: Weirdest Tomcat Behavior Ever?

2020-11-13 Thread Thomas Meyer



On 13 November 2020 10:06:18 CET, Mark Thomas wrote:
>On 12/11/2020 14:19, Eric Robinson wrote:
>>> From: Mark Thomas 
>
>
>
>>> I keep coming back to this. Something triggered this problem (note that
>>> trigger not necessarily the same as root cause). Given that the app, Tomcat
>>> and JVM versions didn't change that again points to some other component.
>>>
>>
>> Perfectly understandable. It's the oldest question in the diagnostic
>> playbook. What changed? I wish I had an answer. Whatever it was, it
>> impacted both upstream servers.
>>
>>> Picking just one of the wild ideas I've had is there some sort of firewall, IDS,
>>> IPS etc. that might be doing connection tracking and is, for some reason,
>>> getting it wrong and closing the connection in error?
>>>
>>
>> There is no firewall or IDS software running on the upstreams. The
>> only thing that comes to mind that may have been installed during that
>> timeframe is Sophos antivirus and Solar Winds RMM. Sophos was the first
>> thing I disabled when I saw the packet issues.
>
>ACK.
>
>>> The aim with this logging is to provide evidence of whether or not
>>> there is a file descriptor handling problem in the JRE. My
>>> expectation is that with these logs we will have reached the limit of
>>> what we can do with Tomcat but will be able to point you in the right
>>> direction for further investigation.
>
>I've had a chance to review these logs.
>
>To answer your (offlist) question about the HTTP/1.1 vs. HTTP/1.0 in the
>Nginx logs I *think* the Nginx logs are showing that the request
>received by Nginx is using HTTP/1.1.
>
>The logging does not indicate any issue with Java's handling of file
>descriptors. The file descriptor associated with the socket where the
>request fails is only observed to be associated with the socket where
>the request fails. There is no indication that the file descriptor is
>corrupted nor is there any indication that another thread tries to use
>the same file descriptor.
>
>I dug a little into the exception where the write fails:
>
>java.net.SocketException: Bad file descriptor (Write failed)
>   at java.net.SocketOutputStream.socketWrite0(Native Method)
>   at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
>   at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
>   at org.apache.tomcat.util.net.JIoEndpoint$DebugOutputStream.write(JIoEndpoint.java:1491)
>   at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:247)
>   at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:480)
>   at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:183)
>...
>
>
>I took a look at the JRE source code. That exception is triggered by an
>OS level error (9, EBADF, "Bad file descriptor") when the JRE makes the
>OS call to write to the socket.
>
>Everything I have found online points to one of two causes for such an
>error:
>a) the socket has already been closed
>b) the OS has run out of file descriptors

Was it mentioned what OS is used? What Linux kernel version?
Are any security modules like SELinux or similar in use?
It's maybe possible that a tracepoint exists that can be activated to get a
better understanding of when the OS closes the socket.

>
>There is no indication that the JRE or Tomcat or the application is
>doing a)
>Previous investigations have ruled out b)
>
>The wireshark trace indicates that the socket is closed before the write
>takes place which suggests a) rather more than b). Even so, I'd be
>tempted to double check b) and maybe try running Tomcat with
>-XX:+MaxFDLimit just to be sure.
>
>If you haven't already, I think now is the time to follow Paul
>Carter-Brown's advice from earlier in this thread and use strace to see
>what is going on between the JRE and the OS. The aim being to answer the
>question "what is triggering the socket close"
>
>I can try and help interpret that log but I am far from an expert. You
>may want to seek help elsewhere.
>
>Mark
>



Re: RFC7807 ErrorReportValve

2020-07-06 Thread Thomas Meyer
On 5 July 2020 11:28:40 CEST, Michael Osipov wrote:
>On 2020-07-02 at 21:30, Thomas Meyer wrote:
>> Hi,
>> 
>> What are your opinions on providing a RFC7807 based ErrorReportValve
>> as part of Tomcat default distribution?
>
>Thomas, this has been bugging me for a while. Let me share some thoughts
>on this, I'll limit my experiences with Tomcat, Spring Web and Zalando
>Problem (including its web module):
>
>Mark, please correct me if my citation of the Servlet API is wrong.
>
>* The Servlet API has been designed where the only clients were browsers
>* The Servlet API mandates that all invocations of
>  HttpServletResponse#setError() must yield in a HTML page and this
>  *cannot* be changed by default
>* Even if you write a REST API or explicitly use @RestController Spring
>  will still invoke #setError() although it makes no sense. I consider
>  this to be a conceptual flaw in the Spring framework.
>
>Before we continue which issue do you want to solve? Tomcat produced
>errors or by a framework?

It's about Tomcat-produced errors:

There are multiple webapps deployed to Tomcat all under non-root context path.

Some webapps use the Spring framework; for these webapps a CustomErrorController
is installed so a JSON response in a given JSON layout is always sent.

Some webapps are pure servlet based; here an error-page entry in web.xml and an
ErrorServlet are used to also have the same JSON layout as above for all
possible errors.

But because of some race condition in deployment scripts for multi node setup,
some class files weren't copied correctly, and the Tomcat ErrorReportValve was
triggered with a NoClassDef error.

So much for the context.

I guess I'll write a JsonErrorReportValve and install it in lib/ so deployment
will always respond with the same JSON layout in all circumstances, e.g. failed
deployment or access to an unknown context path.

>As for the framework, I would prefer to file
>an issue with Spring Framework first and see what the devs say because
>this would solely solve a symptom.
>
>Michael
>
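
A sketch of the valve described in the message above, as an added example (not the poster's code and not part of the Tomcat distribution): it overrides `ErrorReportValve.report()` so container-level errors are answered with an RFC 7807 `application/problem+json` body built only from constants, which keeps exception text and request data out of the response. The package and class names and the `urn:uuid` incident id are assumptions; it compiles against Tomcat's catalina.jar.

```java
package com.example.valves; // hypothetical package name

import java.io.IOException;
import java.io.Writer;
import java.util.UUID;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;

/**
 * Answers errors that reach the container (failed deployment, unknown context
 * path, uncaught exception) with a JSON problem document instead of HTML.
 *
 * Assumed deployment: the JAR sits in $CATALINA_BASE/lib and the Host element
 * in server.xml names this class in its errorReportValveClass attribute.
 */
public class ProblemJsonErrorReportValve extends ErrorReportValve {

    @Override
    protected void report(Request request, Response response, Throwable throwable) {
        int status = response.getStatus();

        // Same guards as the stock valve: only 4xx/5xx, nothing written yet,
        // and the error not already reported.
        if (status < 400 || response.getContentWritten() > 0 || !response.setErrorReported()) {
            return;
        }

        // The incident id links the client-visible document to the server log,
        // so the stack trace stays in the log and never goes over the wire.
        String incident = UUID.randomUUID().toString();
        if (throwable != null) {
            getContainer().getLogger().error("Unhandled error, incident " + incident, throwable);
        }

        // Every value is a constant, a number or a UUID, so no JSON escaping
        // is needed and no request-controlled text is echoed back.
        String body = "{\"type\":\"about:blank\""
                + ",\"title\":\"" + titleFor(status) + "\""
                + ",\"status\":" + status
                + ",\"instance\":\"urn:uuid:" + incident + "\"}";

        try {
            response.setContentType("application/problem+json");
            response.setCharacterEncoding("UTF-8");
            Writer writer = response.getReporter();
            if (writer != null) {
                writer.write(body);
                response.finishResponse();
            }
        } catch (IOException | IllegalStateException e) {
            // The response can no longer be written; nothing more to do.
        }
    }

    /** Reason phrase for the status codes this valve is most likely to see. */
    static String titleFor(int status) {
        switch (status) {
            case 400: return "Bad Request";
            case 401: return "Unauthorized";
            case 403: return "Forbidden";
            case 404: return "Not Found";
            case 405: return "Method Not Allowed";
            case 500: return "Internal Server Error";
            case 503: return "Service Unavailable";
            default:  return status >= 500 ? "Server Error" : "Client Error";
        }
    }
}
```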



Re: Add custom Authenticator in context.xml

2020-07-06 Thread Thomas Meyer
On 6 July 2020 14:14:59 CEST, Mark Thomas wrote:
>On 04/07/2020 19:54, Thomas Meyer wrote:
>> Hi,
>> 
>> a while ago I did write a little POC of how to add a custom
>> authenticator scheme to tomcat.
>>
>> this is what I did come up with:
>> https://github.com/thomasmey/BearerTokenAuthenticator
>>
>> It's a rather complicated solution!
>> Is there an easier solution to add a custom authenticator scheme
>> to a Context/context.xml?
>
>How about:
>
>1. Extract the Authenticators.properties file from catalina.jar
>   (or from source)
>2. Edit it to reference the custom Authenticator
>3. Place it at $CATALINA_BASE/lib/org/apache/catalina/startup
>4. Add the JAR with the custom authenticator to $CATALINA_BASE/lib
>
>which would make it generally available to use in WEB-INF/web.xml

Okay, understand! Nice trick.

>
>Or
>
>1. Add it directly to context.xml as:
>
>
>   className="de.m3y3r.catalina.authenticator.BearerTokenAuthenticator" />
>

Ah, okay an Authenticator is also a Valve, I didn't think about this!

I will play around with this setup a bit. thanks for the hint!

>
>which you would need to do for each app that wants to use it (or set it
>in the global web.xml for all apps).
>
>Mark
>



Add custom Authenticator in context.xml

2020-07-04 Thread Thomas Meyer
Hi,

a while ago I did write a little POC of how to add a custom
authenticator scheme to tomcat.

this is what I did come up with:
https://github.com/thomasmey/BearerTokenAuthenticator

It's a rather complicated solution!
Is there an easier solution to add a custom authenticator scheme to a
Context/context.xml?

Kind regards
thomas





Re: RFC7807 ErrorReportValve

2020-07-03 Thread Thomas Meyer
On 2 July 2020 21:45:53 CEST, Mark Thomas wrote:
>On 02/07/2020 20:30, Thomas Meyer wrote:
>> Hi,
>>
>> What are your opinions on providing a RFC7807 based ErrorReportValve
>> as part of Tomcat default distribution?
>
>RFC 7807 looks to be application specific so support for that RFC looks
>to be better handled at the application level.

Mhh, okay, sad to hear.

The basic idea was to provide an ErrorReportValve that always responds with a
JSON, given the use case that Tomcat is sometimes used purely as an HTTP JSON
based API server, aka. REST, this Valve would always return a JSON object and
not suddenly an HTML page if for any reason something goes horribly wrong.

It would be a nice-to-have for Tomcat to provide out-of-the-box support for
this use case.

But yes the format of the JSON is hard to define generally, above RFC was one
of the first search results :-)

Kind regards
Thomas





RFC7807 ErrorReportValve

2020-07-02 Thread Thomas Meyer
Hi,

What are your opinions on providing a RFC7807 based ErrorReportValve as part of 
Tomcat default distribution?

With kind regards
Thomas




Re: Tomcat session replication

2020-07-01 Thread Thomas Meyer
On 1 July 2020 12:21:46 CEST, Mark Thomas wrote:
>On 01/07/2020 11:19, Thomas Meyer wrote:
>> On 30 June 2020 11:07:36 CEST, Mark Thomas wrote:
>>> On 29/06/2020 21:41, Christopher Schultz wrote:
>>>> Mark,
>>>>
>>>> On 6/27/20 05:29, Mark Thomas wrote:
>>>>> On 27/06/2020 10:19, Thomas Meyer wrote:
>>>>>> Hi,
>>>>>>
>>>>>> A few questions regarding tomcat session replication:
>>>>
>>>>> load-balancing and session replication are two separate parts of
>>>>> an overall clustering solution.
>>>>
>>>>>> 1) is the jvmRoute attribute on Engine object necessary for
>>>>>> session replication to work correctly?
>>>>
>>>>> No, but if you don't use it it places a number of restrictions on
>>>>> the web application behaviour and on the configuration of session
>>>>> replication.
>>>>
>>>>> The limitations are: - you need to use the DeltaManager (which
>>>>> doesn't scale as well as the BackupManager); - any requests made by
>>>>> the client that depend on the session MUST be issued in series, not
>>>>> in parallel; and
>>>>
>>>> This is only true of requests that would modify the session-state in a
>>>> way that needed to be deterministic, right? A bunch of GET requests
>>>> that don't change the session ought to be okay in parallel (as long as
>>>> any prior state-changing requests have completed _ those changes
>>>> replicated).
>>>
>>> Yes.
>>> You don't want state changes in parallel on different nodes.
>>> Any request that depends on a previous change in state can't be issued
>>> until the state changing request has completed and the changes
>>> replicated.
>>>
>>>>> - the session Manager must be configured to update all the other
>>>>> nodes in the cluster BEFORE the current request returns to the
>>>>> client.
>>>>
>>>> Same (negative) caveat here, right?
>>>
>>> Yes.
>>>
>>> Essentially you want channelSendOptions="6".
>> 
>> Hi,
>> 
>> Yes I'm using that option. But it still gives an error, but I may now
>> have found some hints what's going wrong:
>>
>> When using Spring's ChangeSessionIdAuthStrategy it fails with unknown
>> CSRF token.
>>
>> It looks like the node fails to replicate, i.e. doesn't export, the
>> session data after a changeSessionId call.
>>
>> When using Spring's SessionFixationProtectionStrategy (which
>> basically creates a new session and copies all attributes to the new
>> session) it works correctly with Tomcat's session replication.
>>
>> So it looks like calling changeSessionId somehow fails to replicate
>> the new session state to the remote nodes.
>>
>> Looking at ManagerBase "session" attribute it's unclear if it
>> contains only "internal session IDs" or external session IDs which do
>> change.
>>
>> The ReplicationValve seems to call manager.findSession with the
>> internal ID.
>>
>> Maybe somewhere something mixes up internal and external session IDs
>> or forgets to update ManagerBase.session map.
>>
>> Opinions?
>
>Maybe this:
>https://bz.apache.org/bugzilla/show_bug.cgi?id=64560


Yes, that seems to be exactly the same problem!

And it's already fixed!

Thank you very much!

I'll update our tomcat version from 9.0.34 to the fixed version.

Regards
Thomas






Re: Tomcat session replication

2020-07-01 Thread Thomas Meyer
On 30 June 2020 11:07:36 CEST, Mark Thomas wrote:
>On 29/06/2020 21:41, Christopher Schultz wrote:
>> Mark,
>> 
>> On 6/27/20 05:29, Mark Thomas wrote:
>>> On 27/06/2020 10:19, Thomas Meyer wrote:
>>>> Hi,
>>>>
>>>> A few questions regarding tomcat session replication:
>> 
>>> load-balancing and session replication are two separate parts of
>>> an overall clustering solution.
>> 
>>>> 1) is the jvmRoute attribute on Engine object necessary for
>>>> session replication to work correctly?
>> 
>>> No, but if you don't use it it places a number of restrictions on
>>> the web application behaviour and on the configuration of session
>>> replication.
>> 
>>> The limitations are: - you need to use the DeltaManager (which
>>> doesn't scale as well as the BackupManager); - any requests made by
>>> the client that depend on the session MUST be issued in series, not
>>> in parallel; and
>> 
>> This is only true of requests that would modify the session-state in a
>> way that needed to be deterministic, right? A bunch of GET requests
>> that don't change the session ought to be okay in parallel (as long as
>> any prior state-changing requests have completed _ those changes
>> replicated).
>
>Yes.
>You don't want state changes in parallel on different nodes.
>Any request that depends on a previous change in state can't be issued
>until the state changing request has completed and the changes
>replicated.
>
>>> - the session Manager must be configured to update all the other
>>> nodes in the cluster BEFORE the current request returns to the
>>> client.
>> 
>> Same (negative) caveat here, right?
>
>Yes.
>
>Essentially you want channelSendOptions="6".

Hi,

Yes I'm using that option. But it still gives an error, but I may now have found
some hints what's going wrong:

When using Spring's ChangeSessionIdAuthStrategy it fails with unknown CSRF
token.

It looks like the node fails to replicate, i.e. doesn't export, the session
data after a changeSessionId call.

When using Spring's SessionFixationProtectionStrategy (which basically creates
a new session and copies all attributes to the new session) it works correctly
with Tomcat's session replication.

So it looks like calling changeSessionId somehow fails to replicate the new
session state to the remote nodes.

Looking at ManagerBase "session" attribute it's unclear if it contains only 
"internal session IDs" or external session IDs which do change.

The ReplicationValve seems to call manager.findSession with the internal ID.

Maybe somewhere something mixes up internal and external session IDs or forgets 
to update ManagerBase.session map.

Opinions?






Re: Small patch for mod_proxy_ajp

2020-06-29 Thread Thomas Meyer
On 29 June 2020 22:13:10 CEST, Christopher Schultz wrote:
>All,
>
>IMO mod_proxy_balancer is missing an important feature, and that's the
>ability to tell the back-end Tomcat node the current status of the
>worker.

Why would a tomcat Backend node want to have this information, what do you want 
to do?

Can you give an example please.

So when a node is disabled in mod proxy it won't receive any requests any more 
so how will this info reach the Backend Tomcat.

What is your goal?
>
>I've filed an enhancement in Bugzilla
>(https://bz.apache.org/bugzilla/show_bug.cgi?id=64338) for this and
>attached a small patch.
>
>I'd love for anyone who is interested in this to:
>
>1. Try the patch
>2. Try to get the status sent to Tomcat
>3. Vote for the patch (if it works!)
>4. Vote for back-port to 2.4.x branch
>
>Thanks!
>
>- -chris



Re: Tomcat session replication

2020-06-29 Thread Thomas Meyer
On 29 June 2020 22:54:12 CEST, Christopher Schultz wrote:
>
>Thomas,

Hi,

>
>On 6/27/20 05:52, Thomas Meyer wrote:
>> On 27 June 2020 11:29:03 CEST, Mark Thomas wrote:
>>> On 27/06/2020 10:19, Thomas Meyer wrote:
>>>> Hi,
>>>>
>>>> A few questions regarding tomcat session replication:
>>>
>>> load-balancing and session replication are two separate parts of
>>> an overall clustering solution.
>>>
>>>> 1) is the jvmRoute attribute on Engine object necessary for
>>>> session replication to work correctly?
>>>
>>> No, but if you don't use it it places a number of restrictions on
>>> the web application behaviour and on the configuration of
>>> session replication.
>>>
>>> The limitations are: - you need to use the DeltaManager (which
>>> doesn't scale as well as the BackupManager);
>>
>> Yes, I'm using default DeltaManager as I will only have two pods
>> running Tomcat.
>>
>>> - any requests made by the client that depend on the session MUST
>>> be issued in series, not in parallel; and
>>
>> Not sure about this one, the app uses spring default security for
>> login. So need to check this one.
>
>This has more to do with how your web application itself works and
>less about your security framework. For example, if you have a
>web-1.0-style web application which is mostly user-driven GET and POST
>requests, then you are probably fine with the occasional
>user-initiated page RELOAD or STOP/RELOAD or STOP/RETRY event.
>
>But if you have a web-2.0 style
>websocket/AJAX/many-things-happening-at-once-style application, then
>you are probably going to have problems without sticky sessions.

Yes, okay understood.
Webapp is a traditional request/reply jsp app. So nothing fancy going on.

>
>>> - the session Manager must be configured to update all the other
>>> nodes in the cluster BEFORE the current request returns to the
>>> client.
>>
>> How to do that? I did have a look at Manager/DeltaManager
>> attributes but didn't see something that looks like above setting.
>> Can you please point me in the right direction?
>
>http://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html#Cluster_Information
>
>This is done using channelSendOptions on the  and
>mapSendOptions on the ReplicationValve. The default value is to be
>synchronous, which would be required, here. Synchronous means that the
>data is replicated before the response is completed to the client. You
>could also do asynchronous which would allow the request to complete
>and queue the replication for "later" (but probably pretty shortly
>thereafter).

Yes I also found out that simple tcp cluster had this option, but async is the 
default for some reason:

https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/ha/tcp/SimpleTcpCluster.java#L152

I tried ack and sync-ack but I still see "session not found errors".

I'll check replication valve setting.

In the meantime I also did enable tribes message logging, and tried to find out
what goes wrong, but have not yet fully understood the problem.

The error seems to happen in Spring's CSRF filter which stores a UUID token in
the HTTP sessions.
Also a change session id happens in between. Everything looks actually okay, 
but it doesn't work.

>
>>>> 2) does session replication only work correctly with sticky
>>>> load balancer routing?
>>>
>>> No. It works quite happily without it.
>>
>> Good to know.
>
>You might want to use sticky-sessions anyway.
>
>>>> My setup is 1) load balancer without sticky session routing
>>>> into kubernetes 2) two pods running tomcat with cloud member
>>>> provider, which see and find each other
>>>>
>>>> No jvmRoute attribute is set.
>>
>> Another question regarding jvmRoute: Even if my load balancer has
>> no sticky sessions, should I add jvmRoute attribute? I think I
>> could easily add the pod's name as jvmRoute.
>
>If it's no particular trouble, I would:
>
>1. Add jvmRoute
>2. Enable sticky sessions
>
>#2 just means that all requests for an session-holding client will be
>directed to a single Tomcat node. If fail-over is necessary, the other
>node will have the session-information that was last sent successfully
>and should be relatively up-to-date. The session-id will be changed
>upon fail-over and the user shouldn't really notice unless some
>replication message was lost.
>
>IMHO the o

Re: Tomcat session replication

2020-06-27 Thread Thomas Meyer
On 27 June 2020 11:29:03 CEST, Mark Thomas wrote:
>On 27/06/2020 10:19, Thomas Meyer wrote:
>> Hi,
>> 
>> A few questions regarding tomcat session replication:
>
>load-balancing and session replication are two separate parts of an
>overall clustering solution.
>
>> 1) is the jvmRoute attribute on Engine object necessary for session
>> replication to work correctly?
>
>No, but if you don't use it it places a number of restrictions on the
>web application behaviour and on the configuration of session
>replication.
>
>The limitations are:
>- you need to use the DeltaManager (which doesn't scale as well as the
>  BackupManager);

Yes, I'm using default DeltaManager as I will only have two pods running Tomcat.

>- any requests made by the client that depend on the session MUST be
>  issued in series, not in parallel; and

Not sure about this one, the app uses spring default security for login. So 
need to check this one.

>- the session Manager must be configured to update all the other nodes
>  in the cluster BEFORE the current request returns to the client.

How to do that? I did have a look at Manager/DeltaManager attributes but didn't
see something that looks like above setting. Can you please point me in the right
direction?

>
>> 2) does session replication only work correctly with sticky load
>> balancer routing?
>
>No. It works quite happily without it.

Good to know.

>
>> 
>> My setup is
>> 1) load balancer without sticky session routing into kubernetes
>> 2) two pods running tomcat with cloud member provider, which see and
>> find each other
>> 
>> No jvmRoute attribute is set.

Another question regarding jvmRoute:
Even if my load balancer has no sticky sessions, should I add jvmRoute 
attribute? I think I could easily add the pod's name as jvmRoute.

>> 
>> Above setup doesn't work and gives strange errors for the distributed
>> webapp which relies on http sessions.
>>
>> Should above setup work? If not why and what do I need to fix?
>>
>> Any hints of what logging to enable to debug the problem if any at
>> all?
>
>Please show us how you have configured the session manager and
>clustering.

My setup is just go with the defaults:







In the logs I can see the member appears/disappears messages, which is a good 
thing I guess.





Tomcat session replication

2020-06-27 Thread Thomas Meyer
Hi,

A few questions regarding tomcat session replication:

1) is the jvmRoute attribute on Engine object necessary for session replication 
to work correctly?
2) does session replication only work correctly with sticky load balancer 
routing?

My setup is
1) load balancer without sticky session routing into kubernetes
2) two pods running tomcat with cloud member provider, which see and find each 
other

No jvmRoute attribute is set.

Above setup doesn't work and gives strange errors for the distributed webapp
which relies on http sessions.

Should above setup work? If not why and what do I need to fix?

Any hints of what logging to enable to debug the problem if any at all?
Kind regards
Thomas




Re: JNI memory leak?

2020-04-04 Thread Thomas Meyer
On 4 April 2020 14:53:17 CEST, calder wrote:
>On Fri, Apr 3, 2020 at 8:48 PM Mark Boon wrote:
>>
>> For the past few months we’ve been trying to trace what looks like
>> gradual memory creep. After some long-running experiments it seems due
>> to memory leaking when
>> jni_invoke_static(JNIEnv_*, JavaValue*, _jobject*, JNICallType,
>> _jmethodID*, JNI_ArgumentPusher*, Thread*) is invoked. Somewhere.
>>
>> My environment is Tomcat running a proxy webapp. It does TLS
>> termination, authentication and then forwards the call to local
>> services. It doesn’t do much else, it’s a relatively small application.
>>
>> Some (possibly relevant) versions and config parameters:
>> Tomcat 8.5
>> Java 8u241 (Oracle)
>> Heap size = 360Mb
>> MAX_ALLOC_ARENA=2
>> MALLOC_TRIM_THRESHOLD_=250048
>> jdk.nio.maxCachedBufferSize=25600
>>
>> We couldn’t find any proof of memory leaking on the Java side.
>> When we turn on NativeMemoryTracking=detail and we take a snapshot
>> shortly after starting, we see (just one block shown):
>>
>> [0x03530e462f9a] JNIHandleBlock::allocate_block(Thread*)+0xaa
>> [0x03530e3f759a] JavaCallWrapper::JavaCallWrapper(methodHandle, Handle, JavaValue*, Thread*)+0x6a
>> [0x03530e3fa000] JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*)+0x8f0
>> [0x03530e4454a1] jni_invoke_static(JNIEnv_*, JavaValue*, _jobject*, JNICallType, _jmethodID*, JNI_ArgumentPusher*, Thread*) [clone .isra.96] [clone .constprop.117]+0x1e1
>>  (malloc=33783KB type=Internal #110876)
>>
>> Then we run it under heavy load for a few weeks and take another
>> snapshot:
>>
>> [0x03530e462f9a] JNIHandleBlock::allocate_block(Thread*)+0xaa
>> [0x03530e3f759a] JavaCallWrapper::JavaCallWrapper(methodHandle, Handle, JavaValue*, Thread*)+0x6a
>> [0x03530e3fa000] JavaCalls::call_helper(JavaValue*, methodHandle*, JavaCallArguments*, Thread*)+0x8f0
>> [0x03530e4454a1] jni_invoke_static(JNIEnv_*, JavaValue*, _jobject*, JNICallType, _jmethodID*, JNI_ArgumentPusher*, Thread*) [clone .isra.96] [clone .constprop.117]+0x1e1
>>  (malloc=726749KB type=Internal #2385226)
>>
>> While other blocks also show some variation, none show growth like
>> this one. When I do some math on the number (726749KB - 33783KB) /
>> (2385226 – 110876) it comes down to a pretty even 312 bytes per
>> allocation.
>> And we leaked just under 700Mb. While not immediately problematic,
>> this does not bode well for our customers who run this service for
>> months.
>>
>> I’d like to avoid telling them they need to restart this service
>> every two weeks to reclaim memory. Has anyone seen something like this?
>> Any way it could be avoided?
>
>I'm a bit confused. Your stated title is "JNI Memory Leak?"
>Tomcat, to my intimate knowledge, does not use JNI (correct me if I'm
>wrong)
>( quick check
> user@stimpy:~/Desktop/tomcat-source/apache-tomcat-8.5.53-src> find .
>-name *.c -ls
> user@stimpy:~/Desktop/tomcat-source/apache-tomcat-8.5.53-src> find .
>-name *.cpp -ls
> user@stimpy:~/Desktop/tomcat-source/apache-tomcat-8.5.53-src> find .
>-name *.asm -ls
> user@stimpy:~/Desktop/tomcat-source/apache-tomcat-8.5.53-src> find .
>-name *.pas -ls
>}
>
>a) for the "snapshots" provided, there is NO reference to their
>association, ie, "what" code are those related to?
>b) could you run Mission Control or jvisualvm to locate a stack trace
>for this?
>
>We have two apps that use JNI and run via Tomcat (and another app
>server) - one is "so old" that it is limited to 32-bit . the one
>memory leak we have encountered was related to the "native side" (for
>us, the native-compiled Pascal side of things (we also use Assembly
>code) via Java's JNI code).
>
>So, ultimately, I'm confused why we think Tomcat is "to blame" as
>there is no evidence it uses JNI.
>It's my experience JNI memory issues are related to the Java JNI or
>proprietary native code.
>

Hi,

I think jni is used via apr in tomcat.

Do you use apr http connector?

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
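The per-allocation arithmetic in the quoted report, as an added example (not code from the thread or from the JDK): it parses two NativeMemoryTracking detail snapshots, matches call sites by stack, and prints the growth and bytes per allocation for each site. The JNI stack and its totals are copied from the thread; the second site is constructed for contrast, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: per-call-site growth between two NMT detail snapshots. */
public class NmtSiteGrowth {
    private static final Pattern FRAME = Pattern.compile("^\\[0x[0-9a-fA-F]+\\]\\s+(.+)$");
    private static final Pattern TOTAL = Pattern.compile("\\(malloc=(\\d+)KB.*#(\\d+)\\)");

    /** Maps each call-site stack to {malloc KB, allocation count}. */
    static Map<String, long[]> parse(String snapshot) {
        Map<String, long[]> sites = new LinkedHashMap<>();
        List<String> frames = new ArrayList<>();
        for (String raw : snapshot.split("\n")) {
            String line = raw.trim();
            Matcher frame = FRAME.matcher(line);
            Matcher total = TOTAL.matcher(line);
            if (frame.matches()) {
                frames.add(frame.group(1));
            } else if (total.find() && !frames.isEmpty()) {
                long[] v = {Long.parseLong(total.group(1)), Long.parseLong(total.group(2))};
                // If a stack shows up twice in one snapshot, sum its entries.
                sites.merge(String.join(" <- ", frames), v,
                        (a, b) -> new long[] {a[0] + b[0], a[1] + b[1]});
                frames.clear();
            } else {
                frames.clear(); // any other line ends the current stack
            }
        }
        return sites;
    }

    /** Prints every call site whose malloc total grew by at least minGrowthKb. */
    static void report(Map<String, long[]> before, Map<String, long[]> after, long minGrowthKb) {
        for (Map.Entry<String, long[]> e : after.entrySet()) {
            long[] old = before.getOrDefault(e.getKey(), new long[] {0, 0});
            long kb = e.getValue()[0] - old[0];
            long allocs = e.getValue()[1] - old[1];
            if (kb < minGrowthKb || allocs <= 0) {
                continue;
            }
            String innermost = e.getKey().split(" <- ")[0];
            System.out.printf("+%d KB in +%d allocations (%.1f bytes each) at %s%n",
                    kb, allocs, kb * 1024.0 / allocs, innermost);
        }
    }

    // Stack copied from the snapshots quoted in the thread.
    private static final String JNI_STACK = String.join("\n",
            "[0x03530e462f9a] JNIHandleBlock::allocate_block(Thread*)+0xaa",
            "[0x03530e3f759a] JavaCallWrapper::JavaCallWrapper(methodHandle, Handle, "
                    + "JavaValue*, Thread*)+0x6a",
            "[0x03530e3fa000] JavaCalls::call_helper(JavaValue*, methodHandle*, "
                    + "JavaCallArguments*, Thread*)+0x8f0",
            "[0x03530e4454a1] jni_invoke_static(JNIEnv_*, JavaValue*, _jobject*, JNICallType, "
                    + "_jmethodID*, JNI_ArgumentPusher*, Thread*) "
                    + "[clone .isra.96] [clone .constprop.117]+0x1e1");
    // Constructed second site that stays roughly flat, for contrast.
    private static final String FLAT_STACK = "[0x000000000001] Constructed::flat_site()+0x10";

    static String snapshot(long jniKb, long jniCount, long flatKb, long flatCount) {
        return JNI_STACK + "\n    (malloc=" + jniKb + "KB type=Internal #" + jniCount + ")\n\n"
                + FLAT_STACK + "\n    (malloc=" + flatKb + "KB type=Internal #" + flatCount + ")\n";
    }

    public static void main(String[] args) {
        // JNI totals are the two values from the thread; flat-site totals are constructed.
        Map<String, long[]> before = parse(snapshot(33783, 110876, 512, 4000));
        Map<String, long[]> after = parse(snapshot(726749, 2385226, 530, 4100));
        report(before, after, 1024);
    }
}
```

On a running JVM started with NativeMemoryTracking enabled, `jcmd <pid> VM.native_memory baseline` followed later by `jcmd <pid> VM.native_memory detail.diff` reports the same per-site differences.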



Re: Client cert auth on demand

2020-02-29 Thread Thomas Meyer
On 29 February 2020 at 13:10:13 CET, Mark Thomas wrote:
>On 29/02/2020 11:23, Michael Osipov wrote:
>> On 2020-02-29 at 12:13, Mark Thomas wrote:
>>> On 29/02/2020 11:07, Michael Osipov wrote:
>>>> On 2020-02-29 at 12:05, Mark Thomas wrote:
>>>>> On 29/02/2020 10:40, Michael Osipov wrote:
>>>
>>> 
>>>
>>>>>> Tomcat does not support renegotiation of TLS contexts based
>>>>>> on URLs like HTTPd.
>>>>>
>>>>> Yes it does.
>>>>>
>>>>> If you specify CLIENT-CERT auth for a sub-set of URLs Tomcat will
>>>>> trigger a renegotiation when one of those URLs is requested.
>>>>>
>>>>> You don't have the same fine-grained control you have in httpd but you
>>>>> can replicate the typical use cases.
>>>>
>>>> Really? If I say require client cert auth on the connector, it will be
>>>> enforced even on those contexts which do not require authentication?!
>>>
>>> If you required auth on the connector it always applies.
>>>
>>> However, if you don't require it at the connector level you can require
>>> it for a subset of URLs with security constraints and Tomcat will
>>> trigger any required renegotiations.
>> 
>> Mark,
>> 
>> this makes me wonder whether Tomcat properly implements RFC 7540,
>> section 9.2.1 and RFC 8740, section 3. From my understanding the
>> configuration you have described MUST fail here.
>
>Those aspects of those specs are implemented correctly. Authentication
>will fail for both HTTP/2 and TLS 1.3 if a web application level
>security constraint tries to trigger renegotiation.
>
>For HTTP/2 and/or TLS 1.3 you can only configure client certificate
>authentication on the Connector.

Hi,

Oh, I didn't know that. Why exactly is that? Because of the multiplexing on 
http2 or something in tls1.3, or asked the other way around, will it fail only 
for http2 && tls1.3 or for http2 || tls1.3?

>
>Mark
>





Re: Client cert auth on demand

2020-02-29 Thread Thomas Meyer
On 27 February 2020 at 10:58:01 CET, "Martynas Jusevičius" wrote:
>Hi list,
>
>I'm using a Docker image based on tomcat:8.0-jre8. It serves as an
>end-user facing webapp but also as a REST API which authenticates
>using client certificates. The same URLs serve both purposes, however
>only administrators are using the API.
>
>The Connector is configured using clientAuth="want".
>This works fine with API calls which are run from shell scripts.
>In the browser however it prompts a certificate selection (if there
>are any client certs). This would not be a problem if the webapp would
>not be user-facing, but since it is the certificate prompt can be
>confusing to many users and increase our bounce rate.
>
>I'm looking for some workaround that would not require changing the
>whole design. For example asking for the client cert only when a
>certain flag is set, such as a query param or request header.
>Or somehow not asking for it but still accepting it :) But I guess
>that's not how TLS works...
>
>Any ideas? Thanks.
>
>
>Martynas
>atomgraph.com
>

Hi,

Instead of configuring the container for client cert Auth change the webapp:
1) define a realm in local context.xml
2) add resp security constraint only for rest api calls




Re: PooledConnection#connectUsingDriver, Thread.currentThread().getContextClassLoader() is null

2019-07-25 Thread Thomas Meyer
On 25 July 2019 at 08:07:18 CEST, Clemens Wyss DEV wrote:
>Note: I have moved this "issue" over to the tomcat-dev mailinglist ...
>
>-Original Message-
>From: Clemens Wyss DEV
>Sent: Wednesday, 24 July 2019 11:07
>To: 'Tomcat Users List'
>Subject: PooledConnection#connectUsingDriver,
>Thread.currentThread().getContextClassLoader() is null
>
>Context:
>Debian GNU/Linux 9 \n \l
>java version 1.8.0_162
>Tomcat 8.5.35
>
>From time to time we are facing the following exception (call stack):
>...
>Caused by: java.sql.SQLException: Unable to load class:
>org.mariadb.jdbc.Driver from
>ClassLoader:java.net.URLClassLoader@4c873330;ClassLoader:null
>at
>org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:292)
>at
>org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:212)
>at
>org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:736)
>at
>org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:668)
>at
>org.apache.tomcat.jdbc.pool.ConnectionPool.getConnection(ConnectionPool.java:198)
>at
>org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:132)
>at org.apache.torque.Torque.getConnection(Torque.java:924)
>... 53 common frames omitted
>Caused by: java.lang.ClassNotFoundException: Unable to load class:
>org.mariadb.jdbc.Driver from
>ClassLoader:java.net.URLClassLoader@4c873330;ClassLoader:null
>at
>org.apache.tomcat.jdbc.pool.ClassLoaderUtil.loadClass(ClassLoaderUtil.java:56)
>at
>org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:280)
>... 59 common frames omitted
>Caused by: java.lang.ClassNotFoundException: Classloader is null
>at
>org.apache.tomcat.jdbc.pool.ClassLoaderUtil.loadClass(ClassLoaderUtil.java:40)
>... 60 common frames omitted
>
>According to the code (in PooledConnection# connectUsingDriver)
>Thread.currentThread().getContextClassLoader() returns null
>
>Googling for " Thread.currentThread().getContextClassLoader() is null"
>the common denominator seems to be `getContextClassLoader can be null`.
>If this is true there should be
>a) a null-check in PooledConnection# connectUsingDriver
>b) if null, then there should be a fallback-Classloader (the system
>class loader?)
>
>WDYT ?
>
>Or any ideas why the given exception pops up from time to time
>
>Thx
>Clemens

Hi,

Is the driver part of the web app or installed in tomcat's lib directory?

Does the error happen after startup of tomcat or after running for some time?

With kind regards
Thomas



Re: [ANN] Apache Tomcat 8.5.43 available

2019-07-10 Thread Thomas Meyer
On 10 July 2019 at 13:06:50 CEST, Mark Thomas wrote:

Hi,

>The notable changes since 8.5.42
>include:
>- Update to Tomcat Native 1.2.23 including Windows binaries built
>  with OpenSSL 1.1.1c

Btw. are the prebuilt Tomcat native libraries also available from Maven 
Central?
If not, could they be made available?


With kind regards
Thomas




Re: Tomcat Hackathon - Brussels Belgium - 4/5 May 2019

2019-04-04 Thread Thomas Meyer
Hi,

a PropertySource that uses environment variables as source would be nice.
I.e. an OpenShift/Kubernetes Secret mapped into environment variables that can 
be used in server.xml or context.xml!

With Kind regards
Thomas


From: Mark Thomas
Sent: Thursday, 4 April 2019 16:29
To: Tomcat Users List
Cc: Tomcat Developers List
Subject: Tomcat Hackathon - Brussels Belgium - 4/5 May 2019

All,

You are invited!

As part of the EU-FOSSA 2 project[1], there will be a Tomcat Hackathon 
in Brussels, Belgium on 4-5 May 2019.[2]

The outline of the schedule is:
- general update on the status of the project
- hacking
- wrap-up
with the majority of the time spent hacking.

We are currently collating potential tasks on the wiki [3].

The EU-FOSSA 2 project is providing accommodation (on the basis of 2 
people sharing - you can request a single room if you want to pay the 
difference) and might be able to help with transport costs.

Space is limited so we are asking anyone who would like to attend this 
hackathon and contribute to the development of Tomcat to send an e-mail 
to priv...@tomcat.apache.org with the following information:

- First name
- Last name
- Email address
- Phone number
- City of departure
- Area you would like to work on
   (Feel free to add ideas directly to the wiki as well)

Time is fairly tight so if you are interested please let us know ASAP.

We hope to see you in Brussels

Mark
on behalf of the Apache Tomcat PMC


[1] https://joinup.ec.europa.eu/collection/eu-fossa-2
[2] https://eufossahackathon.bemyapp.com/
[3] https://cwiki.apache.org/confluence/display/TOMCAT/EU+FOSSA+May+2019






How to add an header field to all requests unconditionally

2019-03-13 Thread Thomas Meyer

Hi,

what would be the easiest way to unconditionally add a header field to  
all requests coming from a given connector?
I searched the provided Valves but there seems to be no support for my  
requirement.


with kind regards
thomas







Re: Thread.sleep CPU time

2017-05-10 Thread Thomas Meyer

> On 10.05.2017 at 12:02, Oliver Fernandez wrote:
> 
> But, is it correct Thread to be sleep?

Basically yes. But Brendan Gregg had yesterday an interesting article about CPU 
utilization in modern OSes -  
http://brendangregg.com/blog/2017-05-09/cpu-utilization-is-wrong.html


> 
>> On 10 May 2017 at 10:43, Oliver Fernandez  
>> wrote:
>> So basically we can consider this time as CPU being idle, right?
>> 
>> 
>>> On 10 May 2017 at 10:15, Mark Thomas  wrote:
>>> On 10/05/17 09:02, Oliver Fernandez wrote:
>>> > Sorry about the image. Here's in text format
>>> >
>>> > 
>>> >
>>> >  - org.apache.tomcat.utils.trheads.TaskThreadWrappingRunnable.run() --->
>>> > 42% CPU. This is my webapp code. It's OK
>>> >
>>> >  - org.apache.coyote.AbstractProtocol$AsyncTimeout.run()
>>> > - AbstractProtocol.java:1138 [Wall Time]
>>> > java.lang.Thread.sleep(long) > 38% CPU
>>> >
>>> >  - 
>>> > org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run()
>>> > - ContainerBase.java:1355 [Wall Time] java.lang.Thread.sleep(long)
>>> > --> 19%
>>> 
>>> You are looking at wall time, not CPU time so those values look fine.
>>> For an explanation of the differences see the YourKit docs:
>>> https://www.yourkit.com/docs/java/help/times.jsp
>>> 
>>> Mark
>>> 
>>> 
>>> >
>>> >
>>> > I'm not sure what this means. is it just that the CPU is IDLE waiting
>>> > for other tasks to complete?
>>> >
>>> >
>>> > On 10 May 2017 at 09:53, Stevo Slavić wrote:
>>> >
>>> > Maybe sleep call is in a loop - busy waiting, and sleeping too
>>> > short. Sleep
>>> > longer, observe latency after the change. In Java 9 there will be 
>>> > extra
>>> > option
>>> > 
>>> > http://download.java.net/java/jdk9/docs/api/java/lang/Thread.html#onSpinWait--
>>> > 
>>> > 
>>> >
>>> > On Wed, May 10, 2017 at 9:44 AM, Oliver Fernandez <
>>> > oliver.fernan...@marfeel.com >
>>> > wrote:
>>> >
>>> > > While profiling my Tomcat app using YourKit, I noticed two Threads,
>>> > > consuming 57% of total CPU, in the method Thread.sleep()
>>> > >
>>> > > [image: Inline images 1]
>>> > >
>>> > > What's this Thread.sleep() about?
>>> > >
>>> > >
>>> > >
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> >
>>> > *Óliver Fernández*
>>> >
>>> > Principal Architect
>>> >
>>> >
>>> > Inline image 2
>>> >
>>> >
>>> >
>>> >
>>> > Marfeel Solutions S.L.
>>> >
>>> > Rambla Catalunya 35, Principal 2ª
>>> >
>>> > 08007 Barcelona, Spain
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > ES: (+34) 93 178 59 50  ext. 106
>>> >
>>> > US: (+1) 917-341-2540  ext. 106
>>> >
>>> > UK: (+44) 207-048-37-28  ext. 106
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > www.marfeel.com 
>>> >
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> -- 
>> Óliver Fernández
>> Principal Architect
>> 
>> 
>> 
>> 
>> Marfeel Solutions S.L.
>> Rambla Catalunya 35, Principal 2ª
>> 08007 Barcelona, Spain
>> 
>> 
>> 
>> ES: (+34) 93 178 59 50 ext. 106
>> US: (+1) 917-341-2540 ext. 106
>> UK: (+44) 207-048-37-28 ext. 106
>> 
>> 
>> www.marfeel.com  
> 
> 
> 
> -- 
> Óliver Fernández
> Principal Architect
> 
> 
> 
> 
> Marfeel Solutions S.L.
> Rambla Catalunya 35, Principal 2ª
> 08007 Barcelona, Spain
> 
> 
> 
> ES: (+34) 93 178 59 50 ext. 106
> US: (+1) 917-341-2540 ext. 106
> UK: (+44) 207-048-37-28 ext. 106
> 
> 
> www.marfeel.com  
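The wall-time versus CPU-time distinction from the thread above, as an added example (not code from the thread, Tomcat or YourKit): it measures both clocks for a thread that sleeps and for a thread that spins, using the JDK's ThreadMXBean. The class name, method names and the 500 ms duration are choices made for this example.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.ThreadMXBean;

/** Added example: wall-clock time versus CPU time for a sleeping and a busy thread. */
public class WallVsCpuTime {

    private static final long RUN_MILLIS = 500; // arbitrary duration for the demo

    /** Runs task on its own thread and returns {wall nanos, CPU nanos} for that thread. */
    static long[] measure(Runnable task) throws InterruptedException {
        ThreadMXBean mx = ManagementFactory.getThreadMXBean();
        if (!mx.isCurrentThreadCpuTimeSupported()) {
            throw new UnsupportedOperationException("per-thread CPU time not available");
        }
        long[] result = new long[2];
        Thread t = new Thread(() -> {
            long wallStart = System.nanoTime();
            long cpuStart = mx.getCurrentThreadCpuTime();
            task.run();
            result[1] = mx.getCurrentThreadCpuTime() - cpuStart;
            result[0] = System.nanoTime() - wallStart;
        }, "measured");
        t.start();
        t.join(); // join() makes the writes to result visible to the caller
        return result;
    }

    /** Like a background loop that wakes up periodically: nearly all time is spent in sleep(). */
    static void sleeper() {
        try {
            Thread.sleep(RUN_MILLIS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /** Busy loop for comparison: the thread wants a CPU for the whole interval. */
    static void spinner() {
        long end = System.nanoTime() + RUN_MILLIS * 1_000_000L;
        long iterations = 0;
        while (System.nanoTime() < end) {
            iterations++;
        }
        if (iterations < 0) {
            System.out.println(iterations); // never true; keeps the counter live
        }
    }

    static void print(String name, long[] r) {
        System.out.printf("%-8s wall=%4d ms  cpu=%4d ms  cpu/wall=%3.0f%%%n",
                name, r[0] / 1_000_000, r[1] / 1_000_000, 100.0 * r[1] / r[0]);
    }

    public static void main(String[] args) throws InterruptedException {
        print("sleeper", measure(WallVsCpuTime::sleeper));
        print("spinner", measure(WallVsCpuTime::spinner));
    }
}
```

Both threads show about the same wall time; only the spinning thread accumulates CPU time of the same order, which is why a large wall-time share for Thread.sleep() in a profiler does not indicate CPU load.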


Tomcat base directory layout

2017-03-25 Thread Thomas Meyer
Hi,

Does there exist a small helper tool that can create the minimum necessary 
directories and files in a new CATALINA-BASE directory? Or a template zip file 
or something like this?

Such a tool would be helpful, because I always struggle with which directories 
are the minimum necessary to start a new instance.


With kind regards
Thomas




Re: Tomcat 8/Redhat Linux 6.6 /Kernal 2.6.32 - Memory Won't Release

2017-03-20 Thread Thomas Meyer



> On 17.03.2017 at 14:54, Christopher Schultz wrote:
>> Note that Java *never* gives any memory back to the OS, even when the
> heap-usage goes down. This is a Java thing, not a Tomcat thing.
> 

Are you sure about this? I think I've read otherwise somewhere. A quick google 
showed up this: http://stackoverflow.com/a/30464183

With kind regards
Thomas






Spring fails with Tomcat 8.0.41 and unpackWARs=false

2017-03-08 Thread Thomas Meyer


Hi,

if anybody else is hitting this:

This commit seems to have broken the Spring when running under Tomcat  
with unpackWARs=false -  
https://github.com/apache/tomcat80/commit/7e767cc6efe79cdd367213da3c1f88711a29ad7a#diff-a72fb99b0729353084d2c437f749e718


I did open a Jira Bug report against Spring  
https://jira.spring.io/browse/SPR-15332 to track the issue.


with kind regards
thomas







Re: Best way to find out how many DB connections that are open at any given time

2017-01-12 Thread Thomas Meyer
You may also want to have a look at flexy pool - 
https://github.com/vladmihalcea/flexy-pool 

With kind regards
Thomas


> On 11.01.2017 at 01:36, Joleen Barker wrote:
> 
> As always, thank you Christopher, I'll take a look at the slides.
> 
> And Thank you to the other for pointing me in some directions for this.
> 
> -Joleen
> 
> On Tue, Jan 10, 2017 at 3:19 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
>> 
>> Joleen,
>> 
>>> On 1/10/17 11:10 AM, Joleen Barker wrote:
>>> Hello All,
>>> 
>>> Details: Tomcat Version: 7.0.64.0 Java Version: 1.8.0 OS: AIX 6.1
>>> Database: Oracle 11
>>> 
>>> The web application installed on the server above makes data
>>> connections to run file transfers from point A to point B. The
>>> default Database connection setting that are set when the
>>> application server comes up are as follows:
>>> 
>>> DataBasePoolingFlag - APACHE MaxActive - 400 MaxIdle - 20 MinIdle -
>>> 10
>>> 
>>> We had an incident where all these connections were actually used
>>> up due to a script someone had that looped. I need to determine at
>>> any given point in time how many DB connections exist from the web
>>> application to the DB. There may be more than one way to do this. I
>>> am sure there is a DB command that could be run against the schema
>>> but the schema is pointed to by many servers. I am  wondering if
>>> there is a java command of some kind that I could run that may tell
>>> me how many connections are open at that time or possibly a tomcat
>>> or apache command.
>> 
>> This may be helpful:
>> 
>> http://people.apache.org/~schultz/ApacheCon%20NA%202016/Monitoring%20Apache%20Tomcat%20with%20JMX.pdf
>> 
>> Slides 15-16 show you where you can find the DataSource information
>> via JMX, and then later on in the presentation there are slides to
>> show how you can get that information via HTTP instead of JMX. Scripts
>> are provided to fetch a value at intervals, track values over time, etc.
>> 
>> - -chris
>> 
>> 




Re: Custom Authenticator

2016-06-04 Thread Thomas Meyer
On Wednesday, 01.06.2016 at 09:29 -0400, Christopher Schultz wrote:
> Thomas,
> 
> On 6/1/16 7:15 AM, Thomas Meyer wrote:
> > 
> > Hi,
> > 
> > How do I get a custom mapping set in 
> > ContextConfig.setCustomAuthenticators? ( 
> > https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/startup/ContextConfig.html#setCustomAuthenticators(java.util.Map)
> > )
> > 
> > 
> > I want to add a custom mapping for let's say BEARER to my
> > Authenticator. I searched the source code but nobody seems to call
> > this method. So how and where should this map be configured?
> Do you mean that you want to replace FORM or CLIENT-CERT in web.xml
> with BEARER and have it use your authenticator?
> 
> Would you be okay if you just ignored the  and installed
> your own authenticator? Because you can do that just by registering
> your CustomAuthenticatorValve in your valve chain for your
> application.


Hi,

I came up with this solution:

1.) use custom host implementation

in conf/server.xml in <Host> add
className="de.m3y3r.catalina.core.CustomStandardHost" attribute

2.) webapp's web.xml - add login-config

<login-config>
  <auth-method>BEARER</auth-method>
  <realm-name>OAuthRealm</realm-name>
</login-config>

Apply security-constraint as usual. use role "**" if you just want
authentication.

3.) in webapp's context.xml define a suitable realm

https://localhost:8080/path/to/endpoint;
    clientId="username"
    clientSecret="password"/>

Code is here: https://github.com/thomasmey/BearerTokenAuthenticator

Feedback is welcome.

with kind regards
Thomas





Custom Authenticator

2016-06-01 Thread Thomas Meyer

Hi,

How do I get a custom mapping set in  
ContextConfig.setCustomAuthenticators? (  
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/startup/ContextConfig.html#setCustomAuthenticators(java.util.Map)  
)


I want to add a custom mapping for let's say BEARER to my Authenticator.
I searched the source code but nobody seems to call this method. So  
how and where should this map be configured?


With kind regards
Thomas





Question regarding parseRequestLine

2016-05-10 Thread Thomas Meyer
Hi,

I noticed that I can block tomcat 8 by opening 200 connections to the
http 1.1 connector and sending 512 bytes of zero in each connection.

Tomcat 8 seems to block in parseRequestLine() method for 20 seconds
(connectionTimeout) and times out after that.

The blocking seems to happen while waiting for the http method name.

I looked up RFC 2616 and byte zero is as far as I understand not a
legal character for the http method name which are GET, PUT and so on
and extension token which is defined as token which is defined as all
characters excluding 0-31 and 127.
So why doesn't tomcat trash the connection when it detects an invalid
http method name?

Is this behaviour just a super tolerant implementation?

Bug or feature? I'm curious to know the background of this
behaviour/implementation!

With kind regards
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
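The RFC 2616 token rule cited in the question above, as an added example (not Tomcat's code): a check that consumes the method position byte by byte across reads and returns a final verdict as soon as a byte such as 0x00 cannot belong to a token. The class name, the length limit and the cap on leading empty-line bytes are assumptions of this example; all inputs are constructed.

```java
import java.nio.charset.StandardCharsets;

/** Added example, not Tomcat code: incremental check of the HTTP method token. */
public class MethodTokenCheck {

    enum Result { NEED_MORE, METHOD_OK, INVALID }

    // RFC 2616 section 2.2 separators; together with the CTLs (0-31 and 127)
    // these are the characters that may not appear in a token.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isTokenChar(int b) {
        return b > 31 && b < 127 && SEPARATORS.indexOf(b) < 0;
    }

    private final int maxMethodLength; // limit chosen by the caller (assumption)
    private int methodLength = 0;
    private int skippedLineBytes = 0;
    private Result state = Result.NEED_MORE;

    MethodTokenCheck(int maxMethodLength) {
        this.maxMethodLength = maxMethodLength;
    }

    /** Feed the bytes of one socket read. Once the verdict is final it does not change. */
    Result feed(byte[] buf, int off, int len) {
        for (int i = off; i < off + len && state == Result.NEED_MORE; i++) {
            int b = buf[i] & 0xff;
            if (methodLength == 0 && (b == '\r' || b == '\n')) {
                // RFC 2616 section 4.1 lets a server ignore empty lines before the
                // request line; capping them at 8 bytes is this example's choice.
                if (++skippedLineBytes > 8) {
                    state = Result.INVALID;
                }
            } else if (b == ' ') {
                // The first SP ends the method; an empty method is not a token.
                state = methodLength > 0 ? Result.METHOD_OK : Result.INVALID;
            } else if (!isTokenChar(b) || ++methodLength > maxMethodLength) {
                state = Result.INVALID;
            }
        }
        return state;
    }

    private static Result run(byte[]... reads) {
        MethodTokenCheck check = new MethodTokenCheck(32);
        Result r = Result.NEED_MORE;
        for (byte[] read : reads) {
            r = check.feed(read, 0, read.length);
        }
        return r;
    }

    private static byte[] ascii(String s) {
        return s.getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        // Constructed inputs: zero bytes, a valid line, a split read, a partial
        // method, and a method containing a separator.
        System.out.println("512 zero bytes  -> " + run(new byte[512]));
        System.out.println("GET / HTTP/1.1  -> " + run(ascii("GET / HTTP/1.1\r\n")));
        System.out.println("GE | T / ...    -> " + run(ascii("GE"), ascii("T / HTTP/1.1\r\n")));
        System.out.println("GE (no more)    -> " + run(ascii("GE")));
        System.out.println("G@T / HTTP/1.1  -> " + run(ascii("G@T / HTTP/1.1\r\n")));
    }
}
```

A connection only remains in NEED_MORE while every byte received so far is a legal token character, so a read timeout is needed only for that case.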