Re: JVM crashing with caCertificatePath in server.xml

2024-05-20 Thread Christopher Schultz

Michael,

On 5/20/24 06:52, Michael Osipov wrote:

On 2024/05/17 15:11:58 Christopher Schultz wrote:

Michael,

On 5/17/24 03:42, Michael Osipov wrote:

On 2024/05/16 21:37:34 Christopher Schultz wrote:

Michael,

On 5/16/24 12:00, Michael Osipov wrote:

On 2024/05/16 15:55:04 Andy Arismendi wrote:

Ok great! Thank you for taking the time and making the effort to look into this 
Michael, much appreciated!


Here is a dynamically linked, patched version until there is an official 
release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/

Please give it a try.


Since you have produced a debug build of tcnative (and other
components?) could you post the debug trace of the native stack?


Unfortunately I can't. While I have the files with debug symbols I am limited 
by https://github.com/mturk/cmsc?tab=readme-ov-file#warning. I don't have a 
full blown Visual Studio installed.


Okay. If you did build with VS, can you get a debug build with a backtrace?


Unfortunately not. Currently, I don't have the capacity to do so.



Re: JVM crashing with caCertificatePath in server.xml

2024-05-20 Thread Michael Osipov
On 2024/05/17 15:11:58 Christopher Schultz wrote:
> Michael,
> 
> On 5/17/24 03:42, Michael Osipov wrote:
> > On 2024/05/16 21:37:34 Christopher Schultz wrote:
> >> Michael,
> >>
> >> On 5/16/24 12:00, Michael Osipov wrote:
> >>> On 2024/05/16 15:55:04 Andy Arismendi wrote:
>  Ok great! Thank you for taking the time and making the effort to look 
>  into this Michael, much appreciated!
> >>>
> >>> Here is a dynamically linked, patched version until there is an official 
> >>> release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/
> >>>
> >>> Please give it a try.
> >>
> >> Since you have produced a debug build of tcnative (and other
> >> components?) could you post the debug trace of the native stack?
> > 
> > Unfortunately I can't. While I have the files with debug symbols I am 
> > limited by https://github.com/mturk/cmsc?tab=readme-ov-file#warning. I 
> > don't have a full blown Visual Studio installed.
> 
> Okay. If you did build with VS, can you get a debug build with a backtrace?

Unfortunately not. Currently, I don't have the capacity to do so.


Re: Win10 installation progress

2024-05-19 Thread DdC
n82...@gmail.com
Dear Chuck Caldarale,
THANKS for your help / rolling up the sleeves now.

> Some of us have just given up on Windows entirely

Sure. I have installed tomcat also on two unix boxes among which ubuntu, 2019 before the transition now required. Dealing here with a legacy situation. [[[ For your chuckles:: j2ee.jar was used in tomcat4.04 ]]]
THANKS AGAIN. {{{ Purpose of life: helping other people - you did it. }}}
dennis de champeaux
--
Home page: rs6.risingnet.net/~ddcc
Marketing site: www . OntoOO.com
Kindle books:
  Side Effects: Impacts on the 21st Century:: https://www.amazon.com/-/es/Dennis-Champeaux-ebook/dp/B09MHJ5W48
  Even if not true:: https://www.amazon.com/-/es/Dennis-Champeaux-ebook/dp/B09Y4WR9J7
  9/11:: They had the Sun in their Eyes: https://www.amazon.com/11-They-had-their-Eyes-ebook/dp/B0CMQ2WSK9 https://www.amazon.nl/dp/B0CMQ2WSK9

Re: Win10 installation progress

2024-05-18 Thread Chuck Caldarale

> On May 18, 2024, at 22:40, DdC  wrote:
> 
> Gave up on installing 9.0.88. on Win10. 


Some of us have just given up on Windows entirely…


> Succeeded with 10.1.23 and jdk-18.0.2.1. The lib directory has j2ee.jar, which 
> I have used in earlier tomcat versions.


Not lately. I can’t recall when j2ee.jar was last useful, but I’m pretty sure 
it’s been well over a decade. You most likely need to delete it.


> Compilation of a system was OK apart from some warnings because Java 
> has changed since the code was written. There is a web.xml file in 
> WEB-INF. Invoking a servlet gives a 500 error with the ominous complaint:
> class su.SUlogin cannot be cast to jakarta.servlet.Servlet (su.SUlogin is 
> in unnamed module of loader org.apache.catalina ... )


First, look at the Tomcat migration guides: 
https://tomcat.apache.org/migration.html

You’ll need to review each one, starting with the last version of Tomcat you 
were using, up to the one for 10.1. In particular, when Oracle gave control of 
the Java EE spec to Eclipse, the classes were renamed from javax to jakarta for 
legal reasons, so all code using the old class names must be updated to the 
revised ones. This can be done with a migration tool supplied by Tomcat:

https://tomcat.apache.org/download-migration.cgi

or by placing old apps in the webapps-javaee directory rather than webapps and 
letting Tomcat convert them automatically. Look at the documentation for the 
legacyAppBase attribute of the  element:

https://tomcat.apache.org/tomcat-10.1-doc/config/host.html#Common_Attributes

  - Chuck



Win10 installation progress

2024-05-18 Thread DdC
Dear Tomcatters,
Gave up on installing 9.0.88. on Win10. Succeeded with 10.1.23 
and jdk-18.0.2.1. The lib directory has j2ee.jar, which I have used in 
earlier tomcat versions. Compilation of a system was OK apart from some warnings 
because Java has changed since the code was written. There is a web.xml file in 
WEB-INF. Invoking a servlet gives a 500 error with the ominous complaint:
    class su.SUlogin cannot be cast to jakarta.servlet.Servlet (su.SUlogin is in 
    unnamed module of loader org.apache.catalina ... )
Looks like that my code is quite out of date. Any suggestion for a fix? Going 
back to an earlier tomcat?
dennis de champeaux

Re: JVM crashing with caCertificatePath in server.xml

2024-05-17 Thread Christopher Schultz

Michael,

On 5/17/24 03:42, Michael Osipov wrote:

On 2024/05/16 21:37:34 Christopher Schultz wrote:

Michael,

On 5/16/24 12:00, Michael Osipov wrote:

On 2024/05/16 15:55:04 Andy Arismendi wrote:

Ok great! Thank you for taking the time and making the effort to look into this 
Michael, much appreciated!


Here is a dynamically linked, patched version until there is an official 
release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/

Please give it a try.


Since you have produced a debug build of tcnative (and other
components?) could you post the debug trace of the native stack?


Unfortunately I can't. While I have the files with debug symbols I am limited 
by https://github.com/mturk/cmsc?tab=readme-ov-file#warning. I don't have a 
full blown Visual Studio installed.


Okay. If you did build with VS, can you get a debug build with a backtrace?

I guess you already tracked the crash to openssl_fopen. When I did a 
decompile of the official binary, I can see the code but it's very 
difficult to read:


void FUN_1800cccd0(char *param_1,char *param_2)

{
  char cVar1;
  longlong lVar2;
  int iVar3;
  DWORD DVar4;
  char *pcVar5;
  FILE *pFVar6;
  int *piVar7;
  ulonglong uVar8;
  uint uVar9;
  int cbMultiByte;
  undefined *puVar10;
  undefined *puVar11;
  uint uVar12;
  undefined8 uStackY_80;
  undefined auStackY_78 [32];
  wchar_t local_48 [8];
  ulonglong local_38;
  undefined8 uStack_30;

  uStack_30 = 0x1800ccce3;
  local_38 = DAT_18033f868 ^ (ulonglong)local_48;
  cVar1 = *param_1;
  uVar12 = 0;
  pcVar5 = param_1;
  for (uVar9 = uVar12; (cVar1 != '\0' && (uVar9 < 0x8000)); uVar9 = 
uVar9 + 1) {

pcVar5 = pcVar5 + 1;
cVar1 = *pcVar5;
  }
  cbMultiByte = (uVar9 & 0x7fff) + 1;
  uStackY_80 = 0x1800ccd50;
  iVar3 = MultiByteToWideChar(0xfde9,8,param_1,cbMultiByte,(LPWSTR)0x0,0);
  DVar4 = 8;
  if (iVar3 < 1) {
uStackY_80 = 0x1800ccd5d;
DVar4 = GetLastError();
if (DVar4 == 0x3ec) {
  uStackY_80 = 0x1800ccd84;
  iVar3 = 
MultiByteToWideChar(0xfde9,0,param_1,cbMultiByte,(LPWSTR)0x0,0);

  DVar4 = 0;
  if (0 < iVar3) goto LAB_1800ccdac;
}
uStackY_80 = 0x1800ccd91;
DVar4 = GetLastError();
puVar10 = auStackY_78;
puVar11 = auStackY_78;
if (DVar4 != 0x459) goto LAB_1800cce89;
  }
  else {
LAB_1800ccdac:
uVar8 = (longlong)iVar3 * 2 + 0xf;
if (uVar8 <= (ulonglong)((longlong)iVar3 * 2)) {
  uVar8 = 0xff0;
}
uStackY_80 = 0x1800ccdd1;
lVar2 = -(uVar8 & 0xfff0);
*(int *)( + lVar2) = iVar3;
*(wchar_t **)( + lVar2) = (wchar_t 
*)((longlong)local_48 + lVar2);

*(undefined8 *)(auStackY_78 + lVar2 + -8) = 0x1800ccdf7;
iVar3 = MultiByteToWideChar(0xfde9,DVar4,param_1,cbMultiByte,
*(LPWSTR *)( + 
lVar2),
*(int *)( + 
lVar2));

puVar11 = auStackY_78 + lVar2;
if (iVar3 == 0) goto LAB_1800cce89;
cVar1 = *param_2;
pcVar5 = param_2;
for (; (cVar1 != '\0' && (uVar12 < 0x8000)); uVar12 = uVar12 + 1) {
  pcVar5 = pcVar5 + 1;
  cVar1 = *pcVar5;
}
*(undefined4 *)( + lVar2) = 8;
*(wchar_t **)( + lVar2) = local_48;
*(undefined8 *)(auStackY_78 + lVar2 + -8) = 0x1800cce4d;
iVar3 = MultiByteToWideChar(0xfde9,0,param_2,(uVar12 & 0x7fff) + 1,
*(LPWSTR *)( + 
lVar2),
*(int *)( + 
lVar2));

puVar11 = auStackY_78 + lVar2;
if (iVar3 == 0) goto LAB_1800cce89;
*(undefined8 *)(auStackY_78 + lVar2 + -8) = 0x1800cce5d;
pFVar6 = _wfopen((wchar_t *)((longlong)local_48 + lVar2),local_48);
puVar11 = auStackY_78 + lVar2;
if (pFVar6 != (FILE *)0x0) goto LAB_1800cce89;
*(undefined8 *)(auStackY_78 + lVar2 + -8) = 0x1800cce6a;
piVar7 = _errno();
puVar10 = auStackY_78 + lVar2;
if (*piVar7 != 2) {
  *(undefined8 *)(auStackY_78 + lVar2 + -8) = 0x1800cce78;
  piVar7 = _errno();
  puVar10 = auStackY_78 + lVar2;
  puVar11 = auStackY_78 + lVar2;
  if (*piVar7 != 9) goto LAB_1800cce89;
}
  }
  *(undefined8 *)(puVar10 + -8) = 0x1800ccda7;
  fopen(param_1,param_2);
  puVar11 = puVar10;
LAB_1800cce89:
  uVar8 = local_38 ^ (ulonglong)local_48;
  *(undefined8 *)(puVar11 + -8) = 0x1800cce95;
  FUN_180263660(uVar8);
  return;
}

Thanks for helping to at least link it to this openssl source:

https://github.com/openssl/openssl/blob/45f5d51b72a262bf85c4461fbded91485ce6b9da/crypto/o_fopen.c#L38

Since libtcnative.dll is statically-linked, it doesn't even need a 
symbol table for internal calls so the openssl_fopen token is completely 
lost. Also, libtcnative contains all of TCN, APR, and OpenSSL. TCN 
doesn't make direct Win32 calls so that leaves ... all of APR and 
OpenSSL to search for this pattern of calls.


Since you know where the fault is occurring, do you know the native 
call-trace being performed? I'd love to know which component along the 
way is not properly checking for 

Is there any way to add "connection: close" response header via http/1.1 connection after graceful shutdown begin by outside library

2024-05-17 Thread SG H
Hello all.
I have a question about the connection close header in the HTTP/1.1 protocol.

While configuring a k8s environment running a Spring Boot server behind an Application
Load Balancer (a.k.a. ALB),
I heard there is a chance that clients can get a 503 from the ALB.

The ALB is communicating with a pod using HTTP/1.1 in my case.
When I do a rolling update of pods with a new image in k8s, there must be newly
created pods and terminating pods.
And in the terminating pods, Spring Boot is in the graceful shutdown phase, so new
connections to these will get an RST packet from embedded Tomcat, I guess.
In addition, after the graceful shutdown phase begins, processed requests do not
include a connection response header.

Because of the above:

1. The ALB may try to connect to Spring Boot in the graceful shutdown phase, get an RST,
and respond to the client with a 503.
2. The ALB may get a response from Spring Boot in the graceful shutdown phase which
has no connection header.
So, if the next request is fired, the ALB tries to reuse the current connection because
the earlier connection is recognized as keep-alive, then gets an RST, and the ALB
responds to the client with a 503.

This may be solved by making the ALB retry connecting to another instance several
times until it gets a successful packet, not an RST.
But this behavior seems not good because the ALB may get an RST for another reason.

If I use HTTP/2, I get a GOAWAY frame when the graceful shutdown phase begins, from the
connection asynchronously.
And this behavior is done by Tomcat.
But I can't use HTTP/2 in my environment now.

It seems Golang had an issue similar to this before, so it looks like it has code
that adds a connection: close response header in the shutdown phase.

https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/server.go;l=1512
https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/server.go;l=1355
https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/server.go;l=1266
https://cs.opensource.google/go/go/+/refs/tags/go1.22.3:src/net/http/server.go;l=3385

Is there any good solution I can try?

https://github.com/spring-projects/spring-boot/issues/40802

I raised a PR on the Spring Boot GitHub about this, and I heard this behavior
might be modified on the Tomcat side.

I used embedded Tomcat 10.1.17 (in Spring Boot 3.2.1)
Run on a MacBook Pro M1

Best regards, SaeGon-Heo
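As an added example (not code from this thread, nor from Spring Boot or Tomcat), here is the Go-style workaround SaeGon-Heo describes done at the application level: a servlet filter that adds "Connection: close" to every response once the context has started closing, so an HTTP/1.1 load balancer stops reusing the connection. It assumes a Spring Boot 3.x application with embedded Tomcat; the package and class names are hypothetical.

```java
// Hypothetical package; added example, not part of Spring Boot or Tomcat.
package example.shutdown;

import java.io.IOException;
import java.util.concurrent.atomic.AtomicBoolean;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.event.ContextClosedEvent;
import org.springframework.context.event.EventListener;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

// Registered automatically by Spring Boot because it is a Filter bean.
// Highest precedence so the header is set even when a later filter
// short-circuits the chain (authentication failures, rate limiting, ...).
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ShutdownConnectionCloseFilter implements Filter {

    // Flipped exactly once when shutdown begins; read on every request.
    private final AtomicBoolean shuttingDown = new AtomicBoolean(false);

    // ContextClosedEvent is published before the lifecycle beans are stopped,
    // and the embedded server's graceful shutdown runs as one of those
    // lifecycle stops, so the flag is already set for the whole grace period
    // during which in-flight and keep-alive requests are still served.
    @EventListener(ContextClosedEvent.class)
    public void onContextClosed() {
        shuttingDown.set(true);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (shuttingDown.get() && res instanceof HttpServletResponse http) {
            // Tomcat's HTTP/1.1 processor honours an application-set
            // "Connection: close": it drops keep-alive and closes the socket
            // after this response, so the ALB cannot reuse the connection
            // and hit a RST on the next request.
            http.setHeader("Connection", "close");
        }
        chain.doFilter(req, res);
    }
}
```

This covers the second case in the list above (an idle keep-alive connection reused after shutdown began); it does nothing for the first case, a connection the ALB opens after the connector has stopped accepting, which only the load balancer's readiness handling can avoid.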


Re: JVM crashing with caCertificatePath in server.xml

2024-05-17 Thread Michael Osipov
On 2024/05/16 21:37:34 Christopher Schultz wrote:
> Michael,
> 
> On 5/16/24 12:00, Michael Osipov wrote:
> > On 2024/05/16 15:55:04 Andy Arismendi wrote:
> >> Ok great! Thank you for taking the time and making the effort to look into 
> >> this Michael, much appreciated!
> > 
> > Here is a dynamically linked, patched version until there is an official 
> > release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/
> > 
> > Please give it a try.
> 
> Since you have produced a debug build of tcnative (and other 
> components?) could you post the debug trace of the native stack?

Unfortunately I can't. While I have the files with debug symbols I am limited 
by https://github.com/mturk/cmsc?tab=readme-ov-file#warning. I don't have a 
full blown Visual Studio installed.

M

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Regarding Tomcat url redirection

2024-05-16 Thread Christopher Schultz

Lavanya,

On 5/15/24 09:09, lavanya tech wrote:

Hi Chris,





If i remove this from server.xml file i have the below error.

Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

Exception

jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
org/towl/indexer/web/Prefix
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)


That smells like a CLASSPATH problem where your application is not 
actually packaged properly. It could be something else, but it looks 
suspicious.



The "aliasing" will always be weird. IMO it's better to redirect. If you
change to redirect, does everything *work*, even if you don't like how
the browser's URL bar displays?
   --> I tried but it did not work
ok apart from this topic, we have one more issue found.


Actually application team, they are deploying two applications one with
towl (which you are already aware) the other one is (towl-app) they have
defined separate server.xml for both.


Separate server.xml files means that you have to have two separate 
Tomcat processes.



Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example.lbg.com


Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example-app.lbg.com

which means we have two aliases for server.lbg.com, earlier we were
concentrating only on one example.lbg.com, now i wanted to somehow enable
access as the same for the other one also
https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app

So i created iptable rule in the same way as before redirect 443 to 8444 and
i have the urls working same as example.lbg.com

Both the server.xml files are here

/git/towl/apachetomcat/conf/server.xml
/git/towl-app/apachetomcat/conf/server.xml --> I changed the port of
connectors and everything

But now when i try to access https://example.lbg.com --> I get webpage of
https://example-app.lbg.com and sometimes i get webpage of
https://example.lbg.com after refresh itself which is weird

May I know why this is happening. If we fix this then I am thinking to
disable the unwanted urls leaving the required ones. for example the below
ones. I think that would be easier ? rather than redirecting or aliasing-->
Because we noticed that towl application is already pointing with
https://example.lbg.com

https://server.lbg.com:8443
   https://example-lbg.com:8443
   

https://server.lbg.com:8444
   https://example-lbg.com:8444
   


kindly suggest us a fix.


The best fix is to deploy the two applications normally without any 
funny business. Put both applications into webapps/ with no  
elements in server.xml and let them deploy. Use the correct URLs to 
access them. It's obviously some internal thing to your company because 
nobody is going to use :8443 in the real world.


I'm sorry, but it seems like you are being given arbitrary and weird 
requirements almost as a game.


I'm not sure I can help you any further at this point.

-chris


On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <ch...@christopherschultz.net> wrote:


Lavanya,

On 5/15/24 04:43, lavanya tech wrote:

Thought to write you privately, regarding the tomcat url redirection as
the mail chain is getting more big big


It's better to post to the list, so anyone in your situation can learn
from it.


Let me know if its fine for you and here is what I did.

1)  



Don't do this. Just put towl.war into webapps/ and let it auto-deploy.
What you are doing here is double-deploying your "towl" application:
once as "" (ROOT) and once as "/towl". Remove this from server.xml.






Okay.


2) I have towl application and towl.war under webapps directory
3) added  proxy port and proxyname to connector

  
 proxyPort="8443" proxyName="server.lbg.com
">
  
  
  
  
  


Okay.


4) added rewrite.config under conf directory
  > # Redirect everything that is not server.lbg.com to
  > # server.lbg.com. Don't worry about /towl yet.
  >
  > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
  > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [L]
  >
  > # Redirect anything that isn't already going to /towl
  > # to go to /towl
  > RewriteCond %{REQUEST_URI} !^/towl
  > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [L]

5) restarted tomcat
6) can access all the urls https://server.lbg.com:8443, https://server.lbg.com


Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Christopher Schultz

Michael,

On 5/16/24 12:00, Michael Osipov wrote:

On 2024/05/16 15:55:04 Andy Arismendi wrote:

Ok great! Thank you for taking the time and making the effort to look into this 
Michael, much appreciated!


Here is a dynamically linked, patched version until there is an official 
release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/

Please give it a try.


Since you have produced a debug build of tcnative (and other 
components?) could you post the debug trace of the native stack?


Ghidra has been *most* unhelpful, here, starting with the fact that it 
doesn't even get the file-offset correct when trying to jump.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Michael Osipov
On 2024/05/16 15:55:04 Andy Arismendi wrote:
> Ok great! Thank you for taking the time and making the effort to look into 
> this Michael, much appreciated!

Here is a dynamically linked, patched version until there is an official 
release: http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/

Please give it a try.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Andy Arismendi
Ok great! Thank you for taking the time and making the effort to look into this 
Michael, much appreciated!

-Andy



Re: JVM crashing with caCertificatePath in server.xml

2024-05-16 Thread Michael Osipov
On 2024/05/15 20:35:08 Michael Osipov wrote:
> On 2024/05/15 14:41:43 Michael Osipov wrote:
> > Good news. I can reproduce on Windows:
> > 15-May-2024 16:40:31.092 INFORMATION [main] 
> > org.apache.coyote.AbstractProtocol.init Initialisiere 
> > ProtocolHandler["https-openssl-apr-18444"]
> > 15-May-2024 16:40:31.144 WARNUNG [main] 
> > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
> > [ciphers] attribute in a manner consistent with the latest OpenSSL 
> > development branch. Some of the specified [ciphers] are not supported by 
> > the configured SSL engine for this connector (which may use JSSE or an 
> > older OpenSSL version) and have been skipped: 
> > [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, TLS_DH_RSA_WITH_AES_256_GCM_SHA384, 
> > TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> > TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
> > TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
> > TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
> > TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
> > #
> > # A fatal error has been detected by the Java Runtime Environment:
> > #
> > #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, 
> > pid=33136, tid=0x55b8
> > #
> > # JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
> > (8.0_362-b09) (build 1.8.0_362-b09)
> > # Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
> > compressed oops)
> > # Problematic frame:
> > # C  [tcnative-1.dll+0xccd10]
> > #
> > # Failed to write core dump. Minidumps are not enabled by default on client 
> > versions of Windows
> > #
> > # An error report file with more information is saved as:
> > # C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
> > #
> > # If you would like to submit a bug report, please visit:
> > #   http://www.azul.com/support/
> > # The crash happened outside the Java Virtual Machine in native code.
> > # See problematic frame for where to report the bug.
> > #
> > 
> > I will do a custom build of Tomcat Native and see where it crashes. Stay 
> > tuned.
> 
> Found the bug: It is either a flaw or uncertainty in OpenSSL. Details follow 
> tomorrow.

Details:

Reported the issue upstream: https://github.com/openssl/openssl/issues/24416
I will push a temporary fix until upstream properly handles NULL input.

Partially OT: After testing here in and out I am convinced that the code after 
SSL_CTX_load_verify_locations() does absolutely not do what the author 
intended to do. The code block messes up CA certification for client 
verification with the request DNs for client cert auth. I will report a 
separate issue because it is unrelated.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 14:41:43 Michael Osipov wrote:
> Good news. I can reproduce on Windows:
> 15-May-2024 16:40:31.092 INFORMATION [main] 
> org.apache.coyote.AbstractProtocol.init Initialisiere 
> ProtocolHandler["https-openssl-apr-18444"]
> 15-May-2024 16:40:31.144 WARNUNG [main] 
> org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
> [ciphers] attribute in a manner consistent with the latest OpenSSL 
> development branch. Some of the specified [ciphers] are not supported by the 
> configured SSL engine for this connector (which may use JSSE or an older 
> OpenSSL version) and have been skipped: [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 
> TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
> TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, 
> pid=33136, tid=0x55b8
> #
> # JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
> (8.0_362-b09) (build 1.8.0_362-b09)
> # Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
> compressed oops)
> # Problematic frame:
> # C  [tcnative-1.dll+0xccd10]
> #
> # Failed to write core dump. Minidumps are not enabled by default on client 
> versions of Windows
> #
> # An error report file with more information is saved as:
> # C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://www.azul.com/support/
> # The crash happened outside the Java Virtual Machine in native code.
> # See problematic frame for where to report the bug.
> #
> 
> I will do a custom build of Tomcat Native and see where it crashes. Stay 
> tuned.

Found the bug: It is either a flaw or uncertainty in OpenSSL. Details follow 
tomorrow.




Aw: Re: Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
> You need to do what the instructions state: create a FIFO and specify its 
> name in the CATALINA_OUT variable. For example, do

Ah, yes,

mkfifo catalina.out

fixed it for me. I had no idea what a FIFO is; now I know.

Kind regards




Re: Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Chuck Caldarale

> On May 15, 2024, at 12:43, Peter Rader  wrote:
> 
> my catalina.out is getting bigger and bigger.


(I should insert a philosophical discussion on not using stdout for application 
logging here, but I'll leave that for some other time.)


> In order to have smaller catalina.out I noticed this environment-variable: 
> CATALINA_OUT_CMD
> 
> Inside the catalina.sh is documented:
> 
> # CATALINA_OUT_CMD (Optional) Command which will be executed and receive
> #   as its stdin the stdout and stderr from the Tomcat java
> #   process. If CATALINA_OUT_CMD is set, the value of
> #   CATALINA_OUT will be used as a named pipe.
> #   No default.
> #   Example (all one line)
> #   CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
> $CATALINA_BASE/logs/catalina.out.%Y-%m-%d.log 86400"
> 
> I try to use that example and export this variable before start of tomcat:
> 
>   export CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
> /home/tomcat/apache-tomcat-9.0.75/logs/catalina.out.%Y-%m-%d.log 86400" 
> 
> Unfortunately the tomcat does not work anymore; instead this message appears:
> 
>/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out exists and is not a 
> named pipe. Start aborted.


You need to do what the instructions state: create a FIFO and specify its name 
in the CATALINA_OUT variable. For example, do

mkfifo logs/catalina_out.pipe

one time, before starting Tomcat, then add the following to bin/setenv.sh:

export CATALINA_OUT="$CATALINA_HOME/logs/catalina_out.pipe"
export CATALINA_OUT_CMD="rotatelogs -f $CATALINA_HOME/logs/catalina.out.%Y-%m-%d.log 86400"

This causes Tomcat to use the named pipe rather than logs/catalina.out for 
stdout and stderr messages, and then invoke rotatelogs to process the entries. 
As an alternative to setting CATALINA_OUT, you could just delete the existing 
logs/catalina.out file and recreate it as a FIFO, but I wouldn’t recommend it 
due to potential confusion.

  - Chuck
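
As an added example (not code from Chuck's or Peter's messages), here is a POSIX sh script that performs the FIFO check and one-time setup described above, then pushes a few lines through the pipe to a stand-in consumer (plain `cat` instead of rotatelogs, so it runs without Apache's tools). The check function is an assumption modelled on the "exists and is not a named pipe. Start aborted." message quoted in the thread, and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a stand-in for the CATALINA_OUT /
# CATALINA_OUT_CMD plumbing. The check below is an assumption modelled on the
# "exists and is not a named pipe. Start aborted." message quoted above.

# Return 0 when $1 can serve as the named pipe for CATALINA_OUT (absent or
# already a FIFO), 1 when a regular file is sitting at that path.
check_catalina_out() {
  out="$1"
  if [ -e "$out" ] && [ ! -p "$out" ]; then
    echo "$out exists and is not a named pipe. Start aborted." >&2
    return 1
  fi
  return 0
}

# The one-time "mkfifo" step: create the FIFO unless it is already there.
prepare_catalina_out() {
  out="$1"
  check_catalina_out "$out" || return 1
  [ -p "$out" ] || mkfifo "$out" || return 1
  return 0
}

# Simulate a Tomcat run: start the consumer command on the pipe (here plain
# cat appending to $2 instead of rotatelogs), write the remaining arguments
# through the pipe as the JVM's stdout/stderr would be, wait for the consumer
# and print how many lines it captured.
pipe_lines_through() {
  out="$1"
  dest="$2"
  shift 2
  ( cat "$out" >> "$dest" ) &
  consumer=$!
  for line in "$@"; do
    echo "$line"
  done > "$out"
  wait "$consumer"
  wc -l < "$dest" | tr -d ' '
}

# Usage, mirroring the setenv.sh fragment above (paths are placeholders):
#   prepare_catalina_out "$CATALINA_HOME/logs/catalina_out.pipe"
#   export CATALINA_OUT="$CATALINA_HOME/logs/catalina_out.pipe"
#   export CATALINA_OUT_CMD="rotatelogs -f $CATALINA_HOME/logs/catalina.out.%Y-%m-%d.log 86400"
```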



Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
Hi,

my catalina.out is getting bigger and bigger.

In order to have smaller catalina.out I noticed this environment-variable: 
CATALINA_OUT_CMD

Inside the catalina.sh is documented:

# CATALINA_OUT_CMD (Optional) Command which will be executed and receive
#   as its stdin the stdout and stderr from the Tomcat java
#   process. If CATALINA_OUT_CMD is set, the value of
#   CATALINA_OUT will be used as a named pipe.
#   No default.
#   Example (all one line)
#   CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
$CATALINA_BASE/logs/catalina.out.%Y-%m-%d.log 86400"

I try to use that example and export this variable before start of tomcat:

   export CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out.%Y-%m-%d.log 86400" 

Unfortunately the tomcat does not work anymore; instead this message appears:

/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out exists and is not a 
named pipe. Start aborted.
 
Any ideas?
 
Kind regards

Peter Rader




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
Good news. I can reproduce on Windows:
15-May-2024 16:40:31.092 INFORMATION [main] 
org.apache.coyote.AbstractProtocol.init Initialisiere 
ProtocolHandler["https-openssl-apr-18444"]
15-May-2024 16:40:31.144 WARNUNG [main] 
org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the 
[ciphers] attribute in a manner consistent with the latest OpenSSL development 
branch. Some of the specified [ciphers] are not supported by the configured SSL 
engine for this connector (which may use JSSE or an older OpenSSL version) and 
have been skipped: [[TLS_DH_DSS_WITH_AES_256_GCM_SHA384, 
TLS_DH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_128_CCM_SHA256, 
TLS_DH_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256]]
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x024928d5cd10, pid=33136, 
tid=0x55b8
#
# JRE version: OpenJDK Runtime Environment (Zulu 8.68.0.21-CA-win64) 
(8.0_362-b09) (build 1.8.0_362-b09)
# Java VM: OpenJDK 64-Bit Server VM (25.362-b09 mixed mode windows-amd64 
compressed oops)
# Problematic frame:
# C  [tcnative-1.dll+0xccd10]
#
# Failed to write core dump. Minidumps are not enabled by default on client 
versions of Windows
#
# An error report file with more information is saved as:
# C:\Temp\apache-tomcat-9.0.89\hs_err_pid33136.log
#
# If you would like to submit a bug report, please visit:
#   http://www.azul.com/support/
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

I will do a custom build of Tomcat Native and see where it crashes. Stay tuned.

M




Re: Regarding Tomcat url redirection

2024-05-15 Thread lavanya tech
Hi Chris,

>

If I remove this from the server.xml file I have the below error.

Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

Exception

jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
org/towl/indexer/web/Prefix
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)

The "aliasing" will always be weird. IMO it's better to redirect. If you
change to redirect, does everything *work*, even if you don't like how
the browser's URL bar displays?
  --> I tried but it did not work.
OK, apart from this topic, we have found one more issue.


Actually the application team is deploying two applications, one with
towl (which you are already aware of), the other one is (towl-app); they have
defined separate server.xml files for both.

Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example.lbg.com


Name:server.lbg.com
Address:  192.168.200.120
Aliases:  example-app.lbg.com

which means we have two aliases for server.lbg.com; earlier we were
concentrating only on one, example.lbg.com, now I want to somehow enable
access in the same way for the other one also:
https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app

So I created an iptables rule in the same way as before, redirecting 443 to 8444, and
I have the URLs working the same as for example.lbg.com.

Both the server.xml files are here

/git/towl/apachetomcat/conf/server.xml
/git/towl-app/apachetomcat/conf/server.xml --> I changed the port of
connectors and everything

But now when I try to access https://example.lbg.com --> I get the webpage of
https://example-app.lbg.com, and sometimes I get the webpage of
https://example.lbg.com after a refresh, which is weird.

May I know why this is happening? If we fix this, then I am thinking of
disabling the unwanted URLs, leaving the required ones, for example the below
ones. I think that would be easier, rather than redirecting or aliasing -->
because we noticed that the towl application is already pointing to
https://example.lbg.com

   https://server.lbg.com:8443
  https://example-lbg.com:8443
  

   https://server.lbg.com:8444
  https://example-lbg.com:8444
  


Kindly suggest us a fix.

Thanks once again for your time

Regards,
Lavanya




On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 5/15/24 04:43, lavanya tech wrote:
> > Thought to write you privately, regarding the Tomcat URL redirection as
> > the mail chain is getting bigger and bigger
>
> It's better to post to the list, so anyone in your situation can learn
> from it.
>
> > Let me know if it's fine for you and here is what I did.
> >
> > 1)   > autoDeploy="true">
> >
>
> Don't do this. Just put towl.war into webapps/ and let it auto-deploy.
> What you are doing here is double-deploying your "towl" application:
> once as "" (ROOT) and once as "/towl". Remove this from server.xml.
>
> >
> > > className="org.apache.catalina.valves.rewrite.RewriteValve" />
>
> Okay.
>
> > 2) I have towl application and towl.war under webapps directory
> > 3) added  proxy port and proxyname to connector
> >
> >   > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="150" SSLEnabled="true">
> > proxyPort="8443" proxyName="server.lbg.com
> > ">
> >   > className="org.apache.coyote.http2.Http2Protocol" />
> >  
> >   >   certificateKeystorePassword="pass"
> >   type="RSA" />
> >  
> >  
>
> Okay.
>
> > 4) added rewrite.config under conf directory
> >  > # Redirect everything that is not server.lbg.com
> >  to
> >  > # server.lbg.com . Don't worry about /towl
> yet.
> >  > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> >  > RewriteRule ^/(.*) https://server.lbg.com:8443/$1
> >  [L]
> >  >
> >  > # Redirect anything that isn't already going to /towl
> >  > # to go to /towl
> >  > RewriteCond %{REQUEST_URI} !^/towl
> >  > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1
> >  [L]
> >
> > 5) restarted tomcat
> > 6) can access all the urls https://server.lbg.com:8443
> > , https://server.lbg.com
> > , https://server.lbg.com:8443/towl
> > , https://server.lbg.com/towl
> > 
> > https://example.lbg.com:8443 ,
> > https://example.lbg.com 

Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Andy Arismendi
Ah, wasn’t sure if attachments worked; log content information below. Yeah, the 
docs just say a directory for trusted CA PEM certificates.


TOMCAT DOCS

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html: caCertificatePath 
(OpenSSL only) Name of the directory that contains the certificates for the 
trusted certificate authorities. The format is PEM-encoded.


CATALINA LOG FINE LEVEL CONTENT

15-May-2024 01:37:45.569 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
Apache Tomcat/9.0.89
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server built:  
May 3 2024 20:22:11 UTC
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version number: 
9.0.89.0
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Name:   
Windows Server 2019
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log OS Version:
10.0
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Architecture:  
amd64
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Java Home: 
D:\Program Files\Java\jre
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Version:   
1.8.0_322-b06
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
Azul Systems, Inc.
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: 
D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: 
D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.config.file=D:\Program 
Files\apache-tomcat\conf\logging.properties
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djdk.tls.ephemeralDHKeySize=2048
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dignore.endorsed.dirs=
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.base=D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Dcatalina.home=D:\Program Files\apache-tomcat
15-May-2024 01:37:45.584 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Command line argument: 
-Djava.io.tmpdir=D:\Program Files\apache-tomcat\temp
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache 
Tomcat Native library [1.3.0] using APR version [1.7.4].
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: 
IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
15-May-2024 01:37:45.600 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL 
configuration: useAprConnector [false], useOpenSSL [true]
15-May-2024 01:37:45.647 FINE [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL Current FIPS mode: 
[1]
15-May-2024 01:37:45.647 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL Using OpenSSL with 
the FIPS provider as the default provider
15-May-2024 01:37:45.647 INFO [main] 
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
15-May-2024 01:37:45.756 FINE [main] 
org.apache.tomcat.util.modeler.Registry.getMBeanServer Created MBeanServer
15-May-2024 01:37:46.069 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[org.apache.catalina.deploy.NamingResourcesImpl@5e955596] to [INITIALIZING]
15-May-2024 01:37:46.084 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[org.apache.catalina.deploy.NamingResourcesImpl@5e955596] to [INITIALIZED]
15-May-2024 01:37:46.116 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 
[StandardService[Catalina]] to [INITIALIZING]
15-May-2024 01:37:46.116 FINE [main] 
org.apache.catalina.util.LifecycleBase.setStateInternal Setting state for 

Re: Regarding Tomcat url redirection

2024-05-15 Thread Christopher Schultz

Lavanya,

On 5/15/24 04:43, lavanya tech wrote:
Thought to write you privately, regarding the Tomcat URL redirection as 
the mail chain is getting bigger and bigger


It's better to post to the list, so anyone in your situation can learn 
from it.



Let me know if it's fine for you and here is what I did.

1)      autoDeploy="true">

           


Don't do this. Just put towl.war into webapps/ and let it auto-deploy. 
What you are doing here is double-deploying your "towl" application: 
once as "" (ROOT) and once as "/towl". Remove this from server.xml.



           
           className="org.apache.catalina.valves.rewrite.RewriteValve" />


Okay.


2) I have towl application and towl.war under webapps directory
3) added  proxy port and proxyname to connector

     protocol="org.apache.coyote.http11.Http11NioProtocol"

                maxThreads="150" SSLEnabled="true">
                proxyPort="8443" proxyName="server.lbg.com 
">
         className="org.apache.coyote.http2.Http2Protocol" />

         
             
         
     


Okay.


4) added rewrite.config under conf directory
 > # Redirect everything that is not server.lbg.com 
 to

 > # server.lbg.com . Don't worry about /towl yet.
 > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
 > RewriteRule ^/(.*) https://server.lbg.com:8443/$1 
 [L]

 >
 > # Redirect anything that isn't already going to /towl
 > # to go to /towl
 > RewriteCond %{REQUEST_URI} !^/towl
 > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 
 [L]


5) restarted tomcat
6) can access all the urls https://server.lbg.com:8443 
, https://server.lbg.com 
, https://server.lbg.com:8443/towl 
, https://server.lbg.com/towl 

https://example.lbg.com:8443 , 
https://example.lbg.com , 
https://example.lbg.com:8443/towl , 
https://example.lbg.com/towl 


Unfortunately aliasing still does not work https://example.lbg.com 
 --> https://server.lbg.com:8443/towl 
 and many URLs work


The "aliasing" will always be weird. IMO it's better to redirect. If you 
change to redirect, does everything *work*, even if you don't like how 
the browser's URL bar displays?


-chris

On Tue, May 14, 2024 at 11:38 PM Christopher Schultz 
mailto:ch...@christopherschultz.net>> wrote:


Lavanya,

On 5/14/24 15:11, lavanya tech wrote:
 > You are right. We need aliasing here which means the URL in the
browser
 > does not change.
 > May I know where should I put the below rewrite files ?
 >
 > # Redirect everything that is not server.lbg.com
 to
 > # server.lbg.com . Don't worry about /towl
yet.
 > RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
 > RewriteRule ^/(.*) https://server.lbg.com:8443/$1
 [R=301,L]
 >
 > # Redirect anything that isn't already going to /towl
 > # to go to /towl
 > RewriteCond %{REQUEST_URI} !^/towl
 > RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1
 [R=301,L]

AIUI, you can put all of the above in conf/rewrite.config and configure
the  under your  just as you had it before.

If you want aliasing and not redirection, then you don't want the [R]
flag. IMO, you should really do a redirect. If you don't, then the
application and the browser disagree about the base URL and all
kinds of
things like that.

-chris

 > On Tuesday, May 14, 2024, Christopher Schultz
mailto:ch...@christopherschultz.net>>
 > wrote:
 >
 >> Lavanya,
 >>
 >> On 5/14/24 09:12, lavanya tech wrote:
 >>
 >>> IMHO removing the port number is always the preferred solution
— I never
  did it
 
 
 > can we achieve this with tomcat or we need to setup an
reverse proxy
 > here.
 >
 >
  Your application uses whatever internal URLs it wants. Are you
building
  those yourself, or are you asking Tomcat for the e.g.
hostname, etc.? If
  it's Tomcat, this is where the proxyName and proxyPort come in.
 
 >>>
 >>>    - Yes, I have not built these URLs before. It was working
from the
 >>> very
 >>> beginning. As I mentioned we are not able to reach the goal or
whatever.
 >>>
 >>> Rather than saying redirection, I would say it’s aliasing.
 >>>
 >>
 >> Please be specific. "Aliasing" (to me) means "the URL does to
the right
 >> place but doesn't change in the browser's URL" and "redirection" (to
 >> 

Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 01:51:41 Andy Arismendi wrote:
> ADDITIONAL ENVIRONMENT INFO UPDATE:
> 
> libtcnative: org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
> Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.4].
> 
> CRASH LOG
> 
> See enclosed: hs_err_pid4464.log
> 
> c_rehash.pl
> 
> I didn’t have perl, tried strawberry perl, it didn’t seem to create symlinks 
> on Windows so I do it with a powershell using "openssl x509 -subject_hash 
> -fingerprint -noout -in " making symlinks in the same directory for 
> each CA cert PEM e.g. a655d288.0 (link) -> cert.pem (file). This didn’t seem 
> to make a difference though, JVM still crashed.

To make sure I have just tried:
> 8981 2024-05-15T10:26:58.717 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
> Apache Tomcat/9.0.89
> 8982 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server built:  
> May 3 2024 20:22:11 UTC
> 8983 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Server version number: 
> 9.0.89.0
> 8984 2024-05-15T10:26:58.722 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log OS Name:   
> HP-UX
> 8985 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log OS Version:
> B.11.31
> 8986 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Architecture:  
> IA64N
> 8987 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log Java Home: 
> /opt/java8/jre
> 8988 2024-05-15T10:26:58.723 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log JVM Version:   
> 1.8.0.27-hp-ux-b1
> 8989 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:
> Hewlett Packard Enterprise Company
> 8990 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: 
> /var/opt/tomcat-services
> 8991 2024-05-15T10:26:58.724 INFORMATION [main] 
> org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: 
> /opt/ports/apache-tomcat-9.0.89
> 9015 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache 
> Tomcat Native library [1.3.0] using APR version [1.7.4].
> 9016 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR 
> capabilities: IPv6 [true], sendfile [true], accept filters [false], random 
> [true], UDS [true].
> 9017 2024-05-15T10:26:58.733 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL 
> configuration: useAprConnector [true], useOpenSSL [true]
> 9018 2024-05-15T10:26:58.816 INFORMATION [main] 
> org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL 
> successfully initialized [OpenSSL 3.0.13 30 Jan 2024]

With my smartcard it just works:
>  maxParameterCount="1000"
> maxHttpHeaderSize="24576" maxThreads="250"
> SSLEnabled="true" scheme="https" secure="true"
> defaultSSLHostConfigName="...">
>  honorCipherOrder="true" disableSessionTickets="true"
> certificateVerification="optional" certificateVerificationDepth="5"
> 
> ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384"
> caCertificatePath="/opt/openssl/certs">
>  certificateKeyFile="/opt/openssl/.../key.crt"
> certificateKeyPasswordFile="/opt/openssl/.../password" type="RSA" 
> />
> 
>  value="/opt/openssl/siemens-medium+strong-clientcert-cacerts.crt" />
> 
> 
> 
> 

M




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/14 20:27:02 Christopher Schultz wrote:
> 
> 
> On 5/14/24 15:23, Andy Arismendi wrote:
> > Sure thing -
> > 
> > ADDITIONAL ENVIRONMENT INFO:
> > 
> > libtcnative: tcnative-1.dll is included in the Tomcat 9.0.89 64-bit Windows 
> > zip download, not sure about the version...
> > OpenSSL version: 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) 
> > (with FIPS 140-2)
> > 
> > Regarding expecting a directory of certificate hash files, I wasn’t
> > aware of this, assumed it would pick up CA cert PEM files in a
> > directory.
> 
> The Tomcat documentation does say this just needs to be a directory full 
> of PEM files. I can trace through the code to see if it's more like what 
> Michael-O posted. Honestly, the whole idea of having to run c_rehash is 
> a stupid hack for stupid programs. You should never have to do that. :/

If the docs say so, then we need to fix the docs because all path input in 
OpenSSL expects simplified subject hashes. Anything else will not work/will be 
ignored. Use strace/truss/etc. and you will see what OpenSSL will try to read. 
"openssl s_server" will do the trick here for you.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-15 Thread Michael Osipov
On 2024/05/15 01:51:41 Andy Arismendi wrote:
> ADDITIONAL ENVIRONMENT INFO UPDATE:
> 
> libtcnative: org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
> Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.4].
> 
> CRASH LOG
> 
> See enclosed: hs_err_pid4464.log

Attachments are stripped. You need to upload it somewhere or send it via email.

Michael




Re: JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Andy Arismendi
ADDITIONAL ENVIRONMENT INFO UPDATE:

libtcnative: org.apache.catalina.core.AprLifecycleListener.lifecycleEvent 
Loaded Apache Tomcat Native library [1.3.0] using APR version [1.7.4].

CRASH LOG

See enclosed: hs_err_pid4464.log

c_rehash.pl

I didn’t have Perl; I tried Strawberry Perl, but it didn’t seem to create symlinks on 
Windows, so I did it with PowerShell using "openssl x509 -subject_hash 
-fingerprint -noout -in ", making symlinks in the same directory for 
each CA cert PEM, e.g. a655d288.0 (link) -> cert.pem (file). This didn’t seem to 
make a difference though, the JVM still crashed.

-Andy



Re: Regarding Tomcat url redirection

2024-05-14 Thread Christopher Schultz

Lavanya,

On 5/14/24 15:11, lavanya tech wrote:

You are right. We need aliasing here which means the URL in the browser
does not change.
May I know where should I put the below rewrite files ?

# Redirect everything that is not server.lbg.com to
# server.lbg.com. Don't worry about /towl yet.
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]

# Redirect anything that isn't already going to /towl
# to go to /towl
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]


AIUI, you can put all of the above in conf/rewrite.config and configure 
the  under your  just as you had it before.


If you want aliasing and not redirection, then you don't want the [R] 
flag. IMO, you should really do a redirect. If you don't, then the 
application and the browser disagree about the base URL and all kinds of 
things like that.


-chris


On Tuesday, May 14, 2024, Christopher Schultz 
wrote:


Lavanya,

On 5/14/24 09:12, lavanya tech wrote:


IMHO removing the port number is always the preferred solution — I never

did it



Can we achieve this with Tomcat, or do we need to set up a reverse proxy
here?



Your application uses whatever internal URLs it wants. Are you building
those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
it's Tomcat, this is where the proxyName and proxyPort come in.



   - Yes, I have not built these URLs before. It was working from the very
beginning. As I mentioned, we are not able to reach the goal or whatever.

Rather than saying redirection, I would say it’s aliasing.



Please be specific. "Aliasing" (to me) means "the URL goes to the right
place but doesn't change in the browser's URL" and "redirection" (to
everybody) means "HTTP 301 or 302 response to a new URL".

Instead of moving applications or changing the Tomcat configuration, is it easier
to achieve this with a reverse proxy?

https://example.lbg.com/ to https://server.lbg.com:8443/towl



This will be a nightmare. Do not try to rewrite URLs using a reverse
proxy. You should redirect users to the right place if necessary. You can
use a reverse-proxy if you want, but it won't be any less complicated than
having Tomcat do it.

I think your rewrite.config file just needs a few tweaks:

# Redirect everything that is not server.lbg.com to
# server.lbg.com. Don't worry about /towl yet.
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]

# Redirect anything that isn't already going to /towl
# to go to /towl
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]

The application should be deployed as towl.war (or towl/ directory). You
should listen on ports 80, 443, and 8443, and you should always end up at
the right place. You should have proxyPort="8443" and proxyName="
server.lbg.com" in your .

You will not need a ROOT context, since the rewrite will take care of that
for you.

-chris

On Mon, May 13, 2024 at 10:17 PM lavanya tech 

wrote:

Hi Chris,

Sorry, If I did confuse. It’s important that
https://server.lbg.com:8443/towl is always working. Goal is not to
disable /towl, but just redirect or aliasing

https://example.lbg.com/ to https://server.lbg.com:8443/towl




Thanks,
Lavanya

On Monday, May 13, 2024, Christopher Schultz <
ch...@christopherschultz.net



wrote:


Lavanya,

On 5/13/24 05:57, lavanya tech wrote:

Somehow made it work now i can only access urls as you mentioned before
https://example.lbg.com and https://server.lbg.com with port 8443 and
with
out

 https://example.lbg.com/towl and https://server.lbg.com/towl --> I
have an
error now File not found.

So i think we need to make work https://example.lbg.com/ to
https://server.lbg.com/towl


I'm sorry, I'm still confused as to which way you want things.

Do you want to redirect /towl -> / or do you want to redirect / ->
/towl?

Or does it depend upon the hostname? It would really be better if you
could settle on one specific behavior.

-chris

On Mon, May 13, 2024 at 9:41 AM lavanya tech 

wrote:

Hi Chris,


Where are you defining the RewriteValve itself?

Defined rewritevalve here
  

  
 resource="conf/rewrite.config" />

2) created rewrite.config and added as below under conf/

 RewriteCond %{REQUEST_URI} ^/towl/(.*)
 RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
already have this mappings /* in web.xml file)

   
  
Logging Area

Authentication for registered users.

/*
/api/v1/search 
/api/v1/suggest/* 
  

LDAP_USER
api



4) Restarted Tomcat, Then I cannot access
https://server.lbg.com:8443/towl
--> Have below error

Message java.nio.file.NoSuchFileException:

Re: JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Christopher Schultz




On 5/14/24 15:23, Andy Arismendi wrote:

Sure thing -

ADDITIONAL ENVIRONMENT INFO:

libtcnative: tcnative-1.dll is included in the Tomcat 9.0.89 64-bit Windows zip 
download, not sure about the version...
OpenSSL version: 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) (with 
FIPS 140-2)

Regarding expecting a directory of certificate hash files, I wasn’t
aware of this and assumed it would pick up CA cert PEM files in a
directory.


The Tomcat documentation does say this just needs to be a directory full 
of PEM files. I can trace through the code to see if it's more like what 
Michael-O posted. Honestly, the whole idea of having to run c_rehash is 
a stupid hack for stupid programs. You should never have to do that. :/



I would not expect this or an empty directory to crash the
JVM, however…

+1

Are you able to provide a better backtrace than 
"libtcnative.dll++0xccd10"? A Java stack trace would be great, but a 
native one would be even better.


-chris




Re: JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Michael Osipov
On 2024/05/14 19:23:47 Andy Arismendi wrote:
> Sure thing - 
> 
> ADDITIONAL ENVIRONMENT INFO:
> 
> libtcnative: tcnative-1.dll is included in the Tomcat 9.0.89 64-bit Windows 
> zip download, not sure about the version...
> OpenSSL version: 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) 
> (with FIPS 140-2)

Have a look at catalina.out, it should be 1.3.0, I guess.

> Regarding expecting a directory of certificate hash files, I wasn’t aware of 
> this and assumed it would pick up CA cert PEM files in a directory. I would 
> not expect this or an empty directory to crash the JVM, however…

Nope, it won't. See SSL_CTX_load_verify_locations at 
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html:
If CApath is not NULL, it points to a directory containing CA certificates in 
PEM format. The files each contain one CA certificate. The files are looked up 
by the CA subject name hash value, which must hence be available. If more than 
one CA certificate with the same name hash value exist, the extension must be 
different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the 
ordering of the extension number, regardless of other properties of the 
certificates. Use the c_rehash utility to create the necessary links.

Please don't forget the log file. The issue is somewhere here: 
https://github.com/apache/tomcat-native/blob/43ddd1e8059528454110198ca0d7d191322beeaf/native/src/sslcontext.c#L673-L738

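
The OpenSSL man page text Michael quotes above, and Andy's PowerShell workaround earlier in the thread (running `openssl x509 -subject_hash` and linking each PEM as `<hash>.0`), describe the same on-disk layout. The following is an added example, not code from the thread, from Tomcat Native or from OpenSSL: it shells out to the `openssl` binary (assumed to be on PATH) for the subject hash, applies the `.0`, `.1`, ... collision rule from the man page, and falls back to plain file copies where symlinks cannot be created, as on a Windows host. All function names are my own; the hash values in the comments are the ones quoted in the thread.

```python
"""Build an OpenSSL-style hashed CA directory (what caCertificatePath, i.e.
the CApath argument of SSL_CTX_load_verify_locations, expects).

Added example, not Tomcat's or OpenSSL's own code. Layout rule, as quoted
from the OpenSSL man page in the thread: each file is named <hash>.<n>,
where <hash> is the 8-hex-digit subject-name hash printed by
`openssl x509 -subject_hash -noout -in <cert>` and <n> counts up from 0
when several CA certificates share a hash (9d66eef0.0, 9d66eef0.1, ...).
The naming logic is pure Python so it can be checked without a cert store;
only subject_hash() needs the openssl binary (assumed to be on PATH).
"""
import os
import shutil
import subprocess
from collections import defaultdict
from pathlib import Path


def subject_hash(pem_path: Path) -> str:
    """Return the subject-name hash OpenSSL uses for CApath lookups.

    Runs `openssl x509 -subject_hash -noout -in <file>`; with -noout the
    only output line is the 8-hex-digit hash (the value c_rehash also uses).
    """
    out = subprocess.run(
        ["openssl", "x509", "-subject_hash", "-noout", "-in", str(pem_path)],
        check=True, capture_output=True, text=True,
    ).stdout
    h = out.strip().splitlines()[0].strip()
    if len(h) != 8 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"unexpected -subject_hash output for {pem_path}: {out!r}")
    return h


def assign_hashed_names(hashes: dict) -> dict:
    """Map source filename -> '<hash>.<n>' using OpenSSL's collision rule.

    `hashes` is {source_filename: subject_hash}. Sources that share a hash
    get extensions .0, .1, ... in sorted source-name order, so the result is
    deterministic; OpenSSL searches the extensions in numeric order.
    """
    by_hash = defaultdict(list)
    for src in sorted(hashes):
        by_hash[hashes[src]].append(src)
    names = {}
    for h, srcs in by_hash.items():
        for n, src in enumerate(srcs):
            names[src] = f"{h}.{n}"
    return names


def rehash_directory(ca_dir, copy=False):
    """Create <hash>.<n> entries for every *.pem / *.crt file in ca_dir.

    Relative symlinks are created where the platform allows them (as
    c_rehash does); pass copy=True, or let the fallback trigger, to write
    plain copies instead, which is what works on a Windows host without
    symlink privileges. Returns {created_name: source_filename}.
    """
    ca_dir = Path(ca_dir)
    pems = [p for p in ca_dir.iterdir()
            if p.is_file() and p.suffix.lower() in (".pem", ".crt")]
    names = assign_hashed_names({p.name: subject_hash(p) for p in pems})
    created = {}
    for src, hashed in names.items():
        target = ca_dir / hashed
        if target.exists() or target.is_symlink():
            target.unlink()                      # replace stale links/copies
        if copy:
            shutil.copyfile(ca_dir / src, target)
        else:
            try:
                os.symlink(src, target)          # relative link, like c_rehash
            except (OSError, NotImplementedError):
                shutil.copyfile(ca_dir / src, target)
        created[hashed] = src
    return created


if __name__ == "__main__":
    import sys
    # Usage: python rehash.py C:\PKI\CA  (the directory caCertificatePath points at)
    for hashed, src in sorted(rehash_directory(sys.argv[1]).items()):
        print(f"{hashed} -> {src}")
```

After running it against the directory, the strace/truss check Michael suggests (or `openssl s_server -CApath <dir>`) should show OpenSSL opening `<hash>.0` rather than failing on the original PEM names. This only gives OpenSSL the layout it expects; it does not address the native crash discussed in the thread.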



Re: JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Andy Arismendi
Sure thing - 

ADDITIONAL ENVIRONMENT INFO:

libtcnative: tcnative-1.dll is included in the Tomcat 9.0.89 64-bit Windows zip 
download, not sure about the version...
OpenSSL version: 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024) (with 
FIPS 140-2)

Regarding expecting a directory of certificate hash files, I wasn’t aware of 
this and assumed it would pick up CA cert PEM files in a directory. I would 
not expect this or an empty directory to crash the JVM, however…

-Andy


On May 14, 2024, at 2:53 PM, Michael Osipov  wrote:

Please provide the log file, the OpenSSL version used and the libtcnative 
version used. 
Please note that caCertificatePath expects a directory with certificate hash 
files. Plain certs won't work.

M



Re: Regarding Tomcat url redirection

2024-05-14 Thread lavanya tech
Hi Chris,

You are right. We need aliasing here which means the URL in the browser
does not change.
May I know where should I put the below rewrite files ?

# Redirect everything that is not server.lbg.com to
# server.lbg.com. Don't worry about /towl yet.
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]

# Redirect anything that isn't already going to /towl
# to go to /towl
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]

Thanks,
Lavanya

On Tuesday, May 14, 2024, Christopher Schultz 
wrote:

> Lavanya,
>
> On 5/14/24 09:12, lavanya tech wrote:
>
>> IMHO removing the port number is always the preferred solution — I never
>>> did it
>>>
>>>
 Can we achieve this with Tomcat, or do we need to set up a reverse proxy
 here?


>>> Your application uses whatever internal URLs it wants. Are you building
>>> those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
>>> it's Tomcat, this is where the proxyName and proxyPort come in.
>>>
>>
>>   - Yes, I have not built these URLs before. It was working from the very
>> beginning. As I mentioned, we are not able to reach the goal or whatever.
>>
>> Rather than saying redirection, I would say it’s aliasing.
>>
>
> Please be specific. "Aliasing" (to me) means "the URL goes to the right
> place but doesn't change in the browser's URL" and "redirection" (to
> everybody) means "HTTP 301 or 302 response to a new URL".
>
> Instead of moving applications or changing the Tomcat configuration, is it easier
>> to achieve this with a reverse proxy?
>>
>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
>>
>
> This will be a nightmare. Do not try to rewrite URLs using a reverse
> proxy. You should redirect users to the right place if necessary. You can
> use a reverse-proxy if you want, but it won't be any less complicated than
> having Tomcat do it.
>
> I think your rewrite.config file just needs a few tweaks:
>
> # Redirect everything that is not server.lbg.com to
> # server.lbg.com. Don't worry about /towl yet.
> RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
> RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]
>
> # Redirect anything that isn't already going to /towl
> # to go to /towl
> RewriteCond %{REQUEST_URI} !^/towl
> RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]
>
> The application should be deployed as towl.war (or towl/ directory). You
> should listen on ports 80, 443, and 8443, and you should always end up at
> the right place. You should have proxyPort="8443" and proxyName="
> server.lbg.com" in your .
>
> You will not need a ROOT context, since the rewrite will take care of that
> for you.
>
> -chris
>
> On Mon, May 13, 2024 at 10:17 PM lavanya tech 
>>> wrote:
>>>
>>> Hi Chris,
>>>
>>> Sorry, If I did confuse. It’s important that
>>> https://server.lbg.com:8443/towl is always working. Goal is not to
>>> disable /towl, but just redirect or aliasing
>>>
>>> https://example.lbg.com/ to https://server.lbg.com:8443/towl
>>>
>>>
>>>
>>>
>>> Thanks,
>>> Lavanya
>>>
>>> On Monday, May 13, 2024, Christopher Schultz <
>>> ch...@christopherschultz.net
>>>

 wrote:
>>>
>>> Lavanya,
>>>
>>> On 5/13/24 05:57, lavanya tech wrote:
>>>
>>> Somehow made it work now i can only access urls as you mentioned before
>>> https://example.lbg.com and https://server.lbg.com with port 8443 and
>>> with
>>> out
>>>
>>> https://example.lbg.com/towl and https://server.lbg.com/towl --> I
>>> have an
>>> error now File not found.
>>>
>>> So i think we need to make work https://example.lbg.com/ to
>>> https://server.lbg.com/towl
>>>
>>>
>>> I'm sorry, I'm still confused as to which way you want things.
>>>
>>> Do you want to redirect /towl -> / or do you want to redirect / ->
>>> /towl?
>>>
>>> Or does it depend upon the hostname? It would really be better if you
>>> could settle on one specific behavior.
>>>
>>> -chris
>>>
>>> On Mon, May 13, 2024 at 9:41 AM lavanya tech 
>>>
>>> wrote:
>>>
>>> Hi Chris,
>>>
>>>
>>> Where are you defining the RewriteValve itself?
>>>
>>> Defined rewritevalve here
>>>  >>unpackWARs="true" autoDeploy="true">
>>>
>>>  >> className="org.apache.catalina.valves.rewrite.RewriteValve" />
>>> resource="conf/rewrite.config" />
>>>
>>> 2) created rewrite.config and added as below under conf/
>>>
>>> RewriteCond %{REQUEST_URI} ^/towl/(.*)
>>> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>>>
>>> 3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
>>> already have this mappings /* in web.xml file)
>>>
>>>   
>>>  
>>>Logging Area
>>>
>>>Authentication for registered users.
>>>
>>>/*
>>>/api/v1/search 
>>>/api/v1/suggest/* 
>>>  
>>>
>>>LDAP_USER
>>>api
>>>
>>>  

Re: JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Michael Osipov
On 2024/05/14 18:21:36 Andy Arismendi wrote:
> Hi, just ran into this today. The JVM is crashing when caCertificatePath is 
> added to server.xml. I tried the latest Zulu JRE 8 and 11 but still had the 
> crash.
> 
> 
> ENVIRONMENT
> 
> Tomcat: 9.0.89 (64-bit Windows zip)
> OS: Windows Server 2019
> JVM:
> openjdk version "1.8.0_322"
> OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) (build 1.8.0_322-b06)
> OpenJDK 64-Bit Server VM (Zulu 8.60.0.21-CA-win64) (build 25.322-b06, mixed 
> mode)
> 
> 
> CRASH INFO
> 
> When caCertificatePath is present in server.xml and points to a valid 
> directory (empty or with PEM files) the JVM crashes during Tomcat startup. 
> This is the JVM console output:
> 
> 14-May-2024 17:34:58.443 INFO [main] org.apache.coyote.AbstractProtocol.init 
> Initializing ProtocolHandler ["https-openssl-nio2-1.2.3.4-443"]
> #
> # A fatal error has been detected by the Java Runtime Environment:
> #
> #  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x0001800ccd10, 
> pid=1244, tid=0x0ab0
> #
> # JRE version: OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) 
> (8.0_322-b06) (build 1.8.0_322-b06)
> # Java VM: OpenJDK 64-Bit Server VM (25.322-b06 mixed mode windows-amd64 
> compressed oops)
> # Problematic frame:
> # C  [tcnative-1.dll+0xccd10]
> #
> # Core dump written. Default location: D:\Program 
> Files\apache-tomcat\bin\hs_err_pid1244.mdmp
> #
> # An error report file with more information is saved as:
> # D:\Program Files\apache-tomcat\bin\hs_err_pid1244.log
> #
> # If you would like to submit a bug report, please visit:
> #   http://www.azul.com/support/
> # The crash happened outside the Java Virtual Machine in native code.
> # See problematic frame for where to report the bug.
> #
> 
> 
> CONFIG INFO
> 
> Here’s the server.xml that causes the JVM crash. 
> 
>  maxThreads="1000" port="443" scheme="https" secure="true" SSLEnabled="true" 
> allowTrace="false" xpoweredBy="false" address="1.2.3.4" acceptCount="1" 
> socket.rxBufSize="131072" socket.txBufSize="131072" minSpareThreads="100" 
> maxConnections="1">
>ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
>  disableCompression="true" disableSessionTickets="false" 
> honorCipherOrder="true" caCertificatePath="C:\PKI\CA">
>  certificateKeyFile="C:\PKI\server.key" 
> certificateChainFile="C:\PKI\server-chain.pem"/>
>   
> 

Please provide the log file, the OpenSSL version used and the libtcnative 
version used. 
Please note that caCertificatePath expects a directory with certificate hash 
files. Plain certs won't work.

M




JVM crashing with caCertificatePath in server.xml

2024-05-14 Thread Andy Arismendi
Hi, just ran into this today. The JVM is crashing when caCertificatePath is 
added to server.xml. I tried the latest Zulu JRE 8 and 11 but still had the 
crash.


ENVIRONMENT

Tomcat: 9.0.89 (64-bit Windows zip)
OS: Windows Server 2019
JVM:
openjdk version "1.8.0_322"
OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (Zulu 8.60.0.21-CA-win64) (build 25.322-b06, mixed 
mode)


CRASH INFO

When caCertificatePath is present in server.xml and points to a valid directory 
(empty or with PEM files) the JVM crashes during Tomcat startup. This is the 
JVM console output:

14-May-2024 17:34:58.443 INFO [main] org.apache.coyote.AbstractProtocol.init 
Initializing ProtocolHandler ["https-openssl-nio2-1.2.3.4-443"]
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x0001800ccd10, pid=1244, 
tid=0x0ab0
#
# JRE version: OpenJDK Runtime Environment (Zulu 8.60.0.21-CA-win64) 
(8.0_322-b06) (build 1.8.0_322-b06)
# Java VM: OpenJDK 64-Bit Server VM (25.322-b06 mixed mode windows-amd64 
compressed oops)
# Problematic frame:
# C  [tcnative-1.dll+0xccd10]
#
# Core dump written. Default location: D:\Program 
Files\apache-tomcat\bin\hs_err_pid1244.mdmp
#
# An error report file with more information is saved as:
# D:\Program Files\apache-tomcat\bin\hs_err_pid1244.log
#
# If you would like to submit a bug report, please visit:
#   http://www.azul.com/support/
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#


CONFIG INFO

Here’s the server.xml that causes the JVM crash. 


  

  








Re: Regarding Tomcat url redirection

2024-05-14 Thread Christopher Schultz

Lavanya,

On 5/14/24 09:12, lavanya tech wrote:

IMHO removing the port number is always the preferred solution — I never
did it



Can we achieve this with Tomcat, or do we need to set up a reverse proxy here?



Your application uses whatever internal URLs it wants. Are you building
those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
it's Tomcat, this is where the proxyName and proxyPort come in.


  - Yes, I have not built these URLs before. It was working from the very
beginning. As I mentioned, we are not able to reach the goal or whatever.

Rather than saying redirection, I would say it’s aliasing.


Please be specific. "Aliasing" (to me) means "the URL goes to the right 
place but doesn't change in the browser's URL" and "redirection" (to 
everybody) means "HTTP 301 or 302 response to a new URL".



Instead of moving applications or changing the Tomcat configuration, is it easier
to achieve this with a reverse proxy?

https://example.lbg.com/ to https://server.lbg.com:8443/towl


This will be a nightmare. Do not try to rewrite URLs using a reverse 
proxy. You should redirect users to the right place if necessary. You 
can use a reverse-proxy if you want, but it won't be any less 
complicated than having Tomcat do it.


I think your rewrite.config file just needs a few tweaks:

# Redirect everything that is not server.lbg.com to
# server.lbg.com. Don't worry about /towl yet.
RewriteCond %{HTTP_HOST} !^server\.lbg\.com$
RewriteRule ^/(.*) https://server.lbg.com:8443/$1 [R=301,L]

# Redirect anything that isn't already going to /towl
# to go to /towl
RewriteCond %{REQUEST_URI} !^/towl
RewriteRule ^/(.*) https://server.lbg.com:8443/towl/$1 [R=301,L]

The application should be deployed as towl.war (or towl/ directory). You 
should listen on ports 80, 443, and 8443, and you should always end up 
at the right place. You should have proxyPort="8443" and 
proxyName="server.lbg.com" in your .


You will not need a ROOT context, since the rewrite will take care of 
that for you.


-chris


On Mon, May 13, 2024 at 10:17 PM lavanya tech 
wrote:

Hi Chris,

Sorry, If I did confuse. It’s important that
https://server.lbg.com:8443/towl is always working. Goal is not to
disable /towl, but just redirect or aliasing

https://example.lbg.com/ to https://server.lbg.com:8443/towl




Thanks,
Lavanya

On Monday, May 13, 2024, Christopher Schultz 


wrote:

Lavanya,

On 5/13/24 05:57, lavanya tech wrote:

Somehow made it work now i can only access urls as you mentioned before
https://example.lbg.com and https://server.lbg.com with port 8443 and
with
out

https://example.lbg.com/towl and https://server.lbg.com/towl --> I
have an
error now File not found.

So i think we need to make work https://example.lbg.com/ to
https://server.lbg.com/towl


I'm sorry, I'm still confused as to which way you want things.

Do you want to redirect /towl -> / or do you want to redirect / -> /towl?

Or does it depend upon the hostname? It would really be better if you
could settle on one specific behavior.

-chris

On Mon, May 13, 2024 at 9:41 AM lavanya tech 

wrote:

Hi Chris,


Where are you defining the RewriteValve itself?

Defined rewritevalve here
 

 
resource="conf/rewrite.config" />

2) created rewrite.config and added as below under conf/

RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
already have this mappings /* in web.xml file)

  
 
   Logging Area
   
   Authentication for registered users.
   
   /*
   /api/v1/search 
   /api/v1/suggest/* 
 
   
   LDAP_USER
   api
   
   

4) Restarted Tomcat, Then I cannot access
https://server.lbg.com:8443/towl
--> Have below error

Message java.nio.file.NoSuchFileException:
/git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar

Description The server encountered an unexpected condition that
prevented
it from fulfilling the request.

5) Also https://example.lbg.com does not work anymore

Before you do anything with redirecting, can you just make sure you are
only deploying ROOT.war and nothing else?
   How can I do that. I already changed towl.war to ROOT.war

But still both the urls have error as mentioned above.


So I reverted the changes.
That's weird. Try stopping, deleting the work/ directory and restarting.
--> I have this weird behavior for some reason, though index.jsp is
located
no changes were made to file. After deleting cookies url works

where Am I going wrong.

Thanks,
Lavanya


On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

Lavanya,


On 5/10/24 04:37, lavanya tech wrote:

I tried the below and have the issues.

1)proxyPort="443" and proxyName="example.lbg.com" to the connector
2) renamed towl.war to ROOT.war
3) created 

Re: Regarding Tomcat url redirection

2024-05-14 Thread lavanya tech
Hi Chris,

>
> IMHO removing the port number is always the preferred solution — I never
> did it
>
>>
>> Can we achieve this with Tomcat, or do we need to set up a reverse proxy here?
>>
>
> Your application uses whatever internal URLs it wants. Are you building
> those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If
> it's Tomcat, this is where the proxyName and proxyPort come in.

 - Yes, I have not built these URLs before. It was working from the very
beginning. As I mentioned, we are not able to reach the goal or whatever.

Rather than saying redirection, I would say it’s aliasing.
Instead of moving applications or changing the Tomcat configuration, is it easier
to achieve this with a reverse proxy?

https://example.lbg.com/ to https://server.lbg.com:8443/towl

Kindly let me know what’s the best way.

Thanks,
Ammu




>
> -chris
>
> On Mon, May 13, 2024 at 10:17 PM lavanya tech 
> wrote:
>
> Hi Chris,
>
> Sorry, If I did confuse. It’s important that
> https://server.lbg.com:8443/towl is always working. Goal is not to
> disable /towl, but just redirect or aliasing
>
> https://example.lbg.com/ to https://server.lbg.com:8443/towl
>
>
>
>
> Thanks,
> Lavanya
>
> On Monday, May 13, 2024, Christopher Schultz  >
> wrote:
>
> Lavanya,
>
> On 5/13/24 05:57, lavanya tech wrote:
>
> Somehow made it work now i can only access urls as you mentioned before
> https://example.lbg.com and https://server.lbg.com with port 8443 and
> with
> out
>
>https://example.lbg.com/towl and https://server.lbg.com/towl --> I
> have an
> error now File not found.
>
> So i think we need to make work https://example.lbg.com/ to
> https://server.lbg.com/towl
>
>
> I'm sorry, I'm still confused as to which way you want things.
>
> Do you want to redirect /towl -> / or do you want to redirect / -> /towl?
>
> Or does it depend upon the hostname? It would really be better if you
> could settle on one specific behavior.
>
> -chris
>
> On Mon, May 13, 2024 at 9:41 AM lavanya tech 
>
> wrote:
>
> Hi Chris,
>
>
> Where are you defining the RewriteValve itself?
>
> Defined rewritevalve here
>unpackWARs="true" autoDeploy="true">
>
>  className="org.apache.catalina.valves.rewrite.RewriteValve" />
>resource="conf/rewrite.config" />
>
> 2) created rewrite.config and added as below under conf/
>
>RewriteCond %{REQUEST_URI} ^/towl/(.*)
>RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>
> 3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
> already have this mappings /* in web.xml file)
>
>  
> 
>   Logging Area
>   
>   Authentication for registered users.
>   
>   /*
>   /api/v1/search 
>   /api/v1/suggest/* 
> 
>   
>   LDAP_USER
>   api
>   
>   
>
> 4) Restarted Tomcat, Then I cannot access
> https://server.lbg.com:8443/towl
> --> Have below error
>
> Message java.nio.file.NoSuchFileException:
> /git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar
>
> Description The server encountered an unexpected condition that
> prevented
> it from fulfilling the request.
>
> 5) Also https://example.lbg.com does not work anymore
>
> Before you do anything with redirecting, can you just make sure you are
> only deploying ROOT.war and nothing else?
>   How can I do that. I already changed towl.war to ROOT.war
>
> But still both the urls have error as mentioned above.
>
>
> So I reverted the changes.
> That's weird. Try stopping, deleting the work/ directory and restarting.
> --> I have this weird behavior for some reason, though index.jsp is
> located
> no changes were made to file. After deleting cookies url works
>
> where Am I going wrong.
>
> Thanks,
> Lavanya
>
>
> On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Lavanya,
>
>
> On 5/10/24 04:37, lavanya tech wrote:
>
> I tried the below and have the issues.
>
> 1)proxyPort="443" and proxyName="example.lbg.com" to the connector
> 2) renamed towl.war to ROOT.war
> 3) created rewrite.config and added as below under conf/
>
>
> Where are you defining the RewriteValve itself?
>
> RewriteCond %{REQUEST_URI} ^/towl/(.*)
>
> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>
>
> If this is being handled by the ROOT servlet then I think it's right.
>
> 4) added this in web.xml file of /webapps/towl/web.xml/
>
>
>  
>
>
>
>
>
>Restricted Access to
> /towl
>/towl/*
>
>
> No, this is wrong. Since this is the "towl" application and not ROOT,
> you want to map /* and not /towl/* because the application will never
> see the /towl/ as it's an application/context prefix that Tomcat will
> remove.
>
>
>
>
>
>
>
>
> Also I noticed that even if I rename the towl application to ROOT,
> when
>
> i
>
> call the url 

Re: Regarding Tomcat url redirection

2024-05-14 Thread Christopher Schultz

Lavanya,

On 5/14/24 03:47, lavanya tech wrote:

Hi Chris,

Tried the below steps. I have the redirection working. But the URL is not
in the browser anymore.

1)   
   

2) /conf/Catalina/localhost --> I added the below in rewrite.config

RewriteCond %{HTTP_HOST} ^example\.lbg\.com$
RewriteCond %{REQUEST_URI} !^/towl$
RewriteRule ^/(.*) https://server.lbg.com:8443/towl [R=301,L]


The problem with this is that it can redirect forever.

/towl/foo -> /towl/towl/foo -> /towl/towl/towl/foo and so on.

Your "stop criteria" ( !^/towl$ ) needs to be more like !^/towl/ without 
the $.



Then it redirects from https://example.lbg.com -->
https://server.lbg.com:8443/towl but the application team raised a concern
the

- alias https://example.lbg.com/--> url stays in the browser


IMHO removing the port number is always the preferred solution.

If https://example.lbg.com/ isn't returning a 301 response, then 
something is not quite right with your configuration.



- towl indexer uses the internal address https://
server.lbg.com.8443/towl rsp.
localhost:8443/towl

Can we achieve this with Tomcat, or do we need to set up a reverse proxy here?


Your application uses whatever internal URLs it wants. Are you building 
those yourself, or are you asking Tomcat for the e.g. hostname, etc.? If 
it's Tomcat, this is where the proxyName and proxyPort come in.


-chris


On Mon, May 13, 2024 at 10:17 PM lavanya tech 
wrote:


Hi Chris,

Sorry, If I did confuse. It’s important that
https://server.lbg.com:8443/towl is always working. Goal is not to
disable /towl, but just redirect or aliasing

https://example.lbg.com/ to https://server.lbg.com:8443/towl




Thanks,
Lavanya

On Monday, May 13, 2024, Christopher Schultz 
wrote:


Lavanya,

On 5/13/24 05:57, lavanya tech wrote:


Somehow made it work now i can only access urls as you mentioned before
https://example.lbg.com and https://server.lbg.com with port 8443 and
with
out

   https://example.lbg.com/towl and https://server.lbg.com/towl --> I
have an
error now File not found.

So i think we need to make work https://example.lbg.com/ to
https://server.lbg.com/towl



I'm sorry, I'm still confused as to which way you want things.

Do you want to redirect /towl -> / or do you want to redirect / -> /towl?

Or does it depend upon the hostname? It would really be better if you
could settle on one specific behavior.

-chris

On Mon, May 13, 2024 at 9:41 AM lavanya tech 

wrote:

Hi Chris,


Where are you defining the RewriteValve itself?

Defined rewritevalve here



   resource="conf/rewrite.config" />

2) created rewrite.config and added as below under conf/

   RewriteCond %{REQUEST_URI} ^/towl/(.*)
   RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml ( I
already have this mappings /* in web.xml file)

 

  Logging Area
  
  Authentication for registered users.
  
  /*
  /api/v1/search 
  /api/v1/suggest/* 

  
  LDAP_USER
  api
  
  

4) Restarted Tomcat, Then I cannot access
https://server.lbg.com:8443/towl
--> Have below error

Message java.nio.file.NoSuchFileException:
/git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar

Description The server encountered an unexpected condition that
prevented
it from fulfilling the request.

5) Also https://example.lbg.com does not work anymore

Before you do anything with redirecting, can you just make sure you are
only deploying ROOT.war and nothing else?
  How can I do that. I already changed towl.war to ROOT.war

But still both the urls have error as mentioned above.


Si I revereted back the changes.
That's weird. Try stopping, deleting the work/ directory and restarting.
--> I have this wierd behavior for some reason, thoudh index.jsp is
located
no changes were made to file. After deleting cookies url works

where Am I going wrong.

Thanks,
Lavanya


On Fri, May 10, 2024 at 6:50 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

Lavanya,


On 5/10/24 04:37, lavanya tech wrote:


I tried the below and have the issues.

1)proxyPort="443" and proxyName="example.lbg.com" to the connector
2) remanmed towl.war to ROOT.war
3) created rewrite.config and added as below under conf/



Where are you defining the RewriteValve itself?

RewriteCond %{REQUEST_URI} ^/towl/(.*)

RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]



If this is being handled by the ROOT servlet then I think it's right.

4) added this in web.xml file of /webapps/towl/web.xml/


 
   

   
   
   
   Restricted Access to
/towl
   /towl/*



No, this is wrong. Since this is the "towl" application and not ROOT,
you want to map /* and not /towl/* because the application will never
see the /towl/ as it's an 

Re: Regarding Tomcat url redirection

2024-05-14 Thread lavanya tech
Hi Chris,

Tried the below steps. I have the redirection working. But the URL is not
in the browser anymore.

1)   
  

2) /conf/Catalina/localhost --> I added the below in rewrite.config

RewriteCond %{HTTP_HOST} ^example\.lbg\.com$
RewriteCond %{REQUEST_URI} !^/towl$
RewriteRule ^/(.*) https://server.lbg.com:8443/towl [R=301,L]

Then it redirects from https://example.lbg.com -->
https://server.lbg.com:8443/towl, but the application team raised a concern
that

   - alias https://example.lbg.com/ --> the URL stays in the browser
   - the towl indexer uses the internal address
     https://server.lbg.com:8443/towl resp. localhost:8443/towl

Can we achieve this with Tomcat, or do we need to set up a reverse proxy here?
Please kindly suggest.

Thanks,
Lavanya




Re: Regarding Tomcat url redirection

2024-05-13 Thread lavanya tech
Hi Chris,

Sorry if I did confuse. It's important that
https://server.lbg.com:8443/towl is always working. The goal is not to disable
/towl, but just to redirect or alias

https://example.lbg.com/ to https://server.lbg.com:8443/towl




Thanks,
Lavanya


Re: Regarding Tomcat url redirection

2024-05-13 Thread Christopher Schultz

Lavanya,

On 5/13/24 05:57, lavanya tech wrote:

Somehow made it work; now I can only access the URLs as you mentioned before,
https://example.lbg.com and https://server.lbg.com, with port 8443 and without.

  https://example.lbg.com/towl and https://server.lbg.com/towl --> I have an
error now: File not found.

So I think we need to make https://example.lbg.com/ work to
https://server.lbg.com/towl


I'm sorry, I'm still confused as to which way you want things.

Do you want to redirect /towl -> / or do you want to redirect / -> /towl?

Or does it depend upon the hostname? It would really be better if you
could settle on one specific behavior.


-chris



Re: Upgrade query

2024-05-13 Thread Christopher Schultz

Kalaivani,

On 5/13/24 06:13, GANESAN, Kalaivani wrote:

I have a question regarding upgrading to 9.0.86.
The current version is 9.0.8 and needs to be upgraded to 9.0.86.
We have apache tomcat running in our openptk servers.

Do you have any detailed steps on the process?
We have downloaded apache-tomcat-9.0.86.tar.gz.


https://tomcat.apache.org/upgrading.html

?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Upgrade query

2024-05-13 Thread GANESAN, Kalaivani
Hi,

I have a question regarding upgrading to 9.0.86.
The current version is 9.0.8 and needs to be upgraded to 9.0.86.
We have apache tomcat running in our openptk servers.

Do you have any detailed steps on the process?
We have downloaded apache-tomcat-9.0.86.tar.gz.

Thanks,
Kalaivani G





Re: Regarding Tomcat url redirection

2024-05-13 Thread lavanya tech
Hi Chris,

Somehow made it work; now I can only access the URLs as you mentioned before,
https://example.lbg.com and https://server.lbg.com, with port 8443 and without.

 https://example.lbg.com/towl and https://server.lbg.com/towl --> I have an
error now: File not found.

So I think we need to make https://example.lbg.com/ work to
https://server.lbg.com/towl

Thanks,
Lavanya



Re: Regarding Tomcat url redirection

2024-05-13 Thread lavanya tech
Hi Chris,

Where are you defining the RewriteValve itself?

Defined the RewriteValve here:

   <Host ... unpackWARs="true" autoDeploy="true">

   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
   resource="conf/rewrite.config" />

2) Created rewrite.config and added as below under conf/

 RewriteCond %{REQUEST_URI} ^/towl/(.*)
 RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

3) After renaming towl to ROOT -> /webapps/ROOT/WEB-INF/web.xml (I already
have this mapping /* in the web.xml file)

   
  
Logging Area

Authentication for registered users.

/*
/api/v1/search 
/api/v1/suggest/* 
  

LDAP_USER
api



4) Restarted Tomcat, Then I cannot access https://server.lbg.com:8443/towl
--> Have below error

Message java.nio.file.NoSuchFileException:
/git/apache-tomcat-10.1.11/webapps/towl/WEB-INF/lib/xss-1.0.8.jar

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

5) Also https://example.lbg.com does not work anymore

Before you do anything with redirecting, can you just make sure you are
only deploying ROOT.war and nothing else?
How can I do that? I already changed towl.war to ROOT.war

But still both the URLs have the error as mentioned above.


So I reverted the changes.
That's weird. Try stopping, deleting the work/ directory and restarting.
--> I have this weird behavior for some reason, though index.jsp is located
and no changes were made to the file. After deleting cookies the URL works.

Where am I going wrong?

Thanks,
Lavanya



Re: Regarding Tomcat url redirection

2024-05-10 Thread Christopher Schultz

Lavanya,

On 5/10/24 06:03, lavanya tech wrote:

If we create a new Java filter as below, then can we redirect the URLs?

import jakarta.servlet.*;   // Tomcat 10.x uses the jakarta.servlet namespace, not javax.servlet
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebFilter("/*")
public class UrlRedirectionFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String requestUrl = httpRequest.getRequestURL().toString();

        // Check if the request URL matches the target URL
        if (requestUrl.equals("https://example.lbg.com")) {
            // Perform redirect to the desired destination URL
            httpResponse.sendRedirect("https://server.lbg.com/towl");



This is the exact opposite of the stated goal.

You said you wanted server.lbg.com/towl to be redirected to 
example.lbg.com/ but this does the opposite.


I also wouldn't bother to check the protocol. Let's save this until after
the ROOT application is working as expected.


-chris




Re: Regarding Tomcat url redirection

2024-05-10 Thread Christopher Schultz

Lavanya,

On 5/10/24 04:37, lavanya tech wrote:

I tried the below and have the issues.

1) proxyPort="443" and proxyName="example.lbg.com" to the connector
2) renamed towl.war to ROOT.war
3) created rewrite.config and added as below under conf/


Where are you defining the RewriteValve itself?


RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]


If this is being handled by the ROOT servlet then I think it's right.


4) added this in web.xml file of /webapps/towl/web.xml/

   
 

 
 
 
 Restricted Access to
/towl
 /towl/*


No, this is wrong. Since this is the "towl" application and not ROOT, 
you want to map /* and not /towl/* because the application will never 
see the /towl/ as it's an application/context prefix that Tomcat will 
remove.



 
 
 
 
 

Also I noticed that even if I rename the towl application to ROOT, when I
call the URL https://example.lbg.com/towl --> this towl directory is
getting created under webapps by default


If webapps/towl is being created, then it's happening for some other 
reason. Do you have anything under conf/Catalina/*/towl.xml which points 
to a WAR file or something? If so, remove that.



5) Restarted Tomcat and I have the below error, and all the URLs have the
same issue

Message org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp


That's weird. Try stopping, deleting the work/ directory and restarting.


Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

Exception

org.apache.jasper.JasperException: org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)


Before you do anything with redirecting, can you just make sure you are 
only deploying ROOT.war and nothing else?


This should allow you to reach the application at both 
https://example.lbg.com/ and https://server.lbg.com/ as well as both of 
those with port 8443.


Then use the applications and make sure they are working as expected. 
Then, we'll add the /towl handling.


-chris


On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 5/9/24 13:48, lavanya tech wrote:

Thank you so much for your explanation. I will try these options.

Do server and example both resolve to the same IP?
  -yes


Good, that significantly reduces the complexity required, since you can
do it with a single process (Tomcat) in a single environment.


So I need to follow both the 4a/b and 5a/b steps here, or any of them?

If I set up exactly by using the below steps, then I should be able to access
both URLs, right? https://server.lbg.com:8443/towl and
https://example.lbg.com

If you visit either hostname with /towl, you will be redirected to
example.lbg.com/ with no port number. example:8443 will still work and
no redirect will take place... unless you specifically make arrangements
for that. We can do that later if you really want to.

Let's get the other things working, first.

-chris


On Thursday, May 9, 2024, Christopher Schultz <

ch...@christopherschultz.net>

wrote:


Lavanya,

On 5/9/24 02:58, lavanya tech wrote:


Just giving background again of this topic again.

1) The application team who is working on it wanted to access the URL
https://server.lbg.com:8443/towl —> which should redirect or point to
https://example.lbg.com

Is that a typo? You want specifically https://server.lbg.com/towl and
https://example.lbg.com/ to point to your application?
 — It's not a typo; the requirements are still the same.




Okay.

Do server and example both resolve to the same IP?

2) Hence I added firewall rule to redirect port 443 to 8443. And the url

https://example.lbg.com started working but its pointing to
https://server.lbg.com:8443 indeed and not

https://server.lbg.com:8443/to

wl

But then they wanted the point 1 to have it. If I understood

correctly. So

basically to achieve this we wanted a reverse proxy setup ?

I did not define any additional host in the server.xml file, I just left it to
default to localhost.



Here's what you have to do in order to support this odd configuration.

1. Configure your firewall to route port 443 -> 8443. I suspect this is
already done.

2. Deploy Tomcat on server.lbg.com with a  on port 8443.

This

is the default, so there shouldn't be anything to do. I suspect this is
already done. You should set proxyPort="443" and proxyName="

Re: Regarding Tomcat url redirection

2024-05-10 Thread lavanya tech
Hi Chris,
If we create new java.filter as below then we can redirect the urls  ?

import jakarta.servlet.*;                    // Tomcat 10 uses jakarta.*, as the stack trace above shows;
import jakarta.servlet.annotation.WebFilter; // a filter written against javax.servlet is not loaded there
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebFilter("/*")
public class UrlRedirectionFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // getRequestURL() includes the request path, which is "/" for the
        // site root, so drop a trailing slash before comparing
        String requestUrl = httpRequest.getRequestURL().toString();
        if (requestUrl.endsWith("/")) {
            requestUrl = requestUrl.substring(0, requestUrl.length() - 1);
        }

        // Check if the request URL matches the target URL
        if (requestUrl.equals("https://example.lbg.com")) {
            // Perform redirect to the desired destination URL
            httpResponse.sendRedirect("https://server.lbg.com/towl");
            return;
        }

        // For all other URLs, disable access
        httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    // init() and destroy() have default implementations in the Filter
    // interface, so they can be left out for this example
}

Thanks,
Lavanya

On Fri, May 10, 2024 at 10:37 AM lavanya tech 
wrote:

> Hi Chris,
>
> I tried the below and have the issues.
>
> 1) proxyPort="443" and proxyName="example.lbg.com" to the connector
> 2) renamed towl.war to ROOT.war
> 3) created rewrite.config and added as below under conf/
>
> RewriteCond %{REQUEST_URI} ^/towl/(.*)
> RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]
>
> 4) added this in web.xml file of /webapps/towl/web.xml/
>
>   
> 
>
> 
> 
> 
> Restricted Access to
> /towl
> /towl/*
> 
> 
> 
> 
> 
>
> Also I noticed that even if I rename the towl application to ROOT, when i
> call the url with https://example.lbg.com/towl --> this towl directory is
> getting created under webapps by default
>
> 5) Restarted tomcat and I have the below error and all the urls have the
> same issue
>
> Message org.apache.jasper.JasperException:
> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>
> Description The server encountered an unexpected condition that prevented
> it from fulfilling the request.
>
> Exception
>
> org.apache.jasper.JasperException: org.apache.jasper.JasperException:
> java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
>
> org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
>
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
> jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>
> On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Lavanya,
>>
>> On 5/9/24 13:48, lavanya tech wrote:
>> > Thank you so much for your explanation. I will try these options.
>> >
>> > Do server and example both resolve to the same IP?
>> >  -yes
>>
>> Good, that significantly reduces the complexity required, since you can
>> do it with a single process (Tomcat) in a single environment.
>>
>> > So do I need to follow both the 4a/b and 5a/b steps here, or any of them?
>> >
>> > If I set up exactly by using the below steps, then I should be able to access both the
>> > URLs, right? https://server.lbg.com:8443/towl and
>> https://example.lbg.com
>>
>> If you visit either hostname with /towl, you will be redirected to
>> example.lbg.com/ with no port number. example:8443 will still work and
>> no redirect will take place... unless you specifically make arrangements
>> for that. We can do that later if you really want to.
>>
>> Let's get the other things working, first.
>>
>> -chris
>>
>> > On Thursday, May 9, 2024, Christopher Schultz <
>> ch...@christopherschultz.net>
>> > wrote:
>> >
>> >> Lavanya,
>> >>
>> >> On 5/9/24 02:58, lavanya tech wrote:
>> >>
>> >>> Just giving the background of this topic again.
>> >>>
>> >>> 1) The application team who is working they wanted to access the url
>> >>> https://server.lbg.com:8443/towl —> which should redirect or point to
>> >>> https://example.lbg.com
>> >>>
>> >>> Is that a typo? You want specifically https://server.lbg.com/towl and
>> >>> https://example.lbg.com/ to point to your application?
>> >>> — It’s not the Typo the requirements are still the
>> same.
>> >>>
>> >>
>> >> Okay.
>> >>
>> >> Do server and example both resolve to the same IP?
>> >>
>> >> 2) Hence I added firewall rule to redirect port 443 to 8443. And the
>> url
>> >>> https://example.lbg.com started working but its pointing to
>> >>> https://server.lbg.com:8443 indeed and not
>> https://server.lbg.com:8443/to
>> >>> wl
>> >>>
>> >>> But then they 

Re: Regarding Tomcat url redirection

2024-05-10 Thread lavanya tech
Hi Chris,

I tried the below and have the issues.

1) proxyPort="443" and proxyName="example.lbg.com" to the connector
2) renamed towl.war to ROOT.war
3) created rewrite.config and added as below under conf/

RewriteCond %{REQUEST_URI} ^/towl/(.*)
RewriteRule ^/towl/(.*) https://example.lbg.com/%1 [R]

4) added this in web.xml file of /webapps/towl/web.xml/

  





Restricted Access to
/towl
/towl/*






Also I noticed that even if I rename the towl application to ROOT, when i
call the url with https://example.lbg.com/towl --> this towl directory is
getting created under webapps by default

5) Restarted tomcat and I have the below error and all the urls have the
same issue

Message org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp

Description The server encountered an unexpected condition that prevented
it from fulfilling the request.

Exception

org.apache.jasper.JasperException: org.apache.jasper.JasperException:
java.lang.ClassNotFoundException: org.apache.jsp.index_jsp
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:578)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:422)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:380)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:328)
jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)

On Thu, May 9, 2024 at 11:20 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 5/9/24 13:48, lavanya tech wrote:
> > Thank you so much for your explanation. I will try these options.
> >
> > Do server and example both resolve to the same IP?
> >  -yes
>
> Good, that significantly reduces the complexity required, since you can
> do it with a single process (Tomcat) in a single environment.
>
> > So do I need to follow both the 4a/b and 5a/b steps here, or any of them?
> >
> > If I set up exactly by using the below steps, then I should be able to access both the
> > URLs, right? https://server.lbg.com:8443/towl and
> https://example.lbg.com
>
> If you visit either hostname with /towl, you will be redirected to
> example.lbg.com/ with no port number. example:8443 will still work and
> no redirect will take place... unless you specifically make arrangements
> for that. We can do that later if you really want to.
>
> Let's get the other things working, first.
>
> -chris
>
> > On Thursday, May 9, 2024, Christopher Schultz <
> ch...@christopherschultz.net>
> > wrote:
> >
> >> Lavanya,
> >>
> >> On 5/9/24 02:58, lavanya tech wrote:
> >>
> >>> Just giving the background of this topic again.
> >>>
> >>> 1) The application team who is working they wanted to access the url
> >>> https://server.lbg.com:8443/towl —> which should redirect or point to
> >>> https://example.lbg.com
> >>>
> >>> Is that a typo? You want specifically https://server.lbg.com/towl and
> >>> https://example.lbg.com/ to point to your application?
> >>> — It’s not the Typo the requirements are still the
> same.
> >>>
> >>
> >> Okay.
> >>
> >> Do server and example both resolve to the same IP?
> >>
> >> 2) Hence I added firewall rule to redirect port 443 to 8443. And the url
> >>> https://example.lbg.com started working but its pointing to
> >>> https://server.lbg.com:8443 indeed and not
> https://server.lbg.com:8443/to
> >>> wl
> >>>
> >>> But then they wanted the point 1 to have it. If I understood
> correctly. So
> >>> basically to achieve this we wanted a reverse proxy setup ?
> >>>
> >>> I did not define any additional host in the server.xml file, I just left it to
> >>> default to localhost.
> >>>
> >>
> >> Here's what you have to do in order to support this odd configuration.
> >>
> >> 1. Configure your firewall to route port 443 -> 8443. I suspect this is
> >> already done.
> >>
> >> 2. Deploy Tomcat on server.lbg.com with a  on port 8443.
> This
> >> is the default, so there shouldn't be anything to do. I suspect this is
> >> already done. You should set proxyPort="443" and proxyName="
> >> example.lbg.com" in your . This will ensure that any URLs
> >> generated by Tomcat or your application will point to
> >> https://example.lbg.com/ and not to server.lbg.com or have a port
> number
> >> or whatever.
> >>
> >> 3. Re-name your application directory or WAR file from towl -> ROOT
> (upper
> >> case is important). So if you have tomcat/webapps/towl re-name that to
> >> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name that
> to
> >> tomcat/webapps/ROOT.war.
> >>
> >> The last thing to do is get /towl to re-direct to /. There are a few
> ways
> >> of doing that.
> >>
> >> 4a. Configure your application (now called ROOT and deployed on / and
> not
> >> /towl anymore) to handle the /towl URL and specifically redirect this
> back
> >> to /. This is oddly specific and has 

Re: Regarding Tomcat url redirection

2024-05-09 Thread Christopher Schultz

Lavanya,

On 5/9/24 13:48, lavanya tech wrote:

Thank you so much for your explanation. I will try these options.

Do server and example both resolve to the same IP?
 -yes


Good, that significantly reduces the complexity required, since you can 
do it with a single process (Tomcat) in a single environment.



So do I need to follow both the 4a/b and 5a/b steps here, or any of them?

If I set up exactly by using the below steps, then I should be able to access both the
URLs, right? https://server.lbg.com:8443/towl and https://example.lbg.com


If you visit either hostname with /towl, you will be redirected to 
example.lbg.com/ with no port number. example:8443 will still work and 
no redirect will take place... unless you specifically make arrangements 
for that. We can do that later if you really want to.


Let's get the other things working, first.

-chris


On Thursday, May 9, 2024, Christopher Schultz 
wrote:


Lavanya,

On 5/9/24 02:58, lavanya tech wrote:


Just giving the background of this topic again.

1) The application team who is working they wanted to access the url
https://server.lbg.com:8443/towl —> which should redirect or point to
https://example.lbg.com

Is that a typo? You want specifically https://server.lbg.com/towl and
https://example.lbg.com/ to point to your application?
— It’s not the Typo the requirements are still the same.



Okay.

Do server and example both resolve to the same IP?

2) Hence I added firewall rule to redirect port 443 to 8443. And the url

https://example.lbg.com started working but its pointing to
https://server.lbg.com:8443 indeed and not https://server.lbg.com:8443/to
wl

But then they wanted the point 1 to have it. If I understood correctly. So
basically to achieve this we wanted a reverse proxy setup ?

I did not define any additional host in the server.xml file, I just left it to
default to localhost.



Here's what you have to do in order to support this odd configuration.

1. Configure your firewall to route port 443 -> 8443. I suspect this is
already done.

2. Deploy Tomcat on server.lbg.com with a  on port 8443. This
is the default, so there shouldn't be anything to do. I suspect this is
already done. You should set proxyPort="443" and proxyName="
example.lbg.com" in your . This will ensure that any URLs
generated by Tomcat or your application will point to
https://example.lbg.com/ and not to server.lbg.com or have a port number
or whatever.

3. Re-name your application directory or WAR file from towl -> ROOT (upper
case is important). So if you have tomcat/webapps/towl re-name that to
tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name that to
tomcat/webapps/ROOT.war.

The last thing to do is get /towl to re-direct to /. There are a few ways
of doing that.

4a. Configure your application (now called ROOT and deployed on / and not
/towl anymore) to handle the /towl URL and specifically redirect this back
to /. This is oddly specific and has the application trying to redirect to
itself which is weird.

4b. Create a new application called towl or towl.war which will be
deployed on /towl and have THAT redirect to /. I think this is cleaner
because you can call the application anything you'd like and it will still
work. You don't have to match URL patterns yourself, you just re-name the
WAR file if you suddenly want to use /towl2 instead of /towl.

There are several ways to redirect.

5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
notes: (1) the (*) means "capture this string" and \1 means "put the string
back. This allows you to redirect /towl/foo/bar to /foo/bar instead of
losing the /foo/bar. This syntax may not be perfect, adapt it to your
needs. (2) Remember that the towl application is deployed on /towl so you
don't want to redirect /towl/foo/bar you only want redirect /foo/bar since
the URL will be relative to the current context (/towl). Got that? Finally,
(3) you need to use a global redirect that does *NOT* redirect back to the
/towl application. Normally, if you redirect to /foo you'll get an
application-relative redirect from something like a rewrite
valve/filter/whatever. Take care to redirect relative to the SERVER and not
to the application.

5b. Write your own servlet to do a specific redirect.

I hope that helps,
-chris

On Wednesday, May 8, 2024, Christopher Schultz <

ch...@christopherschultz.net>
wrote:

Lavanya,


On 5/8/24 06:48, lavanya tech wrote:

I figured out how I can make it work with 443. Now the URLs are

working.
I added iptables route 443 to 8443 and it started working.

nslookup example.lbg.com

Non-authoritative answer:
Name:server.lbg.com
Address:  192.168.200.105
Aliases:  example.lbg.com


I have some application towl running with apache tomcat. I have the
below
URLs working.

https://server.lbg.com:8443/towl
https://server.lbg.com
https://example.lbg.com
https://example.lbg.com/towl


Now i wanted to disable the url https://example.lbg.com/towl and
https://server.lbg.com and 

Re: Regarding Tomcat url redirection

2024-05-09 Thread lavanya tech
Hi Chris,

Thank you so much for your explanation. I will try these options.

Do server and example both resolve to the same IP?
-yes

So do I need to follow both the 4a/b and 5a/b steps here, or any of them?

If I set up exactly by using the below steps, then I should be able to access both the
URLs, right? https://server.lbg.com:8443/towl and https://example.lbg.com

I will configure and if I face any issues I will write to you.

Thanks,
Lavanya


On Thursday, May 9, 2024, Christopher Schultz 
wrote:

> Lavanya,
>
> On 5/9/24 02:58, lavanya tech wrote:
>
>> Just giving the background of this topic again.
>>
>> 1) The application team who is working they wanted to access the url
>> https://server.lbg.com:8443/towl —> which should redirect or point to
>> https://example.lbg.com
>>
>> Is that a typo? You want specifically https://server.lbg.com/towl and
>> https://example.lbg.com/ to point to your application?
>>— It’s not the Typo the requirements are still the same.
>>
>
> Okay.
>
> Do server and example both resolve to the same IP?
>
> 2) Hence I added firewall rule to redirect port 443 to 8443. And the url
>> https://example.lbg.com started working but its pointing to
>> https://server.lbg.com:8443 indeed and not https://server.lbg.com:8443/to
>> wl
>>
>> But then they wanted the point 1 to have it. If I understood correctly. So
>> basically to achieve this we wanted a reverse proxy setup ?
>>
>> I did not define any additional host in the server.xml file, I just left it to
>> default to localhost.
>>
>
> Here's what you have to do in order to support this odd configuration.
>
> 1. Configure your firewall to route port 443 -> 8443. I suspect this is
> already done.
>
> 2. Deploy Tomcat on server.lbg.com with a  on port 8443. This
> is the default, so there shouldn't be anything to do. I suspect this is
> already done. You should set proxyPort="443" and proxyName="
> example.lbg.com" in your . This will ensure that any URLs
> generated by Tomcat or your application will point to
> https://example.lbg.com/ and not to server.lbg.com or have a port number
> or whatever.
>
> 3. Re-name your application directory or WAR file from towl -> ROOT (upper
> case is important). So if you have tomcat/webapps/towl re-name that to
> tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war re-name that to
> tomcat/webapps/ROOT.war.
>
> The last thing to do is get /towl to re-direct to /. There are a few ways
> of doing that.
>
> 4a. Configure your application (now called ROOT and deployed on / and not
> /towl anymore) to handle the /towl URL and specifically redirect this back
> to /. This is oddly specific and has the application trying to redirect to
> itself which is weird.
>
> 4b. Create a new application called towl or towl.war which will be
> deployed on /towl and have THAT redirect to /. I think this is cleaner
> because you can call the application anything you'd like and it will still
> work. You don't have to match URL patterns yourself, you just re-name the
> WAR file if you suddenly want to use /towl2 instead of /towl.
>
> There are several ways to redirect.
>
> 5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few
> notes: (1) the (*) means "capture this string" and \1 means "put the string
> back. This allows you to redirect /towl/foo/bar to /foo/bar instead of
> losing the /foo/bar. This syntax may not be perfect, adapt it to your
> needs. (2) Remember that the towl application is deployed on /towl so you
> don't want to redirect /towl/foo/bar you only want redirect /foo/bar since
> the URL will be relative to the current context (/towl). Got that? Finally,
> (3) you need to use a global redirect that does *NOT* redirect back to the
> /towl application. Normally, if you redirect to /foo you'll get an
> application-relative redirect from something like a rewrite
> valve/filter/whatever. Take care to redirect relative to the SERVER and not
> to the application.
>
> 5b. Write your own servlet to do a specific redirect.
>
> I hope that helps,
> -chris
>
> On Wednesday, May 8, 2024, Christopher Schultz <
>> ch...@christopherschultz.net>
>> wrote:
>>
>> Lavanya,
>>>
>>> On 5/8/24 06:48, lavanya tech wrote:
>>>
>>> I figured out how I can make it work with 443. Now the URLs are
 working.
 I added iptables route 443 to 8443 and it started working.

 nslookup example.lbg.com

 Non-authoritative answer:
 Name:server.lbg.com
 Address:  192.168.200.105
 Aliases:  example.lbg.com


 I have some application towl running with apache tomcat. I have the
 below
 URLs working.

 https://server.lbg.com:8443/towl
 https://server.lbg.com
 https://example.lbg.com
 https://example.lbg.com/towl


 Now i wanted to disable the url https://example.lbg.com/towl and
 https://server.lbg.com and access only the other remaining two.


>>>
>>
>>
>>> I would *highly* recommend that you pick either /towl or / and not try 

Re: FileUpload class not working with Tomcat 10.1

2024-05-09 Thread Christopher Schultz

Mark and Chuck,

On 5/9/24 09:35, Chuck Caldarale wrote:

You need the web.xml entries because you have extra configuration
items (the  settings) that aren’t part of the
default JSP servlet definition.

+1

If you didn't need to upload files to your JSP, you wouldn't have needed 
any of this in your web.xml file.


It's very weird to do this kind of logic in a JSP. I *highly* recommend 
that you split your JSP into at least two pieces:


1. A servlet that handles the upload, produces no output, and handles 
error conditions gracefully. It then forwards or redirects (as 
appropriate) to the page you want to display post-upload. You will need 
to map this servlet in web.xml, but it's less-stupid than mapping a JSP 
to a servlet-name and then mapping that same servlet-name back to a URL 
pattern which is the same as the JSP's path. I can see why you were 
saying "I have no idea why this is necessary": it seems useless but you 
must attach the file-upload metadata to something, and this is how you 
do it.


Note that you didn't have to do it that way. You could have done this:


  uploadfile
  /schDistImports.jsp
  ...


  uploadfile
  /schDistImports NOTE: no .jsp extension


In your case, the generic name "uploadfile" for a very specific type of 
upload (schDistImports) might be a mistake, since you might want to 
upload all kinds of files, such as 1099 forms or whatnot. One called 
"uploadfile" seems generic when it's not really generic: it's specific 
to that one workflow.


You can use any name you like. You can use any URL pattern you like as 
well, such as /sch/dist/imports. You don't have to be tied to your 
filesystem layout.


2. A page template (JSP is fine) that only generates page content. No 
mapping in web.xml is necessary for this, which is probably what you are 
used to.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
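
The split described above (a servlet that owns the upload and renders nothing, then a JSP that only renders), as an added example that is not code from the list or from Tomcat. The @MultipartConfig values are the ones from Mark's web.xml and the URL pattern is the one Chris suggested; the package name, the form field name "file", and the IMPORT_DIR location are assumptions for the example.

```java
// Added example, not code from this thread or from Tomcat.
// The servlet accepts the multipart POST, enforces the limits, writes no page
// content, and redirects to the JSP that renders the result (POST-redirect-GET).
package example.upload;   // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.MultipartConfig;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Part;

// Same effect as a <servlet>/<servlet-mapping> pair with <multipart-config>,
// but attached to a real servlet class, so no JSP needs a servlet-name mapping.
@WebServlet(name = "schDistImports", urlPatterns = "/sch/dist/imports")
@MultipartConfig(location = "/tmp",
                 maxFileSize = 20848820L,        // limit for a single part
                 maxRequestSize = 418018841L,    // limit for the whole request
                 fileSizeThreshold = 1048576)    // buffered in memory below this size
public class SchDistImportServlet extends HttpServlet {

    // Assumed destination: outside the webapp, so Tomcat never serves the files back.
    private static final Path IMPORT_DIR =
            Paths.get("/var/lib/myapp/imports").toAbsolutePath();

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part;
        try {
            part = req.getPart("file");          // <input type="file" name="file"> (assumed)
        } catch (IllegalStateException tooLarge) {
            // Thrown by the container when maxFileSize or maxRequestSize is exceeded.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (part == null || part.getSize() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no file uploaded");
            return;
        }
        // Never trust the client-supplied file name: reduce it to a safe base name.
        String name = safeFileName(part.getSubmittedFileName());
        if (name == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad file name");
            return;
        }
        Path target = IMPORT_DIR.resolve(name).normalize();
        if (!IMPORT_DIR.equals(target.getParent())) { // defence in depth against traversal
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad file name");
            return;
        }
        Files.createDirectories(IMPORT_DIR);
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            part.delete();                       // remove the temporary copy under "location"
        }
        // Hand the result to the page and redirect, so a browser refresh
        // re-renders the page instead of re-submitting the upload.
        req.getSession().setAttribute("importedFile", name);
        resp.sendRedirect(req.getContextPath() + "/schDistImportResults.jsp");
    }

    /**
     * Strips any directory part (either separator), rejects empty, "." and
     * ".." names, replaces anything outside a conservative character set and
     * refuses hidden files. Returns null when nothing usable is left.
     */
    static String safeFileName(String submitted) {
        if (submitted == null) {
            return null;
        }
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(cut + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            return null;
        }
        String cleaned = base.replaceAll("[^A-Za-z0-9._-]", "_");
        return cleaned.startsWith(".") ? null : cleaned;
    }
}
```

The JSP at /schDistImportResults.jsp then needs no web.xml entry at all: it reads the "importedFile" session attribute and renders the page, which is the second piece of the split.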



Re: Regarding Tomcat url redirection

2024-05-09 Thread Christopher Schultz

Lavanya,

On 5/9/24 02:58, lavanya tech wrote:

Just giving the background of this topic again.

1) The application team who is working they wanted to access the url
https://server.lbg.com:8443/towl —> which should redirect or point to
https://example.lbg.com

Is that a typo? You want specifically https://server.lbg.com/towl and
https://example.lbg.com/ to point to your application?
   — It’s not the Typo the requirements are still the same.


Okay.

Do server and example both resolve to the same IP?


2) Hence I added firewall rule to redirect port 443 to 8443. And the url
https://example.lbg.com started working but its pointing to
https://server.lbg.com:8443 indeed and not https://server.lbg.com:8443/towl

But then they wanted the point 1 to have it. If I understood correctly. So
basically to achieve this we wanted a reverse proxy setup ?

I did not define any additional host in the server.xml file, I just left it to
default to localhost.


Here's what you have to do in order to support this odd configuration.

1. Configure your firewall to route port 443 -> 8443. I suspect this is 
already done.


2. Deploy Tomcat on server.lbg.com with a  on port 8443. This 
is the default, so there shouldn't be anything to do. I suspect this is 
already done. You should set proxyPort="443" and 
proxyName="example.lbg.com" in your . This will ensure that 
any URLs generated by Tomcat or your application will point to 
https://example.lbg.com/ and not to server.lbg.com or have a port number 
or whatever.


3. Re-name your application directory or WAR file from towl -> ROOT 
(upper case is important). So if you have tomcat/webapps/towl re-name 
that to tomcat/webapps/ROOT or if you have tomcat/webapps/towl.war 
re-name that to tomcat/webapps/ROOT.war.


The last thing to do is get /towl to re-direct to /. There are a few 
ways of doing that.


4a. Configure your application (now called ROOT and deployed on / and 
not /towl anymore) to handle the /towl URL and specifically redirect 
this back to /. This is oddly specific and has the application trying to 
redirect to itself which is weird.


4b. Create a new application called towl or towl.war which will be 
deployed on /towl and have THAT redirect to /. I think this is cleaner 
because you can call the application anything you'd like and it will 
still work. You don't have to match URL patterns yourself, you just 
re-name the WAR file if you suddenly want to use /towl2 instead of /towl.


There are several ways to redirect.

5a. Use the rewrite valve and map /(*) to (global redirect) /\1. A few 
notes: (1) the (*) means "capture this string" and \1 means "put the 
string back. This allows you to redirect /towl/foo/bar to /foo/bar 
instead of losing the /foo/bar. This syntax may not be perfect, adapt it 
to your needs. (2) Remember that the towl application is deployed on 
/towl so you don't want to redirect /towl/foo/bar you only want redirect 
/foo/bar since the URL will be relative to the current context (/towl). 
Got that? Finally, (3) you need to use a global redirect that does *NOT* 
redirect back to the /towl application. Normally, if you redirect to 
/foo you'll get an application-relative redirect from something like a 
rewrite valve/filter/whatever. Take care to redirect relative to the 
SERVER and not to the application.


5b. Write your own servlet to do a specific redirect.

I hope that helps,
-chris


On Wednesday, May 8, 2024, Christopher Schultz 
wrote:


Lavanya,

On 5/8/24 06:48, lavanya tech wrote:


I figured out how I can make it work with 443. Now the URLs are
working.
I added iptables route 443 to 8443 and it started working.

nslookup example.lbg.com

Non-authoritative answer:
Name:server.lbg.com
Address:  192.168.200.105
Aliases:  example.lbg.com


I have some application towl running with apache tomcat. I have the below
URLs working.

https://server.lbg.com:8443/towl
https://server.lbg.com
https://example.lbg.com
https://example.lbg.com/towl


Now i wanted to disable the url https://example.lbg.com/towl and
https://server.lbg.com and access only the other remaining two.








I would *highly* recommend that you pick either /towl or / and not try to
do both, unless you want to deploy the application twice (which is fine,
just deploy towl.war and ROOT.war as copies of each other). If you try to
re-write /towl to / or / to /towl, you'll find you spend the rest of your
days tracking-down edge-cases and "fixing" them -- likely making things
confusing and, probably, worse.

In the end our goal is to make sure that the links are not always dead as soon
as the towl is moved to a new machine. Can you please assist me with how to do
that?



The goal should be that "moving" the application only means changing DNS
and everything else works as expected.

If you:

1. Deploy the application with a single context (e.g. /towl, which I
recommend)

2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
application that does nothing but 
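
Options 4b and 5b from the message above, as an added example that is not code from the list or from Tomcat: a throw-away towl.war whose only servlet redirects every request under /towl to the same path at the server root, keeping the rest of the path and the query string. The package name is an assumption; the context path /towl comes from the WAR file name, exactly as Chris describes in 4b.

```java
// Added example, not code from this thread or from Tomcat.
// Deployed as webapps/towl.war this answers under /towl and sends
// /towl/foo/bar?x=1 to /foo/bar?x=1 on the same host, where ROOT.war lives.
package example.towl;   // hypothetical package name

import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/*")
public class TowlRedirectServlet extends HttpServlet {

    // Every method (GET, POST, HEAD, ...) gets the same answer: this
    // application has no content of its own.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = serverRelativeTarget(req);
        // Per the Servlet spec, a sendRedirect() location that starts with a
        // single "/" is relative to the container root, not to this context,
        // which is the "redirect relative to the SERVER" point in 5a. Tomcat
        // either sends it as-is (useRelativeRedirects, the default) or makes
        // it absolute from the Connector's proxyName/proxyPort, so with the
        // settings from step 2 it resolves to https://example.lbg.com/...
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(target);
    }

    /**
     * Path (and query string) below /towl, re-rooted at "/". The result
     * starts with exactly one "/", so it can never turn into a
     * protocol-relative "//other-host/..." redirect to another site.
     */
    static String serverRelativeTarget(HttpServletRequest req) {
        String path = req.getPathInfo();          // "/foo/bar", or null for /towl itself
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        while (path.startsWith("//")) {           // collapse any leading run of slashes
            path = path.substring(1);
        }
        String query = req.getQueryString();
        return query == null ? path : path + "?" + query;
    }
}
```

Because the destination is built only from the request path and never from the Host header or a caller-supplied URL, the servlet cannot be used to bounce a visitor to a third-party site, and renaming the WAR to towl2.war moves the redirect to /towl2 without touching the code.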

Re: FileUpload class not working with Tomcat 10.1

2024-05-09 Thread Chuck Caldarale

> On May 9, 2024, at 01:25, Mark Foley  wrote:
> 
>> Does the JSP need to reference the "program" (servlet?) at all? 
> The program, as shown above, didn't work at all until I put that servlet 
> definition on WEB-INF/web.xml, so I suppose the answer is "yes". As to why, I 
> have not a clue.


A reading of the servlet spec might be in order here. Servlets (including JSPs) 
are selected based on the mapping of the  to the .


>> When you make a request, Tomcat determines which servlet in your application 
>> will service the request. If that's a JSP, then the JSP is invoked. A JSP 
>> just compiles to a servlet, just as if you had written a .java file with a 
>> class that "extends HttpServlet" or similar.
>> 
>> It's not clear what "the program" is: JSP or servlet? Or something else? 
> The programs are written in Java/JSP and, yes, Tomcat "compiles" them to 
> .class -- probably servlets.


No probably about it - JSPs are always compiled into servlets. “Program” is too 
generic a term to be used here - you need to be specific with what you’re 
talking about: servlets you coded and compiled, or JSPs that Tomcat turns into 
servlets. It’s hard to figure out exactly what you’re really talking about.


> I think I may have figured this out. Here are my two servlet definitions in 
> WEB-INF/web.xml:
> 
>   
>   uploadfile
>   /schDistImportResults.jsp
>   
>   /tmp
>   20848820
>   418018841
>   1048576
>   
>   
>   
>uploadfile
>   /schDistImportResults.jsp
>   
> 
>   
>   *upload1099*


I presume the asterisks are not actually present in your config.


>   /1099R-Etrans.jsp
>   
>   /tmp
>   20848820
>   418018841
>   1048576
>   
>   
>   
>*upload1099*
>   /1099R-Etrans.jsp
>   
> 
> In the 2nd definition, Taking Chuck's hint, I changed the servlet-name to 
> "upload1099". That seemed to work for the 1099R-Etrans.jsp program, but I 
> haven't been able to test the schDistImportResults.jsp program yet to see if 
> I broke that one. Why these definitions are needed in web.xml and how all 
> that works under the hood is, as Chuck said, "magic”.


It’s not magic at all - it’s how servlet selection works, as defined in the 
servlet spec. The “magic” was your expectation that servlets with the same name 
could co-exist. You need the web.xml entries because you have extra 
configuration items (the  settings) that aren’t part of the 
default JSP servlet definition.

  - Chuck



Re: Regarding Tomcat url redirection

2024-05-09 Thread lavanya tech
Hi Chris,

Thanks.

Just giving the background of this topic again.

1) The application team who is working they wanted to access the url
https://server.lbg.com:8443/towl —> which should redirect or point to
https://example.lbg.com

Is that a typo? You want specifically https://server.lbg.com/towl and
https://example.lbg.com/ to point to your application?
  — It’s not the Typo the requirements are still the same.

2) Hence I added firewall rule to redirect port 443 to 8443. And the url
https://example.lbg.com started working but its pointing to
https://server.lbg.com:8443 indeed and not https://server.lbg.com:8443/towl

But then they wanted the point 1 to have it. If I understood correctly. So
basically to achieve this we wanted a reverse proxy setup ?

I did not define any additional host in the server.xml file, I just left it to
default to localhost.



Thanks,
Lavanya



On Wednesday, May 8, 2024, Christopher Schultz 
wrote:

> Lavanya,
>
> On 5/8/24 06:48, lavanya tech wrote:
>
>> I figured out how I can make it work with 443. Now the URLs are
>> working.
>> I added iptables route 443 to 8443 and it started working.
>>
>> nslookup example.lbg.com
>>
>> Non-authoritative answer:
>> Name:server.lbg.com
>> Address:  192.168.200.105
>> Aliases:  example.lbg.com
>>
>>
>> I have some application towl running with apache tomcat. I have the below
>> URLs working.
>>
>> https://server.lbg.com:8443/towl
>> https://server.lbg.com
>> https://example.lbg.com
>> https://example.lbg.com/towl
>>
>>
>> Now i wanted to disable the url https://example.lbg.com/towl and
>> https://server.lbg.com and access only the other remaining two.
>>
>


>
> I would *highly* recommend that you pick either /towl or / and not try to
> do both, unless you want to deploy the application twice (which is fine,
> just deploy towl.war and ROOT.war as copies of each other). If you try to
> re-write /towl to / or / to /towl, you'll find you spend the rest of your
> days tracking-down edge-cases and "fixing" them -- likely making things
> confusing and, probably, worse.
>
>> In the end our goal is to make sure that the links are not always dead as soon
>> as the towl is moved to a new machine. Can you please assist me how to do
>> that?
>>
>
> The goal should be that "moving" the application only means changing DNS
> and everything else works as expected.
>
> If you:
>
> 1. Deploy the application with a single context (e.g. /towl, which I
> recommend)
>
> 2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT
> application that does nothing but redirect ; my personal preference)
>
> 3. Do not define any <Host> other than "localhost" and make it the
> default. Do not bother with any <Alias> elements since they are not
> necessary.
>
> Moving the application should only require that you:
>
> 4. Deploy the same application with the same configuration in the new
> location
>
> 5. Change DNS to point example.lbg.com and server.lbg.com to the new
> location of the service
>
> Hope that helps,
> -chris
>
> On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Lavanya,
>
> On 4/30/24 07:10, lavanya tech wrote:
>
> Can you tell me how to do the below ? How should I setup Tomcat in
> server.xml ?
>
>
> If you want to use port 443 (the default port for HTTPS) then you will
> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> or arrange to have port 443 routed to port 8443. You may need additional
> configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
> generate URLs with ":8443" in them.
>
> Looking forward to your reply.
>
>
> If Tomcat is listening on port 8443 then you will need to include that
> in your URL, period. If you want to allow URLs without a port number,
> you will have to arrange to have something listening on port 443.
>
> On Windows, Tomcat can listen directly on port 443. On UNIX and
> UNIX-like systems, you won't be able to do this without running Tomcat
> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
>
> There are other ways to get port 443 working, but I'll need to know more
> about your environment. The port issue is "easier" than figuring out
> whatever is going on with your DNS, aliases, etc. so I would recommend
> we fix one thing at a time.
>
> -chris
>
> On Mon, Apr 29, 2024 at 2:03 PM lavanya tech 
> wrote:
>
> Hi Chris,
>
> There are no issues with the browser, because I tested with different
> browsers and it all works fine. I am sure that there is no issue with the
> certificate. Because I was able to establish successful connections with
> port 8443, it just does not work without the port.
>
> curl  https://example.lbg.com/towl
> curl: (56) Received HTTP code 504 from proxy after CONNECT
> curl: (56) Received HTTP code 504 from proxy after CONNECT
>
>
> If you want to use port 443 (the default port for HTTPS) then you will
> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> or arrange to have port 

Re: FileUpload class not working with Tomcat 10.1

2024-05-09 Thread Mark Foley


On 5/7/2024 4:52 PM, Christopher Schultz wrote:

Mark,

On 5/3/24 12:16, Mark Foley wrote:


On 4/23/24 18:44, Chuck Caldarale wrote:


   uploadfile






   uploadfile
/schDistImportResults.jsp


The first servlet is named “uploadfile”.


On Apr 23, 2024, at 12:42, Mark Foley  wrote:

Now I need to add another program to the system that does file 
uploads. I
created another <servlet> definition in WEB-INF/web.xml following 
the original:



   uploadfile






   uploadfile
   /1099R-Etrans.jsp


This second servlet is also named “uploadfile”.

That didn't work so well.  Now, any and all programs using the 
fileupload
function launch this 2nd program 1099R-Etrans.jsp.  It appears 
that this

second <servlet> definition replaces the first.

You gave them the same names, so the second one wins...

What magic were you expecting to differentiate between the two?

   - Chuck

I can easily change the name of the second servlet, but how would 
the respective jsp programs (schDistImportResults.jsp, 
1099R-Etrans.jsp) specify one or the other? The programs do:

String contentType = request.getContentType();

if (contentType.startsWith("multipart/form-data;"))
{
 Part fileUpload = request.getPart("taxResults");  // for 
schDistImportResults.jsp

// or
 Part fileUpload = request.getPart("vendor1099-MISC"); // for 
1099R-Etrans.jsp


 InputStream inFile = fileUpload.getInputStream();
  :
}

That's it. There is nothing in the program that specifies a servlet 
name. My initial servlet definition (for schDistImportResults.jsp) 
was based on the XML suggestion from Christopher Schultz back in 
November, 2023. Since only the one jsp program was involved, there 
was no discussion of how to specify more than one program in web.xml.


So, I can (and will) give the servlets different names in web.xml, 
but how does the jsp program select the one for its use?


Does the JSP need to reference the "program" (servlet?) at all? 
The program, as shown above, didn't work at all until I put that servlet 
definition on WEB-INF/web.xml, so I suppose the answer is "yes". As to 
why, I have not a clue.


When you make a request, Tomcat determines which servlet in your 
application will service the request. If that's a JSP, then the JSP is 
invoked. A JSP just compiles to a servlet, just as if you had written 
a .java file with a class that "extends HttpServlet" or similar.


It's not clear what "the program" is: JSP or servlet? Or something else? 
The programs are written in Java/JSP and, yes, Tomcat "compiles" them to 
.class -- probably servlets.


It's also not clear how "the program" would or should reference a 
servlet name.


Maybe you can explain (again)?

-chris
I think I may have figured this out. Here are my two servlet definitions 
in WEB-INF/web.xml:

   <servlet>
      <servlet-name>uploadfile</servlet-name>
      <jsp-file>/schDistImportResults.jsp</jsp-file>
      <multipart-config>
         <location>/tmp</location>
         <max-file-size>20848820</max-file-size>
         <max-request-size>418018841</max-request-size>
         <file-size-threshold>1048576</file-size-threshold>
      </multipart-config>
   </servlet>
   <servlet-mapping>
      <servlet-name>uploadfile</servlet-name>
      <url-pattern>/schDistImportResults.jsp</url-pattern>
   </servlet-mapping>

   <servlet>
      <servlet-name>upload1099</servlet-name>
      <jsp-file>/1099R-Etrans.jsp</jsp-file>
      <multipart-config>
         <location>/tmp</location>
         <max-file-size>20848820</max-file-size>
         <max-request-size>418018841</max-request-size>
         <file-size-threshold>1048576</file-size-threshold>
      </multipart-config>
   </servlet>
   <servlet-mapping>
      <servlet-name>upload1099</servlet-name>
      <url-pattern>/1099R-Etrans.jsp</url-pattern>
   </servlet-mapping>

In the 2nd definition, taking Chuck's hint, I changed the servlet-name 
to "upload1099". That seemed to work for the 1099R-Etrans.jsp program, 
but I haven't been able to test the schDistImportResults.jsp program yet 
to see if I broke that one. Why these definitions are needed in web.xml 
and how all that works under the hood is, as Chuck said, "magic".


Re: Regarding Tomcat url redirection

2024-05-08 Thread Christopher Schultz

Lavanya,

On 5/8/24 06:48, lavanya tech wrote:

I figured out how I can make it work with 443. Now the URLs are working.
I added iptables route 443 to 8443 and it started working.

nslookup example.lbg.com

Non-authoritative answer:
Name:server.lbg.com
Address:  192.168.200.105
Aliases:  example.lbg.com


I have some application towl running with apache tomcat. I have the below
URLs working.

https://server.lbg.com:8443/towl
https://server.lbg.com
https://example.lbg.com
https://example.lbg.com/towl


Now I wanted to disable the url https://example.lbg.com/towl and
https://server.lbg.com and access only the other remaining two.


Is that a typo? You want specifically https://server.lbg.com/towl and 
https://example.lbg.com/ to point to your application?


I would *highly* recommend that you pick either /towl or / and not try 
to do both, unless you want to deploy the application twice (which is 
fine, just deploy towl.war and ROOT.war as copies of each other). If you 
try to re-write /towl to / or / to /towl, you'll find you spend the rest 
of your days tracking-down edge-cases and "fixing" them -- likely making 
things confusing and, probably, worse.



In the end our goal is to make sure that the links are not always dead as soon
as the towl is moved to a new machine. Can you please assist me how to do
that?


The goal should be that "moving" the application only means changing DNS 
and everything else works as expected.


If you:

1. Deploy the application with a single context (e.g. /towl, which I 
recommend)


2. Re-direct / to /towl (this requires a reverse-proxy or a ROOT 
application that does nothing but redirect ; my personal preference)


3. Do not define any <Host> other than "localhost" and make it the 
default. Do not bother with any <Alias> elements since they are not 
necessary.


Moving the application should only require that you:

4. Deploy the same application with the same configuration in the new 
location


5. Change DNS to point example.lbg.com and server.lbg.com to the new 
location of the service


Hope that helps,
-chris


On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/30/24 07:10, lavanya tech wrote:

Can you tell me how to do the below ? How should I setup Tomcat in
server.xml ?


If you want to use port 443 (the default port for HTTPS) then you will
need to change Tomcat to bind to port 443 (if that's allowed on your OS)
or arrange to have port 443 routed to port 8443. You may need additional
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
generate URLs with ":8443" in them.

Looking forward to your reply.


If Tomcat is listening on port 8443 then you will need to include that
in your URL, period. If you want to allow URLs without a port number,
you will have to arrange to have something listening on port 443.

On Windows, Tomcat can listen directly on port 443. On UNIX and
UNIX-like systems, you won't be able to do this without running Tomcat
as root WHICH YOU ABSOLUTELY SHOULD NOT DO.

There are other ways to get port 443 working, but I'll need to know more
about your environment. The port issue is "easier" than figuring out
whatever is going on with your DNS, aliases, etc. so I would recommend
we fix one thing at a time.

-chris


On Mon, Apr 29, 2024 at 2:03 PM lavanya tech 
wrote:


Hi Chris,

There are no issues with the browser, because I tested with different
browsers and it all works fine. I am sure that there is no issue with the
certificate. Because I was able to establish successful connections with
port 8443, it just does not work without the port.

curl  https://example.lbg.com/towl
curl: (56) Received HTTP code 504 from proxy after CONNECT
curl: (56) Received HTTP code 504 from proxy after CONNECT


If you want to use port 443 (the default port for HTTPS) then you will
need to change Tomcat to bind to port 443 (if that's allowed on your OS)
or arrange to have port 443 routed to port 8443. You may need additional
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
generate URLs with ":8443" in them.



should I use the connector port like the above? But you mentioned before we
don't need any configuration changes. Please clarify; I am not able to figure
this out and I have had this issue pending for many days. How to make it work
with port 8443 and without the port?

Also I wanted to use the web URL with the alias name permanently instead of the
hostname. How can I achieve both?

Thanks,
Lavanya


-->


On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/25/24 07:24, lavanya tech wrote:

Hi Chris,

One question / doubt:

As I mentioned earlier, the below URLs are already working in the browser

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl -> redirect (which means when I hit it in
the browser) it points to https://server.lbg.com:8443/towl ---> To be frank,
even I do not need a redirect here, not sure why it redirects.

Re: Regarding Tomcat url redirection

2024-05-08 Thread lavanya tech
Hello Chris,

I figured out how I can make it work with 443. Now the URLs are working.
I added iptables route 443 to 8443 and it started working.

nslookup example.lbg.com

Non-authoritative answer:
Name:server.lbg.com
Address:  192.168.200.105
Aliases:  example.lbg.com


I have some application towl running with apache tomcat. I have the below
URLs working.

https://server.lbg.com:8443/towl
https://server.lbg.com
https://example.lbg.com
https://example.lbg.com/towl


Now I wanted to disable the url https://example.lbg.com/towl and
https://server.lbg.com and access only the other remaining two.

In the end our goal is to make sure that the links are not always dead as soon
as the towl is moved to a new machine. Can you please assist me how to do
that?

Thanks,
Lavanya

On Tue, Apr 30, 2024 at 5:44 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/30/24 07:10, lavanya tech wrote:
> > Can you tell me how to do the below ? How should I setup Tomcat in
> > server.xml ?
> >
> >
> > If you want to use port 443 (the default port for HTTPS) then you will
> > need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> > or arrange to have port 443 routed to port 8443. You may need additional
> > configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
> > generate URLs with ":8443" in them.
> >
> > Looking forward to your reply.
>
> If Tomcat is listening on port 8443 then you will need to include that
> in your URL, period. If you want to allow URLs without a port number,
> you will have to arrange to have something listening on port 443.
>
> On Windows, Tomcat can listen directly on port 443. On UNIX and
> UNIX-like systems, you won't be able to do this without running Tomcat
> as root WHICH YOU ABSOLUTELY SHOULD NOT DO.
>
> There are other ways to get port 443 working, but I'll need to know more
> about your environment. The port issue is "easier" than figuring out
> whatever is going on with your DNS, aliases, etc. so I would recommend
> we fix one thing at a time.
>
> -chris
>
> > On Mon, Apr 29, 2024 at 2:03 PM lavanya tech 
> > wrote:
> >
> >> Hi Chris,
> >>
> >> There are no issues with the browser, because I tested with different
> >> browsers and it all works fine. I am sure that there is no issue with the
> >> certificate. Because I was able to establish successful connections with
> >> port 8443, it just does not work without the port.
> >>
> >>   curl  https://example.lbg.com/towl
> >> curl: (56) Received HTTP code 504 from proxy after CONNECT
> >> curl: (56) Received HTTP code 504 from proxy after CONNECT
> >>
> >>
> >> If you want to use port 443 (the default port for HTTPS) then you will
> >> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> >> or arrange to have port 443 routed to port 8443. You may need additional
> >> configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
> >> generate URLs with ":8443" in them.
> >>
> >>  >> connectionTimeout="2"
> >> redirectPort="8443"
> >> maxThreads="150"
> >> scheme="https" secure="true" SSLEnabled="true"
> >> keystoreFile="path_to_your_keystore_file"
> >> keystorePass="your_keystore_password"
> >> keystoreType="PKCS12"
> >> clientAuth="false" sslProtocol="TLS"
> >> proxyPort="443"/>
> >>
> >> should I use the connector port like the above? But you mentioned before we
> >> don't need any configuration changes. Please clarify; I am not able to figure
> >> this out and I have had this issue pending for many days. How to make it work
> >> with port 8443 and without the port?
> >>
> >> Also I wanted to use the web URL with the alias name permanently instead of the
> >> hostname. How can I achieve both?
> >>
> >> Thanks,
> >> Lavanya
> >>
> >>
> >>-->
> >>
> >>
> >> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>> Lavanya,
> >>>
> >>> On 4/25/24 07:24, lavanya tech wrote:
>  Hi Chris,
> 
>  One question / doubt:
> 
>  As I mentioned earlier, the below URLs are already working in the browser
>  https://server.lbg.com:8443/towl
>  https://example.lbg.com:8443/towl -> redirect (which means when I hit it in
>  the browser) it points to https://server.lbg.com:8443/towl ---> To be frank,
>  even I do not need a redirect here, not sure why it redirects.
> 
>  My question is why it's working even though the SAN is not registered with
>  the certificate? It does not even throw a warning in the browser.
> >>>
> >>> I'm not sure. Is it possible you have dismissed this error in the past
> >>> and the browser is remembering that? Try this with a different web
> >>> browser or maybe with curl from the command-line to see what happens.
> >>>
>  Why https://server.lbg.com/towl or https://example.lbg.com/towl -->
> >>> How it
>  should work with New SAN certificate 
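
As an added example of option 2 in Chris's list (my code, not Chris's and not part of Tomcat): a ROOT application that consists of one servlet and does nothing but redirect the site root to /towl/. It assumes Tomcat 10.1 (jakarta.servlet; javax.servlet on Tomcat 9) and that the real application is deployed as towl.war; the class name is mine.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/*
 * Hypothetical ROOT.war consisting of this single class. Mapped to "/" it
 * replaces the default servlet, so every request that reaches the ROOT
 * context (i.e. anything not claimed by /towl) lands here.
 */
@WebServlet(urlPatterns = "/")
public class RootRedirectServlet extends HttpServlet {

    // Context path of the real application; an assumption for this example
    static final String TARGET = "/towl/";

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String location = redirectTarget(req.getRequestURI());
        if (location == null) {
            // Do not try to translate arbitrary paths into /towl/... (the
            // edge cases Chris warns about); just say the resource is not here.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Fixed, server-chosen target: no request data reaches the Location
        // header, so this cannot turn into an open redirect. 301 lets browsers
        // and crawlers remember the move; use 302 while still testing.
        resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        resp.setHeader("Location", location);
        resp.setHeader("Cache-Control", "max-age=3600");
    }

    /** Only the bare site root is redirected; everything else yields null. */
    static String redirectTarget(String requestUri) {
        if (requestUri == null || requestUri.isEmpty() || "/".equals(requestUri)) {
            return TARGET;
        }
        return null;
    }
}
```

Only the bare "/" is redirected and everything else gets a 404, which is the deliberate opposite of rewriting paths between / and /towl. The Location header is path-absolute and set directly, so the browser resolves it against whatever origin it used (example.lbg.com or server.lbg.com, port 443 or 8443) and no host or port is baked into the redirect; moving the application really is only a DNS change. Where Tomcat does build an absolute URL itself, it takes the port from the Connector, which is why Chris mentions proxyPort="443" when port 443 is forwarded to 8443.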

Re: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Christopher Schultz

Joey,

On 5/7/24 10:50, Joey Cochran wrote:

Could this be the culprit?

${CATALINA_BASE}/conf/context.xml

 
 


Possible, but the report was that every single request generates a new 
JSESSIONID, not that every session seems to have expired and needs to be 
re-initialized.


-chris



From: Hamdan Khan 
Sent: Tuesday, May 7, 2024 9:09 AM
To: users@tomcat.apache.org 
Subject: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even 
with <%@ page session="false" %>

Thank you Mark,

We have HAR files from when the server is in the error state; they show that
the jsessionid is sent in the request.

*Is there a reverse proxy in the mix?*
No. We directly access Tomcat.

*Are you using sessions at all*
Yes, we are using the default Tomcat session; in the debugger it says
(org.apache.catalina.session.StandardSessionFacade)

*That is just a single page and any page can potentially trigger session
creation.*
It is a multi-page application; we create and maintain our UserSession
object, which is used to auth on subsequent requests. The application is
working OK on many of our servers, but starts to generate a jsessionid for
every request once the server goes into the problem state.

*It would be interesting to know if you need to clear both of these or
whether clearing just one is sufficient to resolve the issue. That might
narrow down potential root causes.*
I have requested the team to restart without removing work/temp; I will update
later in the week.

*You could try attaching a profiler and recording object allocations. That
should show you where/how sessions are being created.*
I don't think that is possible for a production server, but if we can get a
clue on how to reproduce this case.

We have a SessionListener; we will add logging to it.

thanks,
Hamdan



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: FileUpload class not working with Tomcat 10.1

2024-05-07 Thread Christopher Schultz

Mark,

On 5/3/24 12:16, Mark Foley wrote:


On 4/23/24 18:44, Chuck Caldarale wrote:


   uploadfile






   uploadfile
   /schDistImportResults.jsp


The first servlet is named “uploadfile”.


On Apr 23, 2024, at 12:42, Mark Foley  wrote:

Now I need to add another program to the system that does file 
uploads. I
created another <servlet> definition in WEB-INF/web.xml following the 
original:



   uploadfile






   uploadfile
   /1099R-Etrans.jsp


This second servlet is also named “uploadfile”.

That didn't work so well.  Now, any and all programs using the 
fileupload
function launch this 2nd program 1099R-Etrans.jsp.  It appears that 
this

second <servlet> definition replaces the first.

You gave them the same names, so the second one wins...

What magic were you expecting to differentiate between the two?

   - Chuck

I can easily change the name of the second servlet, but how would the 
respective jsp programs (schDistImportResults.jsp, 1099R-Etrans.jsp) 
specify one or the other? The programs do:

String contentType = request.getContentType();

if (contentType.startsWith("multipart/form-data;"))
{
     Part fileUpload = request.getPart("taxResults");  // for 
schDistImportResults.jsp

// or
     Part fileUpload = request.getPart("vendor1099-MISC"); // for 
1099R-Etrans.jsp


     InputStream inFile = fileUpload.getInputStream();
  :
}

That's it. There is nothing in the program that specifies a servlet 
name. My initial servlet definition (for schDistImportResults.jsp) was 
based on the XML suggestion from Christopher Schultz back in November, 
2023. Since only the one jsp program was involved, there was no 
discussion of how to specify more than one program in web.xml.


So, I can (and will) give the servlets different names in web.xml, but 
how does the jsp program select the one for its use?


Does the JSP need to reference the "program" (servlet?) at all? When you 
make a request, Tomcat determines which servlet in your application will 
service the request. If that's a JSP, then the JSP is invoked. A JSP 
just compiles to a servlet, just as if you had written a .java file with 
a class that "extends HttpServlet" or similar.


It's not clear what "the program" is: JSP or servlet? Or something else? 
It's also not clear how "the program" would or should reference a 
servlet name.


Maybe you can explain (again)?

-chris




[ANN] Apache Tomcat 9.0.89 available

2024-05-07 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.89.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.89 is a bugfix and feature release. The notable
changes compared to 9.0.88 include:

- Refactor HTTP header parsing to use common parsing code and fix
   non-blocking reads of chunked request bodies including trailer fields

- Add more timescale options to AccessLogValve and
   ExtendedAccessLogValve

- WebDAV locking handling fixes

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Joey Cochran
Could this be the culprit?

${CATALINA_BASE}/conf/context.xml






From: Hamdan Khan 
Sent: Tuesday, May 7, 2024 9:09 AM
To: users@tomcat.apache.org 
Subject: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New 
JSESSIONID even with <%@ page session="false" %>

Thank you Mark,

We have HAR files from when the server is in the error state; they show that
the jsessionid is sent in the request.

*Is there a reverse proxy in the mix?*
No. We directly access Tomcat.

*Are you using sessions at all*
Yes, we are using the default Tomcat session; in the debugger it says
(org.apache.catalina.session.StandardSessionFacade)

*That is just a single page and any page can potentially trigger session
creation.*
It is a multi-page application; we create and maintain our UserSession
object, which is used to auth on subsequent requests. The application is
working OK on many of our servers, but starts to generate a jsessionid for
every request once the server goes into the problem state.

*It would be interesting to know if you need to clear both of these or
whether clearing just one is sufficient to resolve the issue. That might
narrow down potential root causes.*
I have requested the team to restart without removing work/temp; I will update
later in the week.

*You could try attaching a profiler and recording object allocations. That
should show you where/how sessions are being created.*
I don't think that is possible for a production server, but if we can get a
clue on how to reproduce this case.

We have a SessionListener; we will add logging to it.

thanks,
Hamdan


RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Hamdan Khan
Thank you Mark,

We have HAR files from when the server is in the error state; they show that
the jsessionid is sent in the request.

*Is there a reverse proxy in the mix?*
No. We directly access Tomcat.

*Are you using sessions at all*
Yes, we are using the default Tomcat session; in the debugger it says
(org.apache.catalina.session.StandardSessionFacade)

*That is just a single page and any page can potentially trigger session
creation.*
It is a multi-page application; we create and maintain our UserSession
object, which is used to auth on subsequent requests. The application is
working OK on many of our servers, but starts to generate a jsessionid for
every request once the server goes into the problem state.

*It would be interesting to know if you need to clear both of these or
whether clearing just one is sufficient to resolve the issue. That might
narrow down potential root causes.*
I have requested the team to restart without removing work/temp; I will update
later in the week.

*You could try attaching a profiler and recording object allocations. That
should show you where/how sessions are being created.*
I don't think that is possible for a production server, but if we can get a
clue on how to reproduce this case.

We have a SessionListener; we will add logging to it.

thanks,
Hamdan


Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-07 Thread Michael Osipov
We need to distinguish between constrained and unconstrained delegation. Let's stay 
with unconstrained, the simplest one.

For that to happen you need:
* Enable it for the service account (acceptor side)
* Set the delegate flag (also there is a policy) on the security context 
(initiator side)

Try again. The best thing would be to do it with gss-client/gss-server, which 
come with MIT Kerberos; otherwise you have too many variables in the game.

Alternatively, use https://github.com/pythongssapi/python-gssapi. It has a 
fantastic interface to MIT Kerberos or Heimdal to exactly evaluate your 
environment. I use it as well.

Michael

On 2024/05/03 13:42:39 Tom Delaney wrote:
> Thanks for the reply Michael,
> 
> I'm trying to achieve retrieving delegated credentials. I'm confused by the
> debug output because I'm being told that authentication succeeded but no
> indication of why I'm not receiving delegated credentials other than there
> are none.I have looked over the delegation rules for the service account
> and SPN multiple times. When you mentioned "S4U is tried, but not
> configured for that account. Totally fine" What does that mean? Is there a
> specific place on Tomcat or Windows I need to look for this?
> 
> What I'm expecting to see outputted "Delegated Creds have pname=
> tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
> authtime=null starttime={date/timestamp} endtime={date/timestamp}"
> 
> P.S
> I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
> instead of "SA_EX_SSO"
> 
> On Fri, May 3, 2024 at 8:26 AM Michael Osipov  wrote:
> 
> > On 2024/05/02 19:20:59 Tom Delaney wrote:
> > > Hi All,
> > >
> > > Sorry for the duplicate requests. The first one was accidentally flagged
> > > for Google's new Confidential Mode which happened to be flagged.
> > > I have a red hat 9.2 server hosting a web application on a single
> > instance
> > > of Apache Tomcat. This instance is behind an apache HTTP server on
> > version
> > > 2.4.57.The application is hosted on Tomcat 9.0.54.
> > >
> > > Domain: subdomain.domain.com
> > > Site: devexample.domain.com
> > >
> > > URL hit: https://example.subdomain.domain.com/webclient/
> > > exclient.jsp
> > >
> > > *I keep getting this in the Tomcat Logs when accessing the application:*
> > > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
> >
> > You should first try to describe what you are trying to achieve and not
> > what the debug output is. The debug message comes from:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> > The message is obviously caused by this call:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
> >
> > S4U is tried, but not configured for that account. Totally fine.
> >
> > BTW: The filter you use isn't from us.
> >
> > M
> >
> >
> >
> 
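
To make the two sides of Michael's checklist concrete, here is an added JGSS illustration (my code, not from the thread and not Tomcat's): the initiator sets the delegate flag on its security context, and the acceptor checks whether delegated credentials actually arrived before trying to use them. It assumes both ends already hold Kerberos credentials through a JAAS Krb5LoginModule login (run inside Subject.doAs, or with javax.security.auth.useSubjectCredsOnly=false) and that the service account behind the placeholder name HTTP@host.example is enabled for unconstrained delegation in the directory; the class, method and variable names are mine.

```java
import java.util.Optional;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Hypothetical walk-through of a SPNEGO context setup with delegation.
 * Both sides run in one JVM for illustration; in real life the tokens
 * travel in the Authorization: Negotiate and WWW-Authenticate: Negotiate
 * headers, and each side runs inside its own JAAS (Krb5LoginModule) login.
 */
public class DelegationCheck {

    // SPNEGO mechanism OID (RFC 4178)
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Placeholder host-based service name; use the real HTTP SPN
    private static final String SERVICE = "HTTP@host.example";

    /** Initiator side: set the delegate flag before producing the first token. */
    static GSSContext newInitiator(GSSManager manager) throws GSSException {
        GSSName service = manager.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, new Oid(SPNEGO_OID),
                null, GSSContext.DEFAULT_LIFETIME);
        // Asks the KDC for a forwarded TGT to hand to the acceptor. With the
        // JDK Kerberos mechanism the client's own TGT must be forwardable
        // (forwardable = true in krb5.conf, or kinit -f); otherwise the request
        // is dropped and the acceptor sees no delegated credentials.
        ctx.requestCredDeleg(true);
        return ctx;
    }

    /** Acceptor side: a null credential means "use the default acceptor cred". */
    static GSSContext newAcceptor(GSSManager manager) throws GSSException {
        return manager.createContext((GSSCredential) null);
    }

    /**
     * Exchange tokens until both contexts are established, then return the
     * delegated credential if, and only if, delegation was negotiated.
     */
    static Optional<GSSCredential> negotiate(GSSContext initiator, GSSContext acceptor)
            throws GSSException {
        byte[] token = new byte[0];
        // SPNEGO over Kerberos needs at most a couple of round trips
        for (int round = 0; round < 4 && !initiator.isEstablished(); round++) {
            token = initiator.initSecContext(token, 0, token.length);
            if (token == null || token.length == 0 || acceptor.isEstablished()) {
                break;
            }
            token = acceptor.acceptSecContext(token, 0, token.length);
            if (token == null) {
                token = new byte[0];
            }
        }
        if (!initiator.isEstablished() || !acceptor.isEstablished()) {
            throw new GSSException(GSSException.FAILURE);
        }
        // getDelegCred() on a context without delegation throws, so test the
        // negotiated flag first: a false here is the "No Delegated Creds" case
        // on the acceptor and points at the account or TGT settings above.
        if (!acceptor.getCredDelegState()) {
            return Optional.empty();
        }
        return Optional.ofNullable(acceptor.getDelegCred());
    }

    /** One-line summary of what the acceptor received. */
    static String describe(GSSCredential cred) throws GSSException {
        return "delegated credential for " + cred.getName()
                + ", " + cred.getRemainingLifetime() + "s remaining";
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Optional<GSSCredential> delegated =
                negotiate(newInitiator(manager), newAcceptor(manager));
        System.out.println(delegated.map(DelegationCheck::describeQuietly)
                .orElse("context established, but no delegated credentials"));
    }

    private static String describeQuietly(GSSCredential cred) {
        try {
            return describe(cred);
        } catch (GSSException e) {
            return "delegated credential present, but unreadable: " + e.getMessage();
        }
    }
}
```

The point of separating the two checks is diagnostic: an established context with getCredDelegState() false means authentication worked but delegation was never negotiated, so the cause is on the initiator side (flag not set, TGT not forwardable) or in the account's delegation setting, not in the acceptor code. Unconstrained delegation hands the service a full TGT for the user, which is why Michael's gss-client/gss-server or python-gssapi test is worth running first: it shows whether the KDC is willing to forward at all before any Tomcat filter enters the picture.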




Re: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Mark Thomas

On 06/05/2024 11:05, Hamdan Khan wrote:

Hello everyone,

We're having a problem with Tomcat on Windows servers. It only happens when:

Tomcat is running as a service (automatically started by Windows).
The Windows server automatically restarts for updates.
After the restart, Tomcat starts creating new session IDs for
every request,


That suggests that the client isn't returning the session ID to Tomcat 
for the subsequent request. I'd be asking why that is the case.


Is there a reverse proxy in the mix?

Are you using sessions at all or are they completely disabled? If yes, 
which session manager are you using?



even though our jsp tells it not to.

<%@ page session="false" %>


That is just a single page and any page can potentially trigger session 
creation.



We can fix this by deleting temp and work files from Tomcat and restarting
the service ourselves.  However, this is a manual process, and we'd like to
find a more permanent solution.


It would be interesting to know if you need to clear both of these or 
whether clearing just one is sufficient to resolve the issue. That might 
narrow down potential root causes.



Can anyone help us understand why this might be happening?


I can't think of any way Tomcat would do this. This feels more like an 
application issue at this point.



Or what logs to
configure and monitor.


My preference would always be to attach an IDE and use remote debugging 
but that probably isn't an option in production.


You could try attaching a profiler and recording object allocations. 
That should show you where/how sessions are being created.


The minimally invasive option would probably be to add an 
HttpSessionListener to your application that logs the current stack 
trace every time a session is created.



Version of Tomcat is Tomcat-9.0.83

To emphasize: we are not able to reproduce this on our local computers; it
only happens on the long-running production servers.


If you manually reboot the production servers (without clearing out work 
or temp) can you trigger the issue?


Mark
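
As an added example of the minimally invasive option Mark describes (my code, not Mark's and not shipped with Tomcat): an HttpSessionListener that logs the stack trace of the first few session creations after startup and afterwards only keeps a count, so it can stay deployed on a production server. Assumes Tomcat 10.1 (jakarta.servlet; for the 9.0.83 in this thread the only change is the javax.servlet import prefix); the class name and the TRACE_LIMIT value are mine.

```java
import java.util.concurrent.atomic.AtomicLong;

import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

/*
 * Hypothetical listener: records who creates sessions. Logs a full stack
 * trace for the first few creations after startup, then only a counter,
 * so a busy production server is not flooded.
 */
@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    // Number of creations that get a full stack trace; an assumption
    static final int TRACE_LIMIT = 20;

    private static final AtomicLong created = new AtomicLong();
    private static final AtomicLong destroyed = new AtomicLong();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        long n = created.incrementAndGet();
        String id = se.getSession().getId();
        if (n <= TRACE_LIMIT) {
            // The Throwable is only a carrier for the stack trace; the frames
            // between this method and the Coyote adapter show which JSP,
            // servlet, filter or library called getSession().
            se.getSession().getServletContext().log(
                    "session #" + n + " created, id " + abbreviate(id),
                    new Throwable("session creation trace"));
        } else if (n % 1000 == 0) {
            se.getSession().getServletContext().log(
                    "session creations so far: " + n
                    + ", destroyed: " + destroyed.get());
        }
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        destroyed.incrementAndGet();
    }

    /** Log only a prefix; the full id is the bearer token for the session. */
    static String abbreviate(String sessionId) {
        if (sessionId == null) {
            return "?";
        }
        return sessionId.substring(0, Math.min(8, sessionId.length())) + "...";
    }

    /** Current counters, e.g. for a health endpoint or JMX bean. */
    static long[] counters() {
        return new long[] { created.get(), destroyed.get() };
    }
}
```

Because the trace goes through ServletContext.log(), it ends up in the web application's logger (the host's localhost log with Tomcat's default logging.properties), and the frames between sessionCreated and the Coyote adapter name the JSP, servlet, filter or library that called getSession(). Note that <%@ page session="false" %> only stops that one JSP from creating its implicit session object; every other JSP defaults to session="true", which is the kind of thing this listener makes visible without attaching a debugger.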




After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-06 Thread Hamdan Khan
Hello everyone,

We're having a problem with Tomcat on Windows servers. It only happens when:

Tomcat is running as a service (automatically started by Windows).
The Windows server automatically restarts for updates.
After the restart, Tomcat starts creating new session IDs for
every request, even though our jsp tells it not to.

<%@ page session="false" %>

We can fix this by deleting temp and work files from Tomcat and restarting
the service ourselves.  However, this is a manual process, and we'd like to
find a more permanent solution.

Can anyone help us understand why this might be happening? Or what logs to
configure and monitor.

Version of Tomcat is Tomcat-9.0.83

To emphasize we are not able to reproduce this in our local computer it
only happens to the longrunning production servers.

Thanks in advance for your help!
Hamdan


Re: FileUpload class not working with Tomcat 10.1

2024-05-03 Thread Mark Foley


On 4/23/24 18:44, Chuck Caldarale wrote:


<servlet>
   <servlet-name>uploadfile</servlet-name>
   ...
</servlet>

<servlet-mapping>
   <servlet-name>uploadfile</servlet-name>
   <url-pattern>/schDistImportResults.jsp</url-pattern>
</servlet-mapping>


The first servlet is named “uploadfile”.


On Apr 23, 2024, at 12:42, Mark Foley  wrote:

Now I need to add another program to the system that does file uploads. I
created another <servlet> definition in WEB-INF/web.xml following the original:


<servlet>
   <servlet-name>uploadfile</servlet-name>
   ...
</servlet>

<servlet-mapping>
   <servlet-name>uploadfile</servlet-name>
   <url-pattern>/1099R-Etrans.jsp</url-pattern>
</servlet-mapping>


This second servlet is also named “uploadfile”.


That didn't work so well.  Now, any and all programs using the fileupload
function launch this 2nd program 1099R-Etrans.jsp.  It appears that this
second <servlet> definition replaces the first.

You gave them the same names, so the second one wins...

What magic were you expecting to differentiate between the two?

   - Chuck

I can easily change the name of the second servlet, but how would the 
respective jsp programs (schDistImportResults.jsp, 1099R-Etrans.jsp) specify 
one or the other? The programs do:

String contentType = request.getContentType();

if (contentType.startsWith("multipart/form-data;"))
{
    Part fileUpload = request.getPart("taxResults");  // for 
schDistImportResults.jsp

// or
    Part fileUpload = request.getPart("vendor1099-MISC"); // for 
1099R-Etrans.jsp


    InputStream inFile = fileUpload.getInputStream();
 :
}

That's it. There is nothing in the program that specifies a servlet 
name. My initial servlet definition (for schDistImportResults.jsp) was 
based on the XML suggestion from Christopher Schultz back in November, 
2023. Since only the one jsp program was involved, there was no 
discussion of how to specify more than one program in web.xml.


So, I can (and will) give the servlets different names in web.xml, but 
how does the jsp program select the one for its use?


Thanks --Mark
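As an added example (my own, not the poster's web.xml and not the earlier suggestion referred to above), this is how two JSPs each get their own servlet definition. The JSP never names its servlet: the request URL does, through <url-pattern>, so each page is served by the <servlet> whose <jsp-file> it is, with that entry's <multipart-config>. The servlet names and the size limits are assumptions; the part names ("taxResults", "vendor1099-MISC") continue to come from the HTML form and are read with request.getPart() exactly as before.

```xml
<!-- Added example, not the poster's file. Two upload JSPs, each with its own
     servlet definition. Declaring explicit limits keeps one oversized request
     from filling the temp directory; tune the numbers to the real files. -->
<servlet>
  <servlet-name>schDistImport</servlet-name>
  <jsp-file>/schDistImportResults.jsp</jsp-file>
  <multipart-config>
    <!-- assumed limits: 5 MiB per file, 6 MiB per request, spool to disk above 64 KiB -->
    <max-file-size>5242880</max-file-size>
    <max-request-size>6291456</max-request-size>
    <file-size-threshold>65536</file-size-threshold>
  </multipart-config>
</servlet>
<servlet-mapping>
  <servlet-name>schDistImport</servlet-name>
  <url-pattern>/schDistImportResults.jsp</url-pattern>
</servlet-mapping>

<servlet>
  <servlet-name>etrans1099R</servlet-name>
  <jsp-file>/1099R-Etrans.jsp</jsp-file>
  <multipart-config>
    <max-file-size>5242880</max-file-size>
    <max-request-size>6291456</max-request-size>
    <file-size-threshold>65536</file-size-threshold>
  </multipart-config>
</servlet>
<servlet-mapping>
  <servlet-name>etrans1099R</servlet-name>
  <url-pattern>/1099R-Etrans.jsp</url-pattern>
</servlet-mapping>
```

Each `<servlet-name>` must be unique within web.xml, which is why the second "uploadfile" entry replaced the first. If many JSPs need getPart(), the alternative is allowCasualMultipartParsing="true" on the application's <Context>, which lets any servlet or JSP parse multipart requests without a per-servlet <multipart-config>; that trades the per-page limits above for convenience, so the explicit entries are the safer choice for a small number of upload pages.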


Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Tom Delaney
Thanks for the reply Michael,

I'm trying to achieve retrieving delegated credentials. I'm confused by the
debug output because I'm being told that authentication succeeded but no
indication of why I'm not receiving delegated credentials other than there
are none. I have looked over the delegation rules for the service account
and SPN multiple times. When you mentioned "S4U is tried, but not
configured for that account. Totally fine" What does that mean? Is there a
specific place on Tomcat or Windows I need to look for this?

What I'm expecting to see outputted "Delegated Creds have pname=
tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
authtime=null starttime={date/timestamp} endtime={date/timestamp}"

P.S
I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
instead of "SA_EX_SSO"

On Fri, May 3, 2024 at 8:26 AM Michael Osipov  wrote:

> On 2024/05/02 19:20:59 Tom Delaney wrote:
> > Hi All,
> >
> > Sorry for the duplicate requests. The first one was accidentally flagged
> > for Google's new Confidential Mode which happened to be flagged.
> > I have a red hat 9.2 server hosting a web application on a single
> instance
> > of Apache Tomcat. This instance is behind an apache HTTP server on
> version
> > 2.4.57. The application is hosted on Tomcat 9.0.54.
> >
> > Domain: subdomain.domain.com
> > Site: devexample.domain.com
> >
> > URL hit: https://example.subdomain.domain.com/webclient/
> > exclient.jsp
> >
> > *I keep getting this in the Tomcat Logs when accessing the application:*
> > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
>
> You should first try to describe what you are trying to achieve and not
> what the debug output is. The debug message comes from:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> The message is obviously caused by this call:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
>
> S4U is tried, but not configured for that account. Totally fine.
>
> BTW: The filter you use isn't from us.
>
> M
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
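To make the difference between "authenticated" and "delegated" concrete, here is an added example of the acceptor-side check in plain JGSS (my code; it is neither the filter in use above nor Tomcat's own SPNEGO authenticator). It assumes the caller already holds a GSSCredential for the HTTP/host service principal, typically obtained from the keytab through a JAAS login with Krb5LoginModule, and that the class and field names are free to choose.

```java
// Added example: accept one SPNEGO token and report whether the client delegated.
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public final class SpnegoAcceptor {

    /** What the acceptor learned from one Negotiate token. */
    public static final class Outcome {
        public final String clientName;            // e.g. user@SUBDOMAIN.DOMAIN.COM
        public final boolean forwardedTgt;         // client sent its TGT (unconstrained delegation)
        public final GSSCredential delegatedCred;  // usable for onward GSS authentication, else null

        Outcome(String clientName, boolean forwardedTgt, GSSCredential delegatedCred) {
            this.clientName = clientName;
            this.forwardedTgt = forwardedTgt;
            this.delegatedCred = delegatedCred;
        }
    }

    /**
     * @param serverCred     acceptor credential for HTTP/host, e.g. from a keytab via a JAAS
     *                       login (Krb5LoginModule with useKeyTab=true, storeKey=true)
     * @param authorization  the request's Authorization header, "Negotiate <base64>"
     */
    public static Outcome accept(GSSCredential serverCred, String authorization) throws GSSException {
        if (authorization == null || !authorization.startsWith("Negotiate ")) {
            throw new IllegalArgumentException("not a SPNEGO Authorization header");
        }
        byte[] token = Base64.getDecoder()
                .decode(authorization.substring("Negotiate ".length()).trim());

        GSSContext ctx = GSSManager.getInstance().createContext(serverCred);

        // Kerberos normally completes in a single leg, so reply is null. If it is not
        // null and the context is not yet established, it has to go back to the client
        // in "WWW-Authenticate: Negotiate <base64>" and this method is called again.
        byte[] reply = ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        String client = ctx.getSrcName().toString();

        // This flag, not isEstablished(), answers the "No Delegated Creds" question.
        // It is true only when the client's AP-REQ carried a forwarded TGT, which a
        // Windows client does only if the KDC marked the service ticket OK-AS-DELEGATE,
        // i.e. the service account is trusted for unconstrained delegation.
        if (ctx.getCredDelegState()) {
            return new Outcome(client, true, ctx.getDelegCred());
        }

        // No forwarded TGT. In the JDK source linked above, getDelegCred() would now
        // fall back to S4U2proxy (constrained delegation) and log
        // "Constrained deleg from GSSCaller{...}". That only produces a usable
        // credential if the service account's msDS-AllowedToDelegateTo lists the
        // back-end SPN, so this example does not call it and reports the plain result.
        // The caller should ctx.dispose() once the request has been handled.
        return new Outcome(client, false, null);
    }
}
```

Read together with the debug line in the reply: "Constrained deleg from GSSCaller{UNKNOWN}" is the JDK taking the S4U2proxy path because getCredDelegState() was false, and the outcome depends on the account's delegation settings in Active Directory, not on anything in Tomcat. Checking the flag first, as above, separates "the user did not forward a TGT" from "S4U2proxy was attempted and is not configured", which the original output does not.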


Re: Package URLs for Apache Tomcat distributions

2024-05-03 Thread von Loewenstein, Jan
Hi,

I think in the end it boils down to something very simple (and probably very 
complicated from another perspective): Can the id of a piece of software be 
used to find vulnerabilities?

In the context of this mailing list and the example you brought up with 
defaulting to pkg:maven, the important question is: Will a security researcher 
finding a vulnerability in e.g. the catalina.sh script - that’s probably not 
published to Maven Central (?) – report this against 
pkg:maven/org.apache.tomcat/tomcat, which points to artefacts that are 
published to Maven Central?

Best regards
Jan

From: Arnout Engelen 
Date: Friday, 3. May 2024 at 14:28
To: security-disc...@community.apache.org 

Cc: Tomcat Users List 
Subject: Re: Package URLs for Apache Tomcat distributions

Thanks for bringing this up! The topic of software (artifact)
identification is indeed a tricky one. CPEs have long been the main
contender, but are not great for the SBOM (and 'vulnerability scanning'
based on SBOMs) use case because CPE allocations need to go through the NVD CPE
team, and generally are only allocated when the project has its first CVE
vulnerability advisory.

Indeed purls seem like a promising candidate. The use of several 'purl
types' and piggy-backing on existing popular distribution mechanisms help
it scale.

A possible limitation of having the different 'purl types' is that a single
piece of software may have a name in different namespaces: if a
vulnerability is found in Tomcat, should its advisory refer to
"pkg:github/apache/tomcat", or "pkg:maven/org.apache.tomcat/tomcat", or a
to-be-introduced "apache" or "asf" type? All of them? Should there be a
database of "equivalences" or similar relationships between purls for the
same software under different types?

I've actually prototyped an approach for an 'asf' purl type based on an
Apache identifier registry in
https://lists.apache.org/thread/ddl2lnm2mbm0vm62yxlwyh3cbv47wyr7. However,
that somewhat goes against the purl design where the purl can ideally be
'inferred from context' rather than explicitly 'defined'. For example for
artifacts that are typically published to Maven Central, it currently
doesn't seem to be the convention to use any other purl type: the CycloneDX
Maven plugin pretty much hard-codes the 'maven' type (
https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L147).
Should we then not have an 'apache'/'asf' type at all? Or only for
artifacts that cannot be described using any other type? Or for all
artifacts, making an 'equivalences database' a mandatory part of any
vulnerability scanner?


Kind regards,

Arnout

On Mon, Apr 15, 2024 at 2:20 PM von Loewenstein, Jan
 wrote:

> Hi all,
>
> I recently started a discussion about pURLs as package identifier on the
> Tomcat mailing list and it was brought up, that this might be a broader
> topic to be discussed here.
>
> Best regards
> Jan
>
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Date: Monday, 15. April 2024 at 13:14
> To: Tomcat Users List 
> Subject: AW: Package URLs for Apache Tomcat distributions
>
> > On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > > Hi folks,
> > >
> > > I am part of the Paketo community, and we are providing Cloud Native
> > Buildpacks to create container images with – amongst other technologies –
> > Apache Tomcat and Apache TomEE as application runtimes.
> > >
> > > One of the features of Cloud Native Buildpacks is that images come with
> > Software-Bill-of-Material. When installing Apache Tomcat, we issue the
> > following CPE and pURL to the SBOM:
> > >
> > >1.  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > >2.  pkg:generic/apache-tomcat@10.1.20
> > >
> > > The former should be the right 

Re: Package URLs for Apache Tomcat distributions

2024-05-03 Thread Lars Francke
Just as an FYI that we established an official TG (Task Group) for
PURL in yesterday's Ecma TC54 (CycloneDX) meeting:
https://docs.google.com/document/d/1BkBd4PRhpP_u1WO_GueYB89vehT_HPKgFMMfbTuKWV4/edit#heading=h.si64e7edhupe
This will take a bit to get set up but this may be something some
people here may be interested in participating in?

Cheers,
Lars

On Fri, May 3, 2024 at 2:28 PM Arnout Engelen  wrote:
>
> Thanks for bringing this up! The topic of software (artifact)
> identification is indeed a tricky one. CPEs have long been the main
> contender, but are not great for the SBOM (and 'vulnerability scanning'
> based on SBOMs) use case because CPE allocations need to go through the NVD CPE
> team, and generally are only allocated when the project has its first CVE
> vulnerability advisory.
>
> Indeed purls seem like a promising candidate. The use of several 'purl
> types' and piggy-backing on existing popular distribution mechanisms help
> it scale.
>
> A possible limitation of having the different 'purl types' is that a single
> piece of software may have a name in different namespaces: if a
> vulnerability is found in Tomcat, should its advisory refer to
> "pkg:github/apache/tomcat", or "pkg:maven/org.apache.tomcat/tomcat", or a
> to-be-introduced "apache" or "asf" type? All of them? Should there be a
> database of "equivalences" or similar relationships between purls for the
> same software under different types?
>
> I've actually prototyped an approach for an 'asf' purl type based on an
> Apache identifier registry in
> https://lists.apache.org/thread/ddl2lnm2mbm0vm62yxlwyh3cbv47wyr7. However,
> that somewhat goes against the purl design where the purl can ideally be
> 'inferred from context' rather than explicitly 'defined'. For example for
> artifacts that are typically published to Maven Central, it currently
> doesn't seem to be the convention to use any other purl type: the CycloneDX
> Maven plugin pretty much hard-codes the 'maven' type (
> https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L147).
> Should we then not have an 'apache'/'asf' type at all? Or only for
> artifacts that cannot be described using any other type? Or for all
> artifacts, making an 'equivalences database' a mandatory part of any
> vulnerability scanner?
>
>
> Kind regards,
>
> Arnout
>
> On Mon, Apr 15, 2024 at 2:20 PM von Loewenstein, Jan
>  wrote:
>
> > Hi all,
> >
> > I recently started a discussion about pURLs as package identifier on the
> > Tomcat mailing list and it was brought up, that this might be a broader
> > topic to be discussed here.
> >
> > Best regards
> > Jan
> >
> > From: Thomas Hoffmann (Speed4Trade GmbH)
> > 
> > Date: Monday, 15. April 2024 at 13:14
> > To: Tomcat Users List 
> > Subject: AW: Package URLs for Apache Tomcat distributions
> >
> > > On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > > > Hi folks,
> > > >
> > > > I am part of the Paketo community, and we are providing Cloud Native
> > > Buildpacks to create container images with – amongst other technologies –
> > > Apache Tomcat and Apache TomEE as application runtimes.
> > > >
> > > > One of the features of Cloud Native Buildpacks is that images come with
> > > Software-Bill-of-Material. When installing Apache Tomcat, we issue the
> > > following CPE and pURL to the SBOM:
> > > >
> > > >1.  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > > >2.  pkg:generic/apache-tomcat@10.1.20
> > > >
> > > > The former should be the right one for users to find relevant CVEs in
> > > > e.g. the nvd.nist.gov. The latter however is made up and will likely
> > > > not lead to any findings on e.g.
> > > > https://osv.dev/
> > > >
> > > > Now I am wondering if you report Tomcat vulnerabilities under any pURL
> > and
> > > which one that would be.
> > >
> > > We don't.
> > >
> > > > There is a proposal <https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define> to
> > > introduce `pkg:apache` as a namespace, which would open 

Re: Package URLs for Apache Tomcat distributions

2024-05-03 Thread Arnout Engelen
Thanks for bringing this up! The topic of software (artifact)
identification is indeed a tricky one. CPEs have long been the main
contender, but are not great for the SBOM (and 'vulnerability scanning'
based on SBOMs) use case because CPE allocations need to go through the NVD CPE
team, and generally are only allocated when the project has its first CVE
vulnerability advisory.

Indeed purls seem like a promising candidate. The use of several 'purl
types' and piggy-backing on existing popular distribution mechanisms help
it scale.

A possible limitation of having the different 'purl types' is that a single
piece of software may have a name in different namespaces: if a
vulnerability is found in Tomcat, should its advisory refer to
"pkg:github/apache/tomcat", or "pkg:maven/org.apache.tomcat/tomcat", or a
to-be-introduced "apache" or "asf" type? All of them? Should there be a
database of "equivalences" or similar relationships between purls for the
same software under different types?

I've actually prototyped an approach for an 'asf' purl type based on an
Apache identifier registry in
https://lists.apache.org/thread/ddl2lnm2mbm0vm62yxlwyh3cbv47wyr7. However,
that somewhat goes against the purl design where the purl can ideally be
'inferred from context' rather than explicitly 'defined'. For example for
artifacts that are typically published to Maven Central, it currently
doesn't seem to be the convention to use any other purl type: the CycloneDX
Maven plugin pretty much hard-codes the 'maven' type (
https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/master/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java#L147).
Should we then not have an 'apache'/'asf' type at all? Or only for
artifacts that cannot be described using any other type? Or for all
artifacts, making an 'equivalences database' a mandatory part of any
vulnerability scanner?


Kind regards,

Arnout

On Mon, Apr 15, 2024 at 2:20 PM von Loewenstein, Jan
 wrote:

> Hi all,
>
> I recently started a discussion about pURLs as package identifier on the
> Tomcat mailing list and it was brought up, that this might be a broader
> topic to be discussed here.
>
> Best regards
> Jan
>
> From: Thomas Hoffmann (Speed4Trade GmbH)
> 
> Date: Monday, 15. April 2024 at 13:14
> To: Tomcat Users List 
> Subject: AW: Package URLs for Apache Tomcat distributions
>
> > On 11/04/2024 16:52, von Loewenstein, Jan wrote:
> > > Hi folks,
> > >
> > > I am part of the Paketo community, and we are providing Cloud Native
> > Buildpacks to create container images with – amongst other technologies –
> > Apache Tomcat and Apache TomEE as application runtimes.
> > >
> > > One of the features of Cloud Native Buildpacks is that images come with
> > Software-Bill-of-Material. When installing Apache Tomcat, we issue the
> > following CPE and pURL to the SBOM:
> > >
> > >1.  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
> > >2.  pkg:generic/apache-tomcat@10.1.20
> > >
> > > The former should be the right one for users to find relevant CVEs in
> > > e.g. the nvd.nist.gov. The latter however is made up and will likely
> > > not lead to any findings on e.g.
> > > https://osv.dev/
> > >
> > > Now I am wondering if you report Tomcat vulnerabilities under any pURL
> and
> > which one that would be.
> >
> > We don't.
> >
> > > There is a proposal <https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#other-candidate-types-to-define> to
> > introduce `pkg:apache` as a namespace, which would open up
> > `pkg:apache/tomcat@10.1.20` as a canonical pURL.
> >
> > That is a foundation wide decision and not one the Tomcat project can
> make
> > unilaterally. That is probably a topic for security-
> > disc...@community.apache.org where pURL has already been touched on this
> > thread:
> >
> 
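The "equivalences database" question above is easiest to see in code. The following is an added example of my own (not CycloneDX's converter, not the Paketo buildpack, and not anything the Tomcat project publishes): a minimal purl and CPE 2.3 reader plus the kind of hand-maintained equivalence table a scanner would need to recognise that pkg:maven/org.apache.tomcat/tomcat, pkg:github/apache/tomcat, pkg:generic/apache-tomcat and cpe:2.3:a:apache:tomcat all name the same software. The table contents, the matching rule and the class names are assumptions; qualifiers, subpaths and percent-decoding are deliberately ignored. Requires Java 16 or later for records.

```java
// Added example: normalise purl / CPE identifiers and match them through an equivalence table.
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

public final class PackageIdentity {

    /** pkg:type/namespace/name@version?qualifiers#subpath, keeping only the parts matched on. */
    public record Purl(String type, String namespace, String name, String version) {
        public static Purl parse(String s) {
            if (!s.startsWith("pkg:")) throw new IllegalArgumentException("not a purl: " + s);
            String rest = s.substring(4);
            int hash = rest.indexOf('#');
            if (hash >= 0) rest = rest.substring(0, hash);        // drop subpath
            int q = rest.indexOf('?');
            if (q >= 0) rest = rest.substring(0, q);              // drop qualifiers
            String version = null;
            int at = rest.lastIndexOf('@');
            if (at >= 0) { version = rest.substring(at + 1); rest = rest.substring(0, at); }
            String[] parts = rest.replaceFirst("^/+", "").split("/");
            if (parts.length < 2 || parts[0].isEmpty()) {
                throw new IllegalArgumentException("purl needs a type and a name: " + s);
            }
            String type = parts[0].toLowerCase(Locale.ROOT);     // type is case-insensitive
            String name = parts[parts.length - 1];
            String ns = parts.length > 2
                    ? String.join("/", Arrays.copyOfRange(parts, 1, parts.length - 1)) : null;
            return new Purl(type, ns, name, version);
        }

        /** Version-less identity, the key an equivalence table is written against. */
        public String coordinates() {
            return type + "/" + (namespace == null ? "" : namespace) + "/" + name;
        }
    }

    /** cpe:2.3:part:vendor:product:version:... (only the fields matched on). */
    public record Cpe(String vendor, String product, String version) {
        public static Cpe parse(String s) {
            String[] f = s.split(":", -1);
            if (f.length < 6 || !f[0].equals("cpe") || !f[1].equals("2.3")) {
                throw new IllegalArgumentException("not a CPE 2.3 string: " + s);
            }
            return new Cpe(f[3], f[4], f[5]);
        }
    }

    // The equivalence table: "vendor/product" -> purl coordinates that denote that software.
    // Assumed content, hand-maintained; real scanners would need this for every project.
    private static final Map<String, Set<String>> EQUIVALENT = Map.of(
            "apache/tomcat", Set.of("maven/org.apache.tomcat/tomcat",
                                    "github/apache/tomcat",
                                    "generic//apache-tomcat"));

    /** Product key for a purl or CPE, or empty when the table has no entry for that spelling. */
    public static Optional<String> productKey(String id) {
        if (id.startsWith("cpe:")) {
            Cpe c = Cpe.parse(id);
            String key = c.vendor() + "/" + c.product();
            return EQUIVALENT.containsKey(key) ? Optional.of(key) : Optional.empty();
        }
        String coord = Purl.parse(id).coordinates();
        return EQUIVALENT.entrySet().stream()
                .filter(e -> e.getValue().contains(coord))
                .map(Map.Entry::getKey)
                .findFirst();
    }

    public static String version(String id) {
        return id.startsWith("cpe:") ? Cpe.parse(id).version() : Purl.parse(id).version();
    }

    /** True when both identifiers denote the same software at the same version. */
    public static boolean sameArtifact(String a, String b) {
        Optional<String> ka = productKey(a);
        return ka.isPresent() && ka.equals(productKey(b)) && Objects.equals(version(a), version(b));
    }

    public static void main(String[] args) {
        String sbomPurl = "pkg:generic/apache-tomcat@10.1.20";          // what the buildpack emits today
        String sbomCpe = "cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*";
        String advisory = "pkg:maven/org.apache.tomcat/tomcat@10.1.20"; // an id an advisory might carry
        System.out.println(sameArtifact(sbomCpe, advisory));            // true
        System.out.println(sameArtifact(sbomPurl, advisory));           // true, only because of the table
        System.out.println(sameArtifact("pkg:generic/tomcat@10.1.20", advisory)); // false: unknown spelling
    }
}
```

The third call in main is the point of the discussion: a made-up generic purl matches nothing unless somebody has recorded it as equivalent, so an SBOM consumer silently misses the advisory. Two caveats the code makes visible: version matching here is plain string equality, which works for Tomcat because its Maven artefacts carry the distribution version, but not for every project; and a match against the maven coordinates says nothing about files such as catalina.sh that are not in the Maven artefacts at all, which is exactly the gap raised in the reply above.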

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Michael Osipov
On 2024/05/02 19:20:59 Tom Delaney wrote:
> Hi All,
> 
> Sorry for the duplicate requests. The first one was accidentally flagged
> for Google's new Confidential Mode which happened to be flagged.
> I have a red hat 9.2 server hosting a web application on a single instance
> of Apache Tomcat. This instance is behind an apache HTTP server on version
> 2.4.57. The application is hosted on Tomcat 9.0.54.
> 
> Domain: subdomain.domain.com
> Site: devexample.domain.com
> 
> URL hit: https://example.subdomain.domain.com/webclient/
> exclient.jsp
> 
> *I keep getting this in the Tomcat Logs when accessing the application:*
> *>>> Constrained deleg from GSSCaller{UNKNOWN}*

You should first try to describe what you are trying to achieve and not what 
the debug output is. The debug message comes from: 
https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
 The message is obviously caused by this call: 
https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263

S4U is tried, but not configured for that account. Totally fine.

BTW: The filter you use isn't from us.

M

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney
Hi All,

Sorry for the duplicate requests. The first one was accidentally flagged
for Google's new Confidential Mode which happened to be flagged.
I have a red hat 9.2 server hosting a web application on a single instance
of Apache Tomcat. This instance is behind an apache HTTP server on version
2.4.57. The application is hosted on Tomcat 9.0.54.

Domain: subdomain.domain.com
Site: devexample.domain.com

URL hit: https://example.subdomain.domain.com/webclient/
exclient.jsp

*I keep getting this in the Tomcat Logs when accessing the application:*
*>>> Constrained deleg from GSSCaller{UNKNOWN}*

*The site outputs: No Delegated Creds*

==> /usr/local/tomcat.base1/logs/catalina.out <==
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 07 9c 30 82 07 98
a0 30 30 2e 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02
02 06 0a 2b 06 01 04 01 82 37 02 02 1e 06 0a 2b 06 01 04 01 82 37 02 02 0a
a2 82 07 62 04 82 07 5e 60 82 07 5a 06 09 2a 86 48 86 f7 12 01 02 02 01 00
6e 82 07 49 30 82 07 45 a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00
00 00 a3 82 05 5c 61 82 05 58 30 82 05 54 a0 03 02 01 05 a1 15 1b 13 46 55
54 55 52 45 54 45 43 48 2e 46 54 45 49 2e 43 4f 4d a2 2a 30 28 a0 03 02 01
02 a1 21 30 1f 1b 04 48 54 54 50 1b 17 73 32 6b 2e 66 75 74 75 72 65 74 65
63 68 2e 66 74 65 69 2e 63 6f 6d a3 82 05 08 30 82 05 04 a0 03 02 01 12 a1
03 02 01 08 a2 82 04 f6 04 82 04 f2 6f c8 bd c5 94 ec a6 05 e6 36 6e 51 f4
ef c5 06 64 3d ba b8 01 c0 f3 0b 61 7f da 55 bc ba ae 8b dd d1 d0 f8 f0 b1
be 99 36 ae 6b 60 c2 31 88 af 4e f2 de a4 ce 6e e7 56 58 62 15 76 fc 41 e9
38 99 bc 3c 83 5a d7 b3 41 fa 65 0e 14 ae 6e f8 ea 23 3a d4 d8 61 37 bf 22
db 0f 48 e1 31 42 59 e9 08 55 cd 6f 50 fc 8e f7 11 76 3a 7f 69 a4 1e 3d 36
9d c8 98 00 e1 43 d0 fc cd 66 97 4a ac 41 d9 76 a4 a1 31 c8 df 11 10 dc f8
74 c4 56 1e cc f9 bc 72 41 e4 ab d6 d4 a0 79 1d 47 4a d0 61 f5 9b 72 9d fb
8a 9a 6b ec 7e d4 72 45 67 66 ff 35 3c b0 42 c1 07 38 c1 4c 90 77 c3 d8 98
64 04 fa 29 d1 37 aa be 32 03 43 5c 1e 31 ce c0 dc 42 1d 51 8f d9 bb 53 35
3c 85 42 ba e9 84 e5 c6 bd b2 e0 1b cb b0 79 00 39 4d b2 71 9d 8d 4a d9 03
35 38 d0 2c f0 1c 2b 61 29 b4 9e 73 15 f2 8a 94 cd 2a ff 61 09 0d 9f 91 2f
3f af d3 99 da 67 1e e0 14 01 fe 60 24 23 40 a0 17 b3 6f 8d 22 19 a7 59 4b
1b b3 86 94 4a 2b 55 e0 b8 77 84 19 fe 25 34 ca 7e 08 a9 f1 39 87 5c f8 bb
33 53 aa 21 48 53 f6 dc 33 39 77 87 cc 20 8b a9 33 d4 bd c6 43 17 a3 0b 0b
bd fd b3 02 a8 32 ad ee c3 35 4d 89 0a 33 de 04 7a 0a cb 6b 6d dc db dd 4f
65 23 4a 1d ba af eb 33 4a 9a e0 87 c3 14 44 bf 6a 1c 5d a3 9c 8b 32 fc e7
e1 ad df 67 cf 49 2e 18 f7 f7 1c de e1 60 6d d0 e9 47 33 d2 19 a4 6c da 49
03 d8 b5 d9 0f 1e d3 81 1b 51 f5 d7 56 a0 f7 48 fa aa 9a ba f6 11 6c c9 64
43 77 8e d6 fe 5d 56 d4 77 34 c0 28 db 22 23 5b 52 97 10 5d 42 ed 67 ad 01
75 a3 ac fe da a4 e6 46 7d c1 b7 3a 8a 07 87 fb 79 3a a1 c0 79 c4 35 7a 2a
53 2d 8f 88 8a 85 73 c4 8e 12 34 1d c4 d9 f6 10 f5 ce f5 9e 35 2f 12 fd 00
84 d4 9e 8c 39 8c 5b ee bd 79 8a 1b f1 7b af 41 3e ec 57 71 2b a7 8c 47 7c
fe ff 88 ff f9 b4 e1 86 0b 6f 05 5b 58 36 d9 85 d8 6c 18 77 de b2 d4 16 91
d5 74 d2 8a 45 bd 4a c7 a1 99 1b bd f2 9a d3 53 2d 6b 45 47 9b e0 31 80 d7
63 b4 f1 c7 a9 64 6d 68 45 56 14 85 02 16 26 df 64 47 77 5e 35 13 55 10 a3
f5 70 3d 9c 4a c7 9f c8 a5 65 e1 63 ed 20 49 39 65 a0 ce 2a d8 c3 f0 06 7f
b1 df 89 f8 29 b5 21 90 ae 32 8a 1e d4 f5 d6 38 87 5b 5a e6 2f c3 ab c1 ed
cb 22 ca 1d 80 29 c6 c7 c4 c1 df b3 e8 02 9f b2 eb ec 49 d3 e6 90 2a b2 05
24 8b e5 ac 73 94 ba 9d 9f 6e 7b 4b fb 66 ae 73 27 30 0d 32 9d a8 07 63 4b
fa 53 44 9e 29 ae ec 7f 15 16 82 12 18 7a a4 31 90 0f 43 3c b1 c7 7f 66 4d
e1 3d 6e b6 c1 13 23 a5 6b 56 09 dd a5 df 27 4e fd 4c ec 93 48 2b d5 b0 d4
91 87 39 e9 e9 53 b9 84 7a 64 f3 e7 11 02 ba b3 7d 7a 92 86 82 c9 bd 48 03
dc cc 60 a1 ad 5f 15 96 a8 88 79 92 1c c5 6a 33 1e c4 0b 5e 3a 12 36 fd bb
d9 c7 dd 77 56 73 ae e6 d5 d9 7d b5 a3 66 75 8a 51 9b 65 ff e3 42 c3 8f dd
5a bf 65 33 96 d2 81 75 ff c4 0c 41 91 10 83 ea 78 f8 1e 3c 65 ab 42 ba 19
57 a5 a7 6d ba 3e 3a f3 01 67 eb 60 7d 5a 30 94 e7 60 9a bd 16 47 f6 21 d2
68 c1 63 30 f5 3b 4e f6 1c fe 99 a1 ea c1 c2 8b 17 b6 bb b3 13 20 73 69 99
9b fb d6 8c d4 21 90 b7 b1 dd 30 5d f2 7b 56 59 ea aa 7e ec b8 62 a3 32 c3
c0 40 4e 88 f9 95 54 85 17 83 06 1a 37 8c f4 21 07 d5 44 c2 ed 3c 8a 76 58
2b 73 2f 0d 7e 57 3c 2d 72 b8 03 e6 46 fa 80 8e 3e 45 93 65 6a 59 77 b4 b0
d2 20 95 1d fd 95 fb e5 e0 b0 40 91 e1 16 b9 4d 9c 4e bc c8 97 15 f2 9c e8
0a fa a4 14 27 42 ad da 03 54 72 c3 f2 b4 5b 69 ce 14 68 ed fe 20 67 3f ad
95 f6 05 4f 30 e3 62 ae a9 eb 46 7e 54 31 47 9e 08 e8 90 54 17 19 80 73 99
6d a6 c2 f3 47 b2 59 84 18 24 fb a0 60 ec ec cf ce 6a f6 3c 9d 99 53 34 c9
de e2 96 00 76 51 9e a3 fa 4d 3f fd 28 69 02 ce 9d 4e 7e 18 5b 22 58 cb 21
24 63 fd 05 0a 1c d7 ff f9 d8 15 3a f4 d5 33 59 00 7e 84 43 87 27 ab 05 b3
d9 5d ba 6b 39 4f 80 f3 47 7d eb 98 44 f7 46 24 f9 a5 00 df 47 

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney

Tom Delaney has sent you an email via Gmail confidential mode:



Re: missing headers

2024-05-02 Thread Mark Thomas

On 02/05/2024 06:15, Piyush Sharma wrote:

Hi,

How to forward custom headers from frontend tomcat to backend tomcat with
mod_jk?


When using mod_jk the front end is always httpd, not Tomcat.

You don't need to do anything. mod_jk passes all the http headers it 
receives.



*Scenario :*

1. APP1 : Apache (mod_jk) + Tomcat
2. APP2 : Apache (mod_jk) + Tomcat

Now, when a user accesses APP1 it adds a few headers via SSO app user details
etc..
I can see in Tomcat logs as by adding filters. Now when the request goes to
APP2 (backend Tomcat via Apache), it drops those custom headers.


That sounds like a client issue. Client sends request to app1 and 
receives some custom headers. If you want those headers sent to app2 
then that is a client issue, not a Tomcat issue.



I came to
know that *mod_jk does not use the http protocol to talk to the tomcat
server.* Is there any way to forward all the custom headers from frontend
application to backend applications.


This already happens.


https://stackoverflow.com/questions/18998715/http-response-header-not-coming-with-apache-tomcat-connection-using-mod-jk


There is a fair amount of nonsense in both the question and some of the 
responses.


It would be a lot easier to help you if you provided a lot more 
information. For example:


- httpd version
- tomcat version
- mod_jk version
- httpd configuration
- tomcat configuration
- mod_jk configuration
- sample request as sent by the client
- sample request as received by Tomcat
- sample response as sent by Tomcat
- sample response as received by the client
- the previous 4 to be provided both by going via the reverse proxy and
  by going directly to Tomcat

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



missing headers

2024-05-01 Thread Piyush Sharma
Hi,

How to forward custom headers from frontend tomcat to backend tomcat with
mod_jk?

*Scenario :*

1. APP1 : Apache (mod_jk) + Tomcat
2. APP2 : Apache (mod_jk) + Tomcat

Now, when a user accesses APP1 it adds a few headers via SSO app user details
etc..
I can see in Tomcat logs as by adding filters. Now when the request goes to
APP2 (backend Tomcat via Apache), it drops those custom headers. I came to
know that *mod_jk does not use the http protocol to talk to the tomcat
server.* Is there any way to forward all the custom headers from frontend
application to backend applications.

https://stackoverflow.com/questions/18998715/http-response-header-not-coming-with-apache-tomcat-connection-using-mod-jk


Thanks


SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-01 Thread Tom Delaney

Tom Delaney has sent you an email via Gmail confidential mode:



Re: Monitoring and Tuning Tomcat

2024-05-01 Thread Christopher Schultz

Mark and Jerry,

On 5/1/24 04:00, Mark Thomas wrote:

On 30/04/2024 21:24, Jerry Malcolm wrote:
I'm trying to optimize my instance, CPU, tuning, and size requirements 
for Tomcat.  It's easy to see CPU usage.  But this TC instance is 
running a lot of microservices that are often in and out fairly 
quickly.  So there can be a huge number of requests coming in.  I'm 
not sure that CPU starving is my biggest concern. I'm more interested 
in getting an understanding of TC front end bottlenecks and also JDBC 
data connection bottlenecks.   So I need a bit of education.   Am I 
correct that maxThreads on the connector throttles the number of 
requests that can come in at one time?


Not quite.

maxThreads is the maximum number of concurrent requests that Tomcat can 
process. This excludes:

- connections in keep-alive
- requests that have entered async mode and have exited the original
   container thread
This includes:
- multiple requests received on a single HTTP/2 connection

The maximum number of connections is controlled by maxConnections.

And connectionTimeout is the time to wait to get in the door if 
threads are maxed out before giving up and failing, correct?


No. It is the maximum time Tomcat will wait from the point the 
connection is accepted to reading the first byte of data.


I'd really like to track total threads in use and then track wait time 
if total threads are maxed out.  Likewise, with database connections.


You can track the status of the thread pool but wait time isn't 
available as Tomcat has no visibility into the accept queue (see 
acceptCount). Your OS might provide some stats here.


  I'd like to monitor the jdbc connection pool as well and see when 
and where the code is having to wait for a db connection and how long 
the average wait is.  I assume there are jms hooks to monitor this?


Correct. You probably want the stats from the o.a.t.u.dbcp.pool2.impl 
package.


But I don't want to reinvent the wheel.  Are there tools out there to 
assist with this already? Thx


Generally, I start with a profiler when looking at questions like this. 
I use YourKit because they given me a free copy to use for Tomcat 
development but there are lots of different profilers available.


There are some good places to look in this monitoring presentation from 
ApacheCon:


https://tomcat.apache.org/presentations.html#latest-monitoring-with-jmx

It's easy to set up periodic monitoring of those various values and then 
use your tool of choice to graph, investigate, etc. how those values 
change over time and possibly correlate.


Tomcat is unlikely to be the bottleneck in any of these cases. You are 
likely to find that your database is the limiting factor. On the other 
hand, if your database is beefy but your JDBC connection pool is limited 
to 10 connections and you have a lot of concurrency, then your database 
is probably sitting idle while your application server has lots of 
waiting requests.


Just be careful about ramping things up on the database side. Not all 
database queries are equal ;)


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Monitoring and Tuning Tomcat

2024-05-01 Thread Mark Thomas

On 30/04/2024 21:24, Jerry Malcolm wrote:
> I'm trying to optimize my instance, CPU, tuning, and size requirements
> for Tomcat. It's easy to see CPU usage. But this TC instance is
> running a lot of microservices that are often in and out fairly
> quickly. So there can be a huge number of requests coming in. I'm not
> sure that CPU starving is my biggest concern. I'm more interested in
> getting an understanding of TC front end bottlenecks and also JDBC data
> connection bottlenecks. So I need a bit of education. Am I correct
> that maxThreads on the connector throttles the number of requests that
> can come in at one time?

Not quite.

maxThreads is the maximum number of concurrent requests that Tomcat can
process. This excludes:

- connections in keep-alive
- requests that have entered async mode and have exited the original
  container thread

This includes:

- multiple requests received on a single HTTP/2 connection

The maximum number of connections is controlled by maxConnections.

> And connectionTimeout is the time to wait to
> get in the door if threads are maxed out before giving up and failing,
> correct?

No. It is the maximum time Tomcat will wait from the point the
connection is accepted to reading the first byte of data.

> I'd really like to track total threads in use and then track
> wait time if total threads are maxed out. Likewise, with database
> connections.

You can track the status of the thread pool but wait time isn't
available as Tomcat has no visibility into the accept queue (see
acceptCount). Your OS might provide some stats here.

> I'd like to monitor the jdbc connection pool as well and
> see when and where the code is having to wait for a db connection and
> how long the average wait is. I assume there are jms hooks to monitor
> this?

Correct. You probably want the stats from the o.a.t.u.dbcp.pool2.impl
package.

> But I don't want to reinvent the wheel. Are there tools out there
> to assist with this already? Thx

Generally, I start with a profiler when looking at questions like this.
I use YourKit because they gave me a free copy to use for Tomcat
development but there are lots of different profilers available.


Mark

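
An added example (not from this thread or the Tomcat project) of pulling the pool figures Mark and Chris point to without a profiler: it parses the plain-text output of the Manager app's JMXProxyServlet for a `Catalina:type=ThreadPool` and a `Catalina:type=DataSource` query and flags pools at or above a utilization threshold. The sample output is constructed; the attribute names are the ones the Tomcat MBeans expose, but compare them with the jmxproxy output of your own instance before relying on them.

```python
"""Parse Tomcat JMXProxyServlet output and flag saturated pools.

Added example for this thread; not code from the Tomcat project.
Assumes the plain-text format of the Manager app's JMXProxyServlet
(/manager/jmxproxy/?qry=Catalina:type=ThreadPool,name=*): one block per
MBean, each starting with "Name: <ObjectName>" followed by "attr: value"
lines. The SAMPLE text below is constructed, not captured from a server.
"""
import re
from dataclasses import dataclass

# Constructed sample: one NIO connector and one DBCP2 pool, both nearly full.
SAMPLE = """OK - Number of results: 2

Name: Catalina:type=ThreadPool,name="http-nio-8443"
modelerType: org.apache.tomcat.util.modeler.BaseModelMBean
currentThreadCount: 150
currentThreadsBusy: 148
maxThreads: 150
connectionCount: 812
maxConnections: 8192

Name: Catalina:type=DataSource,host=localhost,context=/towl,class=javax.sql.DataSource,name="jdbc/app"
modelerType: org.apache.tomcat.dbcp.dbcp2.BasicDataSource
numActive: 10
numIdle: 0
maxTotal: 10
maxWaitMillis: 5000
"""

NAME_RE = re.compile(r"^Name:\s*(.+)$")
INT_RE = re.compile(r"-?\d+")


def parse_jmxproxy(text):
    """Return {ObjectName: {attribute: value}}; integer values become int."""
    beans = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = {}
            beans[m.group(1).strip()] = current
            continue
        if current is None or ":" not in line:
            continue  # "OK - ..." status line or blank separator
        key, _, value = line.partition(":")
        value = value.strip()
        current[key.strip()] = int(value) if INT_RE.fullmatch(value) else value
    return beans


@dataclass
class PoolStatus:
    name: str
    used: int
    limit: int
    saturated: bool
    note: str


def check_pools(beans, threshold=0.9):
    """Flag thread pools and DBCP pools at or above `threshold` utilization."""
    results = []
    for name, attrs in beans.items():
        if "type=ThreadPool" in name:
            # maxThreads bounds concurrent request processing; open connections
            # are bounded separately by maxConnections, as Mark explains above.
            busy, limit = attrs["currentThreadsBusy"], attrs["maxThreads"]
            note = f"{attrs.get('connectionCount', '?')}/{attrs.get('maxConnections', '?')} connections"
            results.append(PoolStatus(name, busy, limit, busy >= threshold * limit, note))
        elif "type=DataSource" in name:
            # numActive == maxTotal with numIdle == 0 means borrowers now block
            # for up to maxWaitMillis: the JDBC wait Jerry wants to see.
            active, limit = attrs["numActive"], attrs["maxTotal"]
            note = f"{attrs.get('numIdle', '?')} idle, maxWaitMillis={attrs.get('maxWaitMillis', '?')}"
            results.append(PoolStatus(name, active, limit, active >= threshold * limit, note))
    return results


if __name__ == "__main__":
    for status in check_pools(parse_jmxproxy(SAMPLE)):
        flag = "SATURATED" if status.saturated else "ok"
        print(f"{flag:9} {status.used}/{status.limit} {status.name} ({status.note})")
```

Polling this periodically and graphing `used/limit` per pool is the cheap version of the JMX monitoring Chris links to; a thread pool that sits near maxThreads while the data source sits at maxTotal with zero idle is the "database pool too small" pattern he describes.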



Re: Disabling OPTIONS HTTP method with * path

2024-05-01 Thread Mark Thomas

On 30/04/2024 19:56, Oleg Frenkel wrote:
> This issue exists in 9.0.88 and 10.1.23.
>
> I am looking to disable the following HTTP request (note 'OPTIONS *' in the
> request):

Why?

> Please confirm if this is a bug in Tomcat or if I am missing something in
> Tomcat configuration.

Neither. Tomcat is working as designed.

Mark




Monitoring and Tuning Tomcat

2024-04-30 Thread Jerry Malcolm
I'm trying to optimize my instance, CPU, tuning, and size requirements 
for Tomcat.  It's easy to see CPU usage.  But this TC instance is 
running a lot of microservices that are often in and out fairly 
quickly.  So there can be a huge number of requests coming in.  I'm not 
sure that CPU starving is my biggest concern. I'm more interested in 
getting an understanding of TC front end bottlenecks and also JDBC data 
connection bottlenecks.   So I need a bit of education.   Am I correct 
that maxThreads on the connector throttles the number of requests that 
can come in at one time?  And connectionTimeout is the time to wait to 
get in the door if threads are maxed out before giving up and failing, 
correct?  I'd really like to track total threads in use and then track 
wait time if total threads are maxed out.  Likewise, with database 
connections.  I'd like to monitor the jdbc connection pool as well and 
see when and where the code is having to wait for a db connection and 
how long the average wait is.  I assume there are jms hooks to monitor 
this? But I don't want to reinvent the wheel.  Are there tools out there 
to assist with this already? Thx






Re: [EXTERNAL] Disabling OPTIONS HTTP method with * path

2024-04-30 Thread Joey Cochran
From: Oleg Frenkel
Sent: Tuesday, April 30, 2024 1:56 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL] Disabling OPTIONS HTTP method with * path

> This issue exists in 9.0.88 and 10.1.23.
>
> I am looking to disable the following HTTP request (note 'OPTIONS *' in the
> request):
>
> $ curl -v --request-target "*" -X OPTIONS
> http://:
> * Rebuilt URL to: :/
> *   Trying ...
> * TCP_NODELAY set
> * Connected to  () port  (#0)
> > OPTIONS * HTTP/1.1
> > Host: :
> > User-Agent: curl/7.61.1
> > Accept: */*
>
> I don't seem to be able to disable this OPTIONS request in Tomcat.

Perhaps a CorsFilter setup can help ?

> The following configuration doesn't work either:
>
> Available HTTP
> methods
> /*
> GET
> POST
>
> The above section properly disables OPTIONS request to '/' path, but not to '*'
> path. In fact, the Tomcat response is that all methods are allowed:
>
> $ curl -v --request-target "*" -X OPTIONS
> http://:
> * Rebuilt URL to: http://:/
>   % Total% Received % Xferd  Average Speed   TimeTime Time  Current
>  Dload  Upload   Total   SpentLeft  Speed
>   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0*
>   Trying ...
> * TCP_NODELAY set
> * Connected to  () port  (#0)
> > OPTIONS * HTTP/1.1
> > Host: :
> > User-Agent: curl/7.61.1
> > Accept: */*
> >
> < HTTP/1.1 200
> < Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
> < Content-Length: 0
> < Date: Tue, 30 Apr 2024 18:49:07 GMT
> <
>   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
> * Connection #0 to host  left intact
>
> Note that it is impossible to put '*' as URL pattern - Tomcat fails to start
> complaining that '*' is not a valid url pattern.
>
> Please confirm if this is a bug in Tomcat or if I am missing something in
> Tomcat configuration.
>
> Thanks,
> Oleg Frenkel
> SS Technologies Inc
> Lead Software Engineer
> ofren...@sscinc.com |
> www.ssctech.com



Disabling OPTIONS HTTP method with * path

2024-04-30 Thread Oleg Frenkel
This issue exists in 9.0.88 and 10.1.23.

I am looking to disable the following HTTP request (note 'OPTIONS *' in the 
request):

$ curl -v --request-target "*" -X OPTIONS 
http://:
* Rebuilt URL to: :/
*   Trying ...
* TCP_NODELAY set
* Connected to  () port  (#0)
> OPTIONS * HTTP/1.1
> Host: :
> User-Agent: curl/7.61.1
> Accept: */*

I don't seem to be able to disable this OPTIONS request in Tomcat.

The following configuration doesn't work either:






Available HTTP 
methods
/*
GET
POST



The above section properly disables OPTIONS request to '/' path, but not to '*' 
path. In fact, the Tomcat response is that all methods are allowed:

$ curl -v --request-target "*" -X OPTIONS 
http://:
* Rebuilt URL to: http://:/
  % Total% Received % Xferd  Average Speed   TimeTime Time  Current
 Dload  Upload   Total   SpentLeft  Speed
  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0* 
  Trying ...
* TCP_NODELAY set
* Connected to  () port  (#0)
> OPTIONS * HTTP/1.1
> Host: :
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
< Content-Length: 0
< Date: Tue, 30 Apr 2024 18:49:07 GMT
<
  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host  left intact

Note that it is impossible to put '*' as URL pattern - Tomcat fails to start 
complaining that '*' is not a valid url pattern.

Please confirm if this is a bug in Tomcat or if I am missing something in 
Tomcat configuration.

Thanks,
Oleg Frenkel
SS Technologies Inc
Lead Software Engineer
ofren...@sscinc.com | 
www.ssctech.com



Re: Regarding Tomcat url redirection

2024-04-30 Thread Christopher Schultz

Lavanya,

On 4/30/24 07:10, lavanya tech wrote:
> Can you tell me how to do the below ? How should I set up Tomcat in
> server.xml ?
>
>> If you want to use port 443 (the default port for HTTPS) then you will
>> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
>> or arrange to have port 443 routed to port 8443. You may need additional
>> configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
>> generate URLs with ":8443" in them.
>
> Looking forward to your reply.

If Tomcat is listening on port 8443 then you will need to include that 
in your URL, period. If you want to allow URLs without a port number, 
you will have to arrange to have something listening on port 443.


On Windows, Tomcat can listen directly on port 443. On UNIX and 
UNIX-like systems, you won't be able to do this without running Tomcat 
as root WHICH YOU ABSOLUTELY SHOULD NOT DO.


There are other ways to get port 443 working, but I'll need to know more 
about your environment. The port issue is "easier" than figuring out 
whatever is going on with your DNS, aliases, etc. so I would recommend 
we fix one thing at a time.


-chris


On Mon, Apr 29, 2024 at 2:03 PM lavanya tech 
wrote:


Hi Chris,

There is no issues with browser, because I tested with different browsers
and it all works fine. I am sure that there is no issue with the
certificate.
  Because I was able to establish successful connections with port 8443, it
just doesnot work with out port

  curl  https://example.lbg.com/towl
curl: (56) Received HTTP code 504 from proxy after CONNECT
curl: (56) Received HTTP code 504 from proxy after CONNECT


If you want to use port 443 (the default port for HTTPS) then you will
need to change Tomcat to bind to port 443 (if that's allowed on your OS)
or arrange to have port 443 routed to port 8443. You may need additional
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
generate URLs with ":8443" in them.



should i use connect port like the above ?  But you mentioned before we
dont need any configuration changes. Please clarify I am not able to figure
this out and I have this issue many days pending. How to make it work with
port 8443 and with out port

Also I wanted to use weburl with alias name permanently instead of the
hostname. How can I achieve both

Thanks,
Lavanya


   -->


On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/25/24 07:24, lavanya tech wrote:

Hi Chris,

One question / doubt:

As I mentioned earlier, the below URLS already working in the browser

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl -> redirect ( which means when I

hit in

browser) it points to https://server.lbg.com:8443/towl ---> To be

frank,

even I donot need redirect here, not sure why it redirects.

My question is why its working even though SAN is not registered with

the

certificate ? It doesnot even throw warning in the browser.


I'm not sure. Is it possible you have dismissed this error in the past
and the browser is remembering that? Try this with a different web
browser or maybe with curl from the command-line to see what happens.


Why https://server.lbg.com/towl or https://example.lbg.com/towl -->

How it

should work with New SAN certificate ?


You don't need to worry about the port number or application name, only
the hostname is a part of the SAN.

-chris


On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
Hi Chris,


Thanks I will request new certificate with SANs and I will try to fix

the

things from our end.

Best Regards,
Lavanya

On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 15:39, lavanya tech wrote:

Local host means the machine i am logged in to server.lbg.com

You are right, example.lbg.com is CNAME record.


Okay, thanks for clearing that up.


I dont have any SAN configured for the certificate. The certificate

is

requested for only server.lbg.com


You will never be able to make a secure request to anything other than
server.lbg.com without seeing an error. I highly recommend adding the
other hostname as a SAN to your certificate if you really want to
support this.

Even if you wanted https://example.lbg.com/whatever to return an HTTP
302 redirect to https://server.lbg.com/whatever, the user would see a
certificate hostname mismatch error which is ugly. It's best to make

it

work without users seeing ugly things.


So if i just request new certificate with SAN it should work ? If

yes, I

will request for it and follow your steps as below suggested.


Yes, it should.


Should i use CName record or DNS? Does it make difference?


CNAME *is* DNS.

Whenever possible, use hostnames and not IP addresses as SANs. It's

more

flexible that way, and users get to see hostnames instead of IP

addresses.


-chris


On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 07:37, lavanya 

Re: Regarding Tomcat url redirection

2024-04-30 Thread lavanya tech
Hi Chris,

Can you tell me how to do the below ? How should I set up Tomcat in
server.xml ?


If you want to use port 443 (the default port for HTTPS) then you will
need to change Tomcat to bind to port 443 (if that's allowed on your OS)
or arrange to have port 443 routed to port 8443. You may need additional
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
generate URLs with ":8443" in them.

Looking forward to your reply.

Thanks,
Lavanya

On Mon, Apr 29, 2024 at 2:03 PM lavanya tech 
wrote:

> Hi Chris,
>
> There is no issues with browser, because I tested with different browsers
> and it all works fine. I am sure that there is no issue with the
> certificate.
>  Because I was able to establish successful connections with port 8443, it
> just doesnot work with out port
>
>  curl  https://example.lbg.com/towl
> curl: (56) Received HTTP code 504 from proxy after CONNECT
> curl: (56) Received HTTP code 504 from proxy after CONNECT
>
>
> If you want to use port 443 (the default port for HTTPS) then you will
> need to change Tomcat to bind to port 443 (if that's allowed on your OS)
> or arrange to have port 443 routed to port 8443. You may need additional
> configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
> generate URLs with ":8443" in them.
>
> connectionTimeout="2"
>redirectPort="8443"
>maxThreads="150"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="path_to_your_keystore_file"
>keystorePass="your_keystore_password"
>keystoreType="PKCS12"
>clientAuth="false" sslProtocol="TLS"
>proxyPort="443"/>
>
> should i use connect port like the above ?  But you mentioned before we
> dont need any configuration changes. Please clarify I am not able to figure
> this out and I have this issue many days pending. How to make it work with
> port 8443 and with out port
>
> Also I wanted to use weburl with alias name permanently instead of the
> hostname. How can I achieve both
>
> Thanks,
> Lavanya
>
>
>   -->
>
>
> On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Lavanya,
>>
>> On 4/25/24 07:24, lavanya tech wrote:
>> > Hi Chris,
>> >
>> > One question / doubt:
>> >
>> > As I mentioned earlier, the below URLS already working in the browser
>> >> https://server.lbg.com:8443/towl
>> >> https://example.lbg.com:8443/towl -> redirect ( which means when I
>> hit in
>> > browser) it points to https://server.lbg.com:8443/towl ---> To be
>> frank,
>> > even I donot need redirect here, not sure why it redirects.
>> >
>> > My question is why its working even though SAN is not registered with
>> the
>> > certificate ? It doesnot even throw warning in the browser.
>>
>> I'm not sure. Is it possible you have dismissed this error in the past
>> and the browser is remembering that? Try this with a different web
>> browser or maybe with curl from the command-line to see what happens.
>>
>> > Why https://server.lbg.com/towl or https://example.lbg.com/towl -->
>> How it
>> > should work with New SAN certificate ?
>>
>> You don't need to worry about the port number or application name, only
>> the hostname is a part of the SAN.
>>
>> -chris
>>
>> > On Thu, Apr 25, 2024 at 10:16 AM lavanya tech > >
>> > wrote:
>> >
>> >> Hi Chris,
>> >>
>> >>
>> >> Thanks I will request new certificate with SANs and I will try to fix
>> the
>> >> things from our end.
>> >>
>> >> Best Regards,
>> >> Lavanya
>> >>
>> >> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
>> >> ch...@christopherschultz.net> wrote:
>> >>
>> >>> Lavanya,
>> >>>
>> >>> On 4/24/24 15:39, lavanya tech wrote:
>>  Local host means the machine i am logged in to server.lbg.com
>> 
>>  You are right, example.lbg.com is CNAME record.
>> >>>
>> >>> Okay, thanks for clearing that up.
>> >>>
>>  I dont have any SAN configured for the certificate. The certificate
>> is
>>  requested for only server.lbg.com
>> >>>
>> >>> You will never be able to make a secure request to anything other than
>> >>> server.lbg.com without seeing an error. I highly recommend adding the
>> >>> other hostname as a SAN to your certificate if you really want to
>> >>> support this.
>> >>>
>> >>> Even if you wanted https://example.lbg.com/whatever to return an HTTP
>> >>> 302 redirect to https://server.lbg.com/whatever, the user would see a
>> >>> certificate hostname mismatch error which is ugly. It's best to make
>> it
>> >>> work without users seeing ugly things.
>> >>>
>>  So if i just request new certificate with SAN it should work ? If
>> yes, I
>>  will request for it and follow your steps as below suggested.
>> >>>
>> >>> Yes, it should.
>> >>>
>>  Should i use CName record or DNS? Does it make difference?
>> >>>
>> >>> CNAME *is* DNS.
>> >>>
>> >>> Whenever possible, use hostnames and not IP addresses as SANs. It's
>> more
>> >>> flexible that way, and 

Re: Tomcat closes connections on unexpected status codes

2024-04-29 Thread Pawel Veselov
Chris,

On Fri, Apr 19, 2024 at 4:40 AM Christopher Schultz
 wrote:
>
> Pawel,
>
> On 4/18/24 20:21, Pawel Veselov wrote:
> >> On 18/04/2024 15:18, Stefan Ansing wrote:
> >>> Hi Rémy, Mark,
> >>> I just want to make sure that we’re understanding each other. I can see
> >>> that the connection needs to be closed in certain conditions to prevent
> >>> request smuggling attacks. I certainly don’t want to change that 
> >>> behaviour.
> >>> However, I’m facing a scenario where an application is responding to a
> >>> valid request (from HTTP perspective), with a valid response using these
> >>> status codes (more specifically status codes 400 and 500).
> >> If the request is a valid HTTP request then a 400 status doesn't seem
> >> appropriate to me.
> >
> > It's by now, however, a de-facto standard. Every time I try to
> > determine "which HTTP response should I send back in case of issues
> > with the data", I find myself scrolling through the list of defined
> > codes and not finding anything that would otherwise fit. The HTTP
> > spec states what should the server do in case of HTTP protocol errors
> > (respond with an appropriate 4xx), but that's all that the spec
> > covers for the protocol, and it doesn't prohibit use of 400 for
> > application-level errors. Out of the entire 4xx codes, 400 is (maybe
> > also 414?) the only one that is used for protocol problems, others
> > are for application level errors, but they are very specific and
> > limiting (IMHO).
> When you say "protocol problems", what protocol are you referring to?

In this instance, I meant the actual problems with the HTTP protocol contents.
400 is normally returned by the container because it couldn't
understand the HTTP.
414 is probably as well (because container ran out of maximum
available space to read
in the URI). The rest of the error codes are expected to be produced by the
application, but they were devised for that application being a web server.

> Because if the request is readable and syntactically correct, there is
> no protocol problem. Everything else is ... something else. If you are
> establishing a protocol ON TOP OF HTTP then it's a violation of whatever
> protocol THAT is, not HTTP. So it's better to return { "error" : "Foo
> Protocol violation" } with an appropriate HTTP status code, possibly
> even *200*.

Yes. But (again, assuming web-service-like implementation), the application can
return other HTTP codes for other data (on top of HTTP) issues, i.e., when an
endpoint is not found, 404, when data type is wrong - 415; there are also those
exuberant codes like 409 and 410. So, on the surface, it looks like
the application
can use 4xx codes to signal an error, so one can lay down a contract that says
"2xx means OK response from the application's perspective, and if there is an
error, we'll return some 4xx code", but there *was* (see below) no good 4xx
code for saying "Hey, you forgot a JSON property in your input".

You're right, it probably should have been 2xx, but it's also cringy
to say things like
"there are some errors that we will return 4xx for, but for some it will be 2xx,
and here is how you differentiate successful 2xx from error response 2xx".
I did do that in at least one w/s implementation, and had the customer
yell at me for my trouble. This path is also not well supported by standards
like OAS/RAML (last time I checked, at least). The description of the responses
becomes significantly more complicated in this case.

And, again, there is AWS that is a rather large supplier of web services,
and they did decide to use 400 for this. The web-service client still needs
to distinguish between "400 because the header is mangled", or "400 because
a JSON property was missing". The RFC doesn't explicitly limit the use of
400 to HTTP protocol problems, even though all the examples that are listed
in the spec *are* such.

I did look again at the specs just now, and lo and behold, there is now a
code 422. Which, at least on the surface, looks like exactly the code to use
for responding with application-related content problems. It wasn't there in
RFC#7231 (and neither in #2616 or #2068), but #9110 does have it (yet
the language around 400 is still overly broad), which makes it about 2
years old.
Now, of course, existing w/s contracts aren't likely to switch to using that,
but for any new ones I'll certainly consider it.




Re: Regarding Tomcat url redirection

2024-04-29 Thread lavanya tech
Hi Chris,

There are no issues with the browser, because I tested with different browsers
and it all works fine. I am sure that there is no issue with the
certificate.
Because I was able to establish successful connections with port 8443, it
just does not work without port

 curl  https://example.lbg.com/towl
curl: (56) Received HTTP code 504 from proxy after CONNECT
curl: (56) Received HTTP code 504 from proxy after CONNECT


If you want to use port 443 (the default port for HTTPS) then you will
need to change Tomcat to bind to port 443 (if that's allowed on your OS)
or arrange to have port 443 routed to port 8443. You may need additional
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat
generate URLs with ":8443" in them.



Should I use connect port like the above ? But you mentioned before we
don't need any configuration changes. Please clarify, I am not able to figure
this out and I have had this issue pending for many days. How to make it work with
port 8443 and without port?

Also I wanted to use the web URL with the alias name permanently instead of the
hostname. How can I achieve both?

Thanks,
Lavanya


  -->


On Fri, Apr 26, 2024 at 9:28 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/25/24 07:24, lavanya tech wrote:
> > Hi Chris,
> >
> > One question / doubt:
> >
> > As I mentioned earlier, the below URLS already working in the browser
> >> https://server.lbg.com:8443/towl
> >> https://example.lbg.com:8443/towl -> redirect ( which means when I hit
> in
> > browser) it points to https://server.lbg.com:8443/towl ---> To be frank,
> > even I donot need redirect here, not sure why it redirects.
> >
> > My question is why its working even though SAN is not registered with the
> > certificate ? It doesnot even throw warning in the browser.
>
> I'm not sure. Is it possible you have dismissed this error in the past
> and the browser is remembering that? Try this with a different web
> browser or maybe with curl from the command-line to see what happens.
>
> > Why https://server.lbg.com/towl or https://example.lbg.com/towl --> How
> it
> > should work with New SAN certificate ?
>
> You don't need to worry about the port number or application name, only
> the hostname is a part of the SAN.
>
> -chris
>
> > On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
> > wrote:
> >
> >> Hi Chris,
> >>
> >>
> >> Thanks I will request new certificate with SANs and I will try to fix
> the
> >> things from our end.
> >>
> >> Best Regards,
> >> Lavanya
> >>
> >> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> >>> Lavanya,
> >>>
> >>> On 4/24/24 15:39, lavanya tech wrote:
>  Local host means the machine i am logged in to server.lbg.com
> 
>  You are right, example.lbg.com is CNAME record.
> >>>
> >>> Okay, thanks for clearing that up.
> >>>
>  I dont have any SAN configured for the certificate. The certificate is
>  requested for only server.lbg.com
> >>>
> >>> You will never be able to make a secure request to anything other than
> >>> server.lbg.com without seeing an error. I highly recommend adding the
> >>> other hostname as a SAN to your certificate if you really want to
> >>> support this.
> >>>
> >>> Even if you wanted https://example.lbg.com/whatever to return an HTTP
> >>> 302 redirect to https://server.lbg.com/whatever, the user would see a
> >>> certificate hostname mismatch error which is ugly. It's best to make it
> >>> work without users seeing ugly things.
> >>>
>  So if i just request new certificate with SAN it should work ? If
> yes, I
>  will request for it and follow your steps as below suggested.
> >>>
> >>> Yes, it should.
> >>>
>  Should i use CName record or DNS? Does it make difference?
> >>>
> >>> CNAME *is* DNS.
> >>>
> >>> Whenever possible, use hostnames and not IP addresses as SANs. It's
> more
> >>> flexible that way, and users get to see hostnames instead of IP
> addresses.
> >>>
> >>> -chris
> >>>
>  On Wednesday, April 24, 2024, Christopher Schultz <
>  ch...@christopherschultz.net> wrote:
> 
> > Lavanya,
> >
> > On 4/24/24 07:37, lavanya tech wrote:
> >
> >> Sorry I understood wrongly here with regards to my environment, Let
> me
> >> start from the beginning. I donot want to use redirect at all. I
> >>> simply
> >> wanted to force apache tomcat to use both localhost and dns name of
> >>> the
> >> localhost via url.
> >>
> >
> > When you say "force" what do you mean?
> >
> > When you say "use both localhost and DNS name" what do you mean?
> >
> > When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
> > logged-into right now"?
> >
> > I have DNS resollution as below.
> >>
> >> server.lbg.com --> localhost
> >>
> >
> > Is that a CNAME record?
> >
> > nslookup server.lbg.com (localhost)
> >> Name:server.lbg.com
> >> Address:  

Re: Regarding Tomcat url redirection

2024-04-26 Thread Christopher Schultz

Lavanya,

On 4/25/24 09:36, lavanya tech wrote:
> I have updated the certificate now, but still I cannot access url
> https://example.lbg.com/towl  either https://server.lbg.com/towl ?
>
> I wonder why it's working with port 8443 and not without port

If Tomcat is listening to port 8443, then you need to use port 8443 to 
make a request. The cert doesn't cover port number, so you can still use it.


If you want to use port 443 (the default port for HTTPS) then you will 
need to change Tomcat to bind to port 443 (if that's allowed on your OS) 
or arrange to have port 443 routed to port 8443. You may need additional 
configuration in Tomcat (specifically: proxyPort) to avoid having Tomcat 
generate URLs with ":8443" in them.


-chris


On Thu, Apr 25, 2024 at 1:24 PM lavanya tech 
wrote:


Hi Chris,

One question / doubt:

As I mentioned earlier, the below URLS already working in the browser

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl -> redirect ( which means when I hit

in browser) it points to https://server.lbg.com:8443/towl ---> To be
frank, even I donot need redirect here, not sure why it redirects.

My question is why its working even though SAN is not registered with the
certificate ? It doesnot even throw warning in the browser.

Why https://server.lbg.com/towl or https://example.lbg.com/towl --> How
it should work with New SAN certificate ?

Thanks,
Lavanya



On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
wrote:


Hi Chris,


Thanks I will request new certificate with SANs and I will try to fix the
things from our end.

Best Regards,
Lavanya

On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 15:39, lavanya tech wrote:

Local host means the machine i am logged in to server.lbg.com

You are right, example.lbg.com is CNAME record.


Okay, thanks for clearing that up.


I dont have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com


You will never be able to make a secure request to anything other than
server.lbg.com without seeing an error. I highly recommend adding the
other hostname as a SAN to your certificate if you really want to
support this.

Even if you wanted https://example.lbg.com/whatever to return an HTTP
302 redirect to https://server.lbg.com/whatever, the user would see a
certificate hostname mismatch error which is ugly. It's best to make it
work without users seeing ugly things.


So if i just request new certificate with SAN it should work ? If yes,

I

will request for it and follow your steps as below suggested.


Yes, it should.


Should i use CName record or DNS? Does it make difference?


CNAME *is* DNS.

Whenever possible, use hostnames and not IP addresses as SANs. It's more
flexible that way, and users get to see hostnames instead of IP
addresses.

-chris


On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 07:37, lavanya tech wrote:


Sorry I understood wrongly here with regards to my environment, Let

me

start from the beginning. I donot want to use redirect at all. I

simply

wanted to force apache tomcat to use both localhost and dns name of

the

localhost via url.



When you say "force" what do you mean?

When you say "use both localhost and DNS name" what do you mean?

When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
logged-into right now"?

I have DNS resolution as below.


server.lbg.com --> localhost



Is that a CNAME record?

nslookup server.lbg.com (localhost)

Name:server.lbg.com
Address:  192.168.100.20
alias: example.lbg.com



That's a weird DNS response. The DNS name "localhost" should *always*
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
191.168.100.20.

We have the below URLs working:

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to



What do you mean "redirect"? Does it return a 30x response that causes the
browser to make a new request to \/

https://server.lbg.com:8443/towl  --> still works --> we have SSL
configured for the same but this SSL certificate does not have additional
DNS setup.



What SANs are in your certificate? How many certificates do you have?

But I would need to somehow access https://example.lbg.com --> which means
I would need to access via 443 here?



I'm so confused. What needs to access what?

I tried adding the below to server.xml, but that does not seem
to work.

   



This will only redirect (HTTP 302) requests to http://yourhost/anything
to https://yourhost/anything *if the application specifically requests
CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
you want it to redirect everything, you'll need to set that up e.g. using
RewriteValve. There are other options, too.

Do I need an additional SSL certificate for https://example.lbg.com to
make it work?



If you don't want your 

Re: Regarding Tomcat url redirection

2024-04-26 Thread Christopher Schultz

Lavanya,

On 4/25/24 07:24, lavanya tech wrote:

Hi Chris,

One question / doubt:

As I mentioned earlier, the below URLs are already working in the browser

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl -> redirect (which means when I hit it in
the browser it points to https://server.lbg.com:8443/towl) ---> To be frank,
even I do not need a redirect here; not sure why it redirects.

My question is why it's working even though the SAN is not registered with the
certificate? It doesn't even throw a warning in the browser.


I'm not sure. Is it possible you have dismissed this error in the past 
and the browser is remembering that? Try this with a different web 
browser or maybe with curl from the command-line to see what happens.



Why https://server.lbg.com/towl or https://example.lbg.com/towl --> how
should it work with the new SAN certificate?


You don't need to worry about the port number or application name, only 
the hostname is a part of the SAN.


-chris


On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
wrote:


Hi Chris,


Thanks I will request new certificate with SANs and I will try to fix the
things from our end.

Best Regards,
Lavanya

On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 15:39, lavanya tech wrote:

Local host means the machine I am logged in to, server.lbg.com.

You are right, example.lbg.com is a CNAME record.


Okay, thanks for clearing that up.


I don't have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com.


You will never be able to make a secure request to anything other than
server.lbg.com without seeing an error. I highly recommend adding the
other hostname as a SAN to your certificate if you really want to
support this.

Even if you wanted https://example.lbg.com/whatever to return an HTTP
302 redirect to https://server.lbg.com/whatever, the user would see a
certificate hostname mismatch error which is ugly. It's best to make it
work without users seeing ugly things.


So if I just request a new certificate with a SAN it should work? If yes, I
will request it and follow your steps as suggested below.


Yes, it should.


Should I use a CNAME record or DNS? Does it make a difference?


CNAME *is* DNS.

Whenever possible, use hostnames and not IP addresses as SANs. It's more
flexible that way, and users get to see hostnames instead of IP addresses.

-chris


On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 07:37, lavanya tech wrote:


Sorry, I understood wrongly here with regards to my environment. Let me
start from the beginning. I do not want to use a redirect at all. I simply
wanted to force Apache Tomcat to use both localhost and the DNS name of the
localhost via URL.



When you say "force" what do you mean?

When you say "use both localhost and DNS name" what do you mean?

When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
logged-into right now"?

I have DNS resolution as below.


server.lbg.com --> localhost



Is that a CNAME record?

nslookup server.lbg.com (localhost)

Name:server.lbg.com
Address:  192.168.100.20
alias: example.lbg.com



That's a weird DNS response. The DNS name "localhost" should *always*
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
191.168.100.20.

We have the below URLs working:

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to



What do you mean "redirect"? Does it return a 30x response that causes the
browser to make a new request to \/

https://server.lbg.com:8443/towl  --> still works --> we have SSL
configured for the same but this SSL certificate does not have additional
DNS setup.



What SANs are in your certificate? How many certificates do you have?

But I would need to somehow access https://example.lbg.com --> which means
I would need to access via 443 here?



I'm so confused. What needs to access what?

I tried adding the below to server.xml, but that does not seem
to work.

   



This will only redirect (HTTP 302) requests to http://yourhost/anything
to https://yourhost/anything *if the application specifically requests
CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
you want it to redirect everything, you'll need to set that up e.g. using
RewriteValve. There are other options, too.

Do I need an additional SSL certificate for https://example.lbg.com to
make it work?



If you don't want your browser to complain, you will need at least one TLS
certificate that contains every Subject Alternative Name (SAN) for every
possible hostname you expect to use with this service. You can do it with
multiple certificates as well, but a single cert with multiple SANs is less
work.

Do I need to set up an additional web server for this like Apache or nginx
for redirecting requests?



No.

Please stop saying "redirect" because 

Re: Regarding Tomcat url redirection

2024-04-25 Thread lavanya tech
Hi

I have updated the certificate now, but still I cannot access the URL
https://example.lbg.com/towl or https://server.lbg.com/towl.

I wonder why it's working with port 8443 and not without the port.



On Thu, Apr 25, 2024 at 1:24 PM lavanya tech 
wrote:

> Hi Chris,
>
> One question / doubt:
>
> As I mentioned earlier, the below URLs are already working in the browser
> > https://server.lbg.com:8443/towl
> > https://example.lbg.com:8443/towl -> redirect (which means when I hit it
> in the browser it points to https://server.lbg.com:8443/towl) ---> To be
> frank, even I do not need a redirect here; not sure why it redirects.
>
> My question is why it's working even though the SAN is not registered with the
> certificate? It doesn't even throw a warning in the browser.
>
> Why https://server.lbg.com/towl or https://example.lbg.com/towl --> how
> should it work with the new SAN certificate?
>
> Thanks,
> Lavanya
>
>
>
> On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
> wrote:
>
>> Hi Chris,
>>
>>
>> Thanks I will request new certificate with SANs and I will try to fix the
>> things from our end.
>>
>> Best Regards,
>> Lavanya
>>
>> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
>>
>>> Lavanya,
>>>
>>> On 4/24/24 15:39, lavanya tech wrote:
>>> > Local host means the machine I am logged in to, server.lbg.com.
>>> >
>>> > You are right, example.lbg.com is a CNAME record.
>>>
>>> Okay, thanks for clearing that up.
>>>
>>> > I don't have any SAN configured for the certificate. The certificate is
>>> > requested for only server.lbg.com.
>>>
>>> You will never be able to make a secure request to anything other than
>>> server.lbg.com without seeing an error. I highly recommend adding the
>>> other hostname as a SAN to your certificate if you really want to
>>> support this.
>>>
>>> Even if you wanted https://example.lbg.com/whatever to return an HTTP
>>> 302 redirect to https://server.lbg.com/whatever, the user would see a
>>> certificate hostname mismatch error which is ugly. It's best to make it
>>> work without users seeing ugly things.
>>>
>>> > So if I just request a new certificate with a SAN it should work? If yes, I
>>> > will request it and follow your steps as suggested below.
>>>
>>> Yes, it should.
>>>
>>> > Should I use a CNAME record or DNS? Does it make a difference?
>>>
>>> CNAME *is* DNS.
>>>
>>> Whenever possible, use hostnames and not IP addresses as SANs. It's more
>>> flexible that way, and users get to see hostnames instead of IP
>>> addresses.
>>>
>>> -chris
>>>
>>> > On Wednesday, April 24, 2024, Christopher Schultz <
>>> > ch...@christopherschultz.net> wrote:
>>> >
>>> >> Lavanya,
>>> >>
>>> >> On 4/24/24 07:37, lavanya tech wrote:
>>> >>
>>> >>> Sorry, I understood wrongly here with regards to my environment. Let me
>>> >>> start from the beginning. I do not want to use a redirect at all. I simply
>>> >>> wanted to force Apache Tomcat to use both localhost and the DNS name of the
>>> >>> localhost via URL.
>>> >>>
>>> >>
>>> >> When you say "force" what do you mean?
>>> >>
>>> >> When you say "use both localhost and DNS name" what do you mean?
>>> >>
>>> >> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
>>> >> logged-into right now"?
>>> >>
>>> >> I have DNS resolution as below.
>>> >>>
>>> >>> server.lbg.com --> localhost
>>> >>>
>>> >>
>>> >> Is that a CNAME record?
>>> >>
>>> >> nslookup server.lbg.com (localhost)
>>> >>> Name:server.lbg.com
>>> >>> Address:  192.168.100.20
>>> >>> alias: example.lbg.com
>>> >>>
>>> >>
>>> >> That's a weird DNS response. The DNS name "localhost" should *always*
>>> >> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
>>> >> 191.168.100.20.
>>> >>
>>> >> We have the below URLs working:
>>> >>> https://server.lbg.com:8443/towl
>>> >>> https://example.lbg.com:8443/towl --> redirects to
>>> >>>
>>> >>
>>> >> What do you mean "redirect"? Does it return a 30x response that causes the
>>> >> browser to make a new request to \/
>>> >>
>>> >> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>>> >>> configured for the same but this SSL certificate does not have additional
>>> >>> DNS setup.
>>> >>>
>>> >>
>>> >> What SANs are in your certificate? How many certificates do you have?
>>> >>
>>> >> But I would need to somehow access https://example.lbg.com --> which means
>>> >>> I would need to access via 443 here?
>>> >>>
>>> >>
>>> >> I'm so confused. What needs to access what?
>>> >>
>>> >> I tried adding the below to server.xml, but that does not seem
>>> >>> to work.
>>> >>>
>>> >>>   >> >>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >>>  connectionTimeout="2"
>>> >>>  redirectPort="443" />
>>> >>>
>>> >>
>>> >> This will only redirect (HTTP 302) requests to
>>> http://yourhost/anything
>>> >> to https://yourhost/anything *if the application specifically
>>> requests
>>> >> CONFIDENTIAL 

Re: Regarding Tomcat url redirection

2024-04-25 Thread lavanya tech
Hi Chris,

One question / doubt:

As I mentioned earlier, the below URLs are already working in the browser
> https://server.lbg.com:8443/towl
> https://example.lbg.com:8443/towl -> redirect (which means when I hit it in
the browser it points to https://server.lbg.com:8443/towl) ---> To be frank,
even I do not need a redirect here; not sure why it redirects.

My question is why it's working even though the SAN is not registered with the
certificate? It doesn't even throw a warning in the browser.

Why https://server.lbg.com/towl or https://example.lbg.com/towl --> how
should it work with the new SAN certificate?

Thanks,
Lavanya



On Thu, Apr 25, 2024 at 10:16 AM lavanya tech 
wrote:

> Hi Chris,
>
>
> Thanks I will request new certificate with SANs and I will try to fix the
> things from our end.
>
> Best Regards,
> Lavanya
>
> On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> Lavanya,
>>
>> On 4/24/24 15:39, lavanya tech wrote:
>> > Local host means the machine I am logged in to, server.lbg.com.
>> >
>> > You are right, example.lbg.com is a CNAME record.
>>
>> Okay, thanks for clearing that up.
>>
>> > I don't have any SAN configured for the certificate. The certificate is
>> > requested for only server.lbg.com.
>>
>> You will never be able to make a secure request to anything other than
>> server.lbg.com without seeing an error. I highly recommend adding the
>> other hostname as a SAN to your certificate if you really want to
>> support this.
>>
>> Even if you wanted https://example.lbg.com/whatever to return an HTTP
>> 302 redirect to https://server.lbg.com/whatever, the user would see a
>> certificate hostname mismatch error which is ugly. It's best to make it
>> work without users seeing ugly things.
>>
>> > So if I just request a new certificate with a SAN it should work? If yes, I
>> > will request it and follow your steps as suggested below.
>>
>> Yes, it should.
>>
>> > Should I use a CNAME record or DNS? Does it make a difference?
>>
>> CNAME *is* DNS.
>>
>> Whenever possible, use hostnames and not IP addresses as SANs. It's more
>> flexible that way, and users get to see hostnames instead of IP addresses.
>>
>> -chris
>>
>> > On Wednesday, April 24, 2024, Christopher Schultz <
>> > ch...@christopherschultz.net> wrote:
>> >
>> >> Lavanya,
>> >>
>> >> On 4/24/24 07:37, lavanya tech wrote:
>> >>
>> >>> Sorry, I understood wrongly here with regards to my environment. Let me
>> >>> start from the beginning. I do not want to use a redirect at all. I simply
>> >>> wanted to force Apache Tomcat to use both localhost and the DNS name of the
>> >>> localhost via URL.
>> >>>
>> >>
>> >> When you say "force" what do you mean?
>> >>
>> >> When you say "use both localhost and DNS name" what do you mean?
>> >>
>> >> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
>> >> logged-into right now"?
>> >>
>> >> I have DNS resolution as below.
>> >>>
>> >>> server.lbg.com --> localhost
>> >>>
>> >>
>> >> Is that a CNAME record?
>> >>
>> >> nslookup server.lbg.com (localhost)
>> >>> Name:server.lbg.com
>> >>> Address:  192.168.100.20
>> >>> alias: example.lbg.com
>> >>>
>> >>
>> >> That's a weird DNS response. The DNS name "localhost" should *always*
>> >> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
>> >> 191.168.100.20.
>> >>
>> >> We have the below URLs working:
>> >>> https://server.lbg.com:8443/towl
>> >>> https://example.lbg.com:8443/towl --> redirects to
>> >>>
>> >>
>> >> What do you mean "redirect"? Does it return a 30x response that causes the
>> >> browser to make a new request to \/
>> >>
>> >> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>> >>> configured for the same but this SSL certificate does not have additional
>> >>> DNS setup.
>> >>>
>> >>
>> >> What SANs are in your certificate? How many certificates do you have?
>> >>
>> >> But I would need to somehow access https://example.lbg.com --> which means
>> >>> I would need to access via 443 here?
>> >>>
>> >>
>> >> I'm so confused. What needs to access what?
>> >>
>> >> I tried adding the below to server.xml, but that does not seem
>> >>> to work.
>> >>>
>> >>>   > >>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >>>  connectionTimeout="2"
>> >>>  redirectPort="443" />
>> >>>
>> >>
>> >> This will only redirect (HTTP 302) requests to
>> http://yourhost/anything
>> >> to https://yourhost/anything *if the application specifically requests
>> >> CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
>> >> you want it to redirect everything, you'll need to set that up e.g. using
>> >> RewriteValve. There are other options, too.
>> >>
>> >> Do I need an additional SSL certificate for https://example.lbg.com to
>> >>> make it work?
>> >>>
>> >>
>> >> If you don't want your browser to complain, you will need at least one TLS
>> >> certificate that contains every 

Re: Regarding Tomcat url redirection

2024-04-25 Thread lavanya tech
Hi Chris,


Thanks I will request new certificate with SANs and I will try to fix the
things from our end.

Best Regards,
Lavanya

On Wed, Apr 24, 2024 at 11:12 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/24/24 15:39, lavanya tech wrote:
> > Local host means the machine I am logged in to, server.lbg.com.
> >
> > You are right, example.lbg.com is a CNAME record.
>
> Okay, thanks for clearing that up.
>
> > I don't have any SAN configured for the certificate. The certificate is
> > requested for only server.lbg.com.
>
> You will never be able to make a secure request to anything other than
> server.lbg.com without seeing an error. I highly recommend adding the
> other hostname as a SAN to your certificate if you really want to
> support this.
>
> Even if you wanted https://example.lbg.com/whatever to return an HTTP
> 302 redirect to https://server.lbg.com/whatever, the user would see a
> certificate hostname mismatch error which is ugly. It's best to make it
> work without users seeing ugly things.
>
> > So if I just request a new certificate with a SAN it should work? If yes, I
> > will request it and follow your steps as suggested below.
>
> Yes, it should.
>
> > Should I use a CNAME record or DNS? Does it make a difference?
>
> CNAME *is* DNS.
>
> Whenever possible, use hostnames and not IP addresses as SANs. It's more
> flexible that way, and users get to see hostnames instead of IP addresses.
>
> -chris
>
> > On Wednesday, April 24, 2024, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Lavanya,
> >>
> >> On 4/24/24 07:37, lavanya tech wrote:
> >>
> >>> Sorry, I understood wrongly here with regards to my environment. Let me
> >>> start from the beginning. I do not want to use a redirect at all. I simply
> >>> wanted to force Apache Tomcat to use both localhost and the DNS name of the
> >>> localhost via URL.
> >>>
> >>
> >> When you say "force" what do you mean?
> >>
> >> When you say "use both localhost and DNS name" what do you mean?
> >>
> >> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
> >> logged-into right now"?
> >>
> >> I have DNS resolution as below.
> >>>
> >>> server.lbg.com --> localhost
> >>>
> >>
> >> Is that a CNAME record?
> >>
> >> nslookup server.lbg.com (localhost)
> >>> Name:server.lbg.com
> >>> Address:  192.168.100.20
> >>> alias: example.lbg.com
> >>>
> >>
> >> That's a weird DNS response. The DNS name "localhost" should *always*
> >> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
> >> 191.168.100.20.
> >>
> >> We have the below URLs working:
> >>> https://server.lbg.com:8443/towl
> >>> https://example.lbg.com:8443/towl --> redirects to
> >>>
> >>
> >> What do you mean "redirect"? Does it return a 30x response that causes the
> >> browser to make a new request to \/
> >>
> >> https://server.lbg.com:8443/towl  --> still works --> we have SSL
> >>> configured for the same but this SSL certificate does not have additional
> >>> DNS setup.
> >>>
> >>
> >> What SANs are in your certificate? How many certificates do you have?
> >>
> >> But I would need to somehow access https://example.lbg.com --> which means
> >>> I would need to access via 443 here?
> >>>
> >>
> >> I'm so confused. What needs to access what?
> >>
> >> I tried adding the below to server.xml, but that does not seem
> >>> to work.
> >>>
> >>>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>>  connectionTimeout="2"
> >>>  redirectPort="443" />
> >>>
> >>
> >> This will only redirect (HTTP 302) requests to http://yourhost/anything
> >> to https://yourhost/anything *if the application specifically requests
> >> CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
> >> you want it to redirect everything, you'll need to set that up e.g. using
> >> RewriteValve. There are other options, too.
> >>
> >> Do I need an additional SSL certificate for https://example.lbg.com to
> >>> make it work?
> >>>
> >>
> >> If you don't want your browser to complain, you will need at least one TLS
> >> certificate that contains every Subject Alternative Name (SAN) for every
> >> possible hostname you expect to use with this service. You can do it with
> >> multiple certificates as well, but a single cert with multiple SANs is less
> >> work.
> >>
> >> Do I need to set up an additional web server for this like Apache or nginx
> >>> for redirecting requests?
> >>>
> >>
> >> No.
> >>
> >> Please stop saying "redirect" because it sounds like you almost never mean
> >> "HTTP 30x redirect" and that's confusing everything.
> >>
> >> I *think* you only need the following:
> >>
> >> 1. A TLS certificate with the following SANs:
> >>
> >>* server.lbg.com
> >>* example.lbg.com
> >>* localhost (you shouldn't do this)
> >>
> >> 2. DNS configured for all hostnames:
> >>
> >>* server.lbg.com -> A 192.168.100.20
> >>* example.lbg.com 

Re: Regarding Tomcat url redirection

2024-04-24 Thread Christopher Schultz

Lavanya,

On 4/24/24 15:39, lavanya tech wrote:

Local host means the machine I am logged in to, server.lbg.com.

You are right, example.lbg.com is a CNAME record.


Okay, thanks for clearing that up.


I don't have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com.


You will never be able to make a secure request to anything other than 
server.lbg.com without seeing an error. I highly recommend adding the 
other hostname as a SAN to your certificate if you really want to 
support this.


Even if you wanted https://example.lbg.com/whatever to return an HTTP 
302 redirect to https://server.lbg.com/whatever, the user would see a 
certificate hostname mismatch error which is ugly. It's best to make it 
work without users seeing ugly things.



So if I just request a new certificate with a SAN it should work? If yes, I
will request it and follow your steps as suggested below.


Yes, it should.


Should I use a CNAME record or DNS? Does it make a difference?


CNAME *is* DNS.

Whenever possible, use hostnames and not IP addresses as SANs. It's more 
flexible that way, and users get to see hostnames instead of IP addresses.


-chris


On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/24/24 07:37, lavanya tech wrote:


Sorry, I understood wrongly here with regards to my environment. Let me
start from the beginning. I do not want to use a redirect at all. I simply
wanted to force Apache Tomcat to use both localhost and the DNS name of the
localhost via URL.



When you say "force" what do you mean?

When you say "use both localhost and DNS name" what do you mean?

When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
logged-into right now"?

I have DNS resolution as below.


server.lbg.com --> localhost



Is that a CNAME record?

nslookup server.lbg.com (localhost)

Name:server.lbg.com
Address:  192.168.100.20
alias: example.lbg.com



That's a weird DNS response. The DNS name "localhost" should *always*
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
191.168.100.20.

We have the below URLs working:

https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to



What do you mean "redirect"? Does it return a 30x response that causes the
browser to make a new request to \/

https://server.lbg.com:8443/towl  --> still works --> we have SSL
configured for the same but this SSL certificate does not have additional
DNS setup.



What SANs are in your certificate? How many certificates do you have?

But I would need to somehow access https://example.lbg.com --> which means
I would need to access via 443 here?



I'm so confused. What needs to access what?

I tried adding the below to server.xml, but that does not seem
to work.

  



This will only redirect (HTTP 302) requests to http://yourhost/anything
to https://yourhost/anything *if the application specifically requests
CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
you want it to redirect everything, you'll need to set that up e.g. using
RewriteValve. There are other options, too.

Do I need an additional SSL certificate for https://example.lbg.com to
make it work?



If you don't want your browser to complain, you will need at least one TLS
certificate that contains every Subject Alternative Name (SAN) for every
possible hostname you expect to use with this service. You can do it with
multiple certificates as well, but a single cert with multiple SANs is less
work.

Do I need to set up an additional web server for this like Apache or nginx
for redirecting requests?



No.

Please stop saying "redirect" because it sounds like you almost never mean
"HTTP 30x redirect" and that's confusing everything.

I *think* you only need the following:

1. A TLS certificate with the following SANs:

   * server.lbg.com
   * example.lbg.com
   * localhost (you shouldn't do this)

2. DNS configured for all hostnames:

   * server.lbg.com -> A 192.168.100.20
   * example.lbg.com -> A 192.168.100.20

3. Tomcat configured with a single  which is the default virtual
host. Note that this is the *default Tomcat configuration* and doesn't need
to be changed from the default.

4. Tomcat configured with your certificate like this:


  


  


If your SANs are configured properly, this should allow you to connect
using any of these URLs:

$ curl https://server.lbg.com/towl/login.jsp

   (returns login page)

$ curl https://example.lbg.com/towl/login.jsp

   (returns login page)

If your application's web.xml contains something like this:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>theapp</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>

... then these insecure HTTP URLs should redirect your clients:

$ curl http://server.lbg.com/towl/login.jsp

   (returns HTTP 302 redirect to https://server.lbg.com/towl/login.jsp)

$ curl https://server.lbg.com/towl/login.jsp

   (returns 
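An added example, not code from this thread or from Tomcat, for the point Chris makes above: only the hostname of a URL is compared against the certificate's Subject Alternative Names, never the port or the path, so https://example.lbg.com:8443/towl and https://example.lbg.com/towl need exactly the same SAN. The certificate dicts are constructed here to mimic the shape Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames are the ones from the thread, and the helper names are this example's own.

```python
"""Check which hostnames in a set of URLs a TLS certificate's SANs cover.

Added example, not code from the thread or from Tomcat. The certificate
dicts are constructed to mimic the shape of ssl.SSLSocket.getpeercert();
the hostnames are the ones discussed in the thread.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, exact match, or a
    wildcard that is the entire leftmost label and covers exactly one label
    (*.lbg.com matches example.lbg.com, not a.b.lbg.com and not lbg.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        # Same label count, at least two labels after the wildcard (so *.com
        # never matches), and every non-wildcard label identical.
        return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def san_entries(cert: dict) -> List[Tuple[str, str]]:
    """SAN entries as (kind, value) pairs, e.g. ("DNS", "server.lbg.com").
    Only SANs count: browsers no longer fall back to the subject CN."""
    return list(cert.get("subjectAltName", ()))


def url_hostname(url: str) -> Optional[str]:
    """The only part of a URL that is matched against the certificate.
    Port, path and query are irrelevant to the SAN check."""
    return urlsplit(url).hostname


def url_matches_cert(url: str, cert: dict) -> bool:
    """True if the URL's hostname is covered by one of the certificate's SANs."""
    host = url_hostname(url)
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries(cert):
        if ip is not None:
            # An IP literal only ever matches an iPAddress SAN, never a DNS one.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_id_matches(value, host):
            return True
    return False


def unmatched_hostnames(urls: Iterable[str], cert: dict) -> List[str]:
    """Hostnames the URLs need that the certificate does not cover; this is
    the SAN list to put on the certificate request."""
    missing: List[str] = []
    for url in urls:
        host = url_hostname(url)
        if host and not url_matches_cert(url, cert) and host not in missing:
            missing.append(host)
    return missing


# Constructed sample data in getpeercert() shape. The first mimics the cert
# from the thread, issued for server.lbg.com only; the second is the cert
# Chris recommends, with both hostnames as SANs.
CERT_SERVER_ONLY = {
    "subject": ((("commonName", "server.lbg.com"),),),
    "subjectAltName": (("DNS", "server.lbg.com"),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "server.lbg.com"),),),
    "subjectAltName": (("DNS", "server.lbg.com"), ("DNS", "example.lbg.com")),
}
URLS = [
    "https://server.lbg.com:8443/towl",
    "https://example.lbg.com:8443/towl",
    "https://example.lbg.com/towl/login.jsp",
]

if __name__ == "__main__":
    for cert in (CERT_SERVER_ONLY, CERT_WITH_SANS):
        gap = unmatched_hostnames(URLS, cert)
        print(san_entries(cert), "->", gap or "all URLs covered")
```

Against a live server the same check applies to the dict from `ssl.SSLSocket.getpeercert()` after a handshake to each hostname.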

Re: Tomcat closes connections on unexpected status codes

2024-04-24 Thread Adwait Kumar Singh
> Assuming it's easy for Tomcat to differentiate between errors generated

My PR was based on the assumption that it is easy, since Tomcat always
invokes this method[1] if it's a badRequest.


[1]
https://github.com/apache/tomcat/blob/main/java/org/apache/coyote/http11/Http11Processor.java#L849-L850

On Wed, Apr 24, 2024 at 11:51 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Stefan,
>
> On 4/24/24 13:58, Stefan Ansing wrote:
> > Op do 18 apr 2024 om 17:42 schreef Mark Thomas :
> >
> >> On 18/04/2024 15:18, Stefan Ansing wrote:
> >>> Hi Rémy, Mark,
> >>>
> >>>
> >>>
> >>> I just want to make sure that we’re understanding each other. I can see
> >>> that the connection needs to be closed in certain conditions to prevent
> >>> request smuggling attacks. I certainly don’t want to change that
> >> behaviour.
> >>>
> >>> However, I’m facing a scenario where an application is responding to a
> >>> valid request (from HTTP perspective), with a valid response using
> these
> >>> status codes (more specifically status codes 400 and 500).
> >>
> >> If the request is a valid HTTP request then a 400 status doesn't seem
> >> appropriate to me.
> >>
> >> If the server is correctly handling that request to generate the
> >> response, a 500 status doesn't seem right either.
> >>
> >>>
> >>> I don’t think that in this scenario a request smuggling attack could be
> >>> executed, or am I missing something?
> >>
> >> The main issue is if the original request is invalid HTTP there is no
> >> way to determine where the next HTTP request starts.
> >>
> >> If there is a proxy in the mix then the risks of something going wrong
> >> tend to go up.
> >>
> >> Mark
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> > Hi Mark,
> >
> > I can see your point of view regarding the use of the status codes for
> > application errors. Unfortunately the HTTP spec doesn't clearly
> > differentiate the use of status codes for protocol or application errors.
> > Which is probably why these status codes are now also commonly used for
> > application errors.
> >
> > Tomcat (and other servlet containers) currently allow applications to set
> > any status code, but with the current behaviour of Tomcat this leads to
> > unexpected side effects for some status codes.
> >
> > This behaviour makes it so that Tomcat might not be fit for our purpose
> > (Spring Boot services to services communications). I think the way to
> > resolve that is to alter the behaviour in Tomcat to differentiate between
> > protocol and application errors when using these status codes (and to
> make
> > this behaviour potentially configurable). I also think that this change
> > would benefit most users of Tomcat since the behaviour in this scenario
> is
> > unnecessary. Would the Tomcat developers be willing to do that?
>
> Assuming it's easy for Tomcat to differentiate between errors generated
> by Tomcat (e.g. "real" 400 responses) and those generated by the
> application, I think this is a good idea. HTTP 400 indicates a protocol
> error, but if the application is generating it, then Tomcat need not
> close the connection.
>
> Theoretically this could also be true for other status codes as well. I
> chose 400 because it means the connection MUST be closed for security if
> Tomcat is the one detecting that there is actually an HTTP protocol
> violation.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Regarding Tomcat url redirection

2024-04-24 Thread lavanya tech
Hi Chris,

Thanks for the reply.

Local host means the machine I am logged in to, server.lbg.com.

You are right, example.lbg.com is a CNAME record.

I don't have any SAN configured for the certificate. The certificate is
requested for only server.lbg.com.

So if I just request a new certificate with a SAN it should work? If yes, I
will request it and follow your steps as suggested below.

Should I use a CNAME record or DNS? Does it make a difference?

Thanks,
Lavanya






On Wednesday, April 24, 2024, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/24/24 07:37, lavanya tech wrote:
>
>> Sorry, I understood wrongly here with regards to my environment. Let me
>> start from the beginning. I do not want to use a redirect at all. I simply
>> wanted to force Apache Tomcat to use both localhost and the DNS name of the
>> localhost via URL.
>>
>
> When you say "force" what do you mean?
>
> When you say "use both localhost and DNS name" what do you mean?
>
> When you say "localhost" do you mean 127.0.0.1 or "the machine I'm
> logged-into right now"?
>
> I have DNS resolution as below.
>>
>> server.lbg.com --> localhost
>>
>
> Is that a CNAME record?
>
> nslookup server.lbg.com (localhost)
>> Name:server.lbg.com
>> Address:  192.168.100.20
>> alias: example.lbg.com
>>
>
> That's a weird DNS response. The DNS name "localhost" should *always*
> return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return
> 191.168.100.20.
>
> We have the below URLs working:
>> https://server.lbg.com:8443/towl
>> https://example.lbg.com:8443/towl --> redirects to
>>
>
> What do you mean "redirect"? Does it return a 30x response that causes the
> browser to make a new request to \/
>
> https://server.lbg.com:8443/towl  --> still works --> we have SSL
>> configured for the same but this SSL certificate does not have additional
>> DNS setup.
>>
>
> What SANs are in your certificate? How many certificates do you have?
>
> But I would need to somehow access https://example.lbg.com --> which
>> means
>> I would need to access via 443 here?
>>
>
> I'm so confused. What needs to access what?
>
> I tried adding the below to server.xml as below, but that does not seem
>> to work.
>>
>>  > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> connectionTimeout="2"
>> redirectPort="443" />
>>
>
> This will only redirect (HTTP 302) requests to http://yourhost/anything
> to https://yourhost/anything *if the application specifically requests
> CONFIDENTIAL transport*. It doesn't just redirect everything by default. If
> you want it to redirect everything, you'll need to set that up e.g. using
> RewriteValve. There are other options, too.
>
> Do i need additional SSL certificate for the https://example.lbg.com  to
>> make it work ?
>>
>
> If you don't want your browser to complain, you will need at least one TLS
> certificate that contains every Subject Alternative Name (SAN) for every
> possible hostname you expect to use with this service. You can do it with
> multiple certificates as well, but a single cert with multiple SANs is less
> work.
>
> Do i need to set up an additional web server for this like apache or nginx
>> for redirecting requests?
>>
>
> No.
>
> Please stop saying "redirect" because it sounds like you almost never mean
> "HTTP 30x redirect" and that's confusing everything.
>
> I *think* you only need the following:
>
> 1. A TLS certificate with the following SANs:
>
>   * server.lbg.com
>   * example.lbg.com
>   * localhost (you shouldn't do this)
>
> 2. DNS configured for all hostnames:
>
>   * server.lbg.com -> A 192.168.100.20
>   * example.lbg.com -> A 192.168.100.20
>
> 3. Tomcat configured with a single  which is the default virtual
> host. Note that this is the *default Tomcat configuration* and doesn't need
> to be changed from the default.
>
> 4. Tomcat configured with your certificate like this:
>
>   SSLEnabled="true">
>  
>certificateFile="/path/to/your/cert.crt"
>certificateKeyFile="/path/to/your/key.pem" />
>
>  
>
>
> If your SANs are configured properly, this should allow you to connect
> using any of these URLs:
>
> $ curl https://server.lbg.com/towl/login.jsp
>
>   (returns login page)
>
> $ curl https://example.lbg.com/towl/login.jsp
>
>   (returns login page)
>
> If your application's web.xml contains something like this:
>
>   
> 
>   theapp
>   /*
> 
> 
>   CONFIDENTIAL
> 
>   
>
> ... then these insecure HTTP URLs should redirect your clients:
>
> $ curl http://server.lbg.com/towl/login.jsp
>
>   (returns HTTP 302 redirect to https://server.lbg.com/towl/login.jsp)
>
> $ curl https://server.lbg.com/towl/login.jsp
>
>   (returns HTTP 302 redirect to https://example.lbg.com/towl/login.jsp)
>
> I don't think you need any use of the RewriteValve unless you want to
> handle sending HTTP 302 redirect responses to insecure requests without
> specifying 

Re: Tomcat closes connections on unexpected status codes

2024-04-24 Thread Christopher Schultz

Stefan,

On 4/24/24 13:58, Stefan Ansing wrote:

On Thu, 18 Apr 2024 at 17:42, Mark Thomas wrote:


On 18/04/2024 15:18, Stefan Ansing wrote:

Hi Rémy, Mark,



I just want to make sure that we’re understanding each other. I can see
that the connection needs to be closed in certain conditions to prevent
request smuggling attacks. I certainly don’t want to change that

behaviour.


However, I’m facing a scenario where an application is responding to a
valid request (from HTTP perspective), with a valid response using these
status codes (more specifically status codes 400 and 500).


If the request is a valid HTTP request then a 400 status doesn't seem
appropriate to me.

If the server is correctly handling that request to generate the
response, a 500 status doesn't seem right either.



I don’t think that in this scenario a request smuggling attack could be
executed, or am I missing something?


The main issue is if the original request is invalid HTTP there is no
way to determine where the next HTTP request starts.

If there is a proxy in the mix then the risks of something going wrong
tend to go up.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Hi Mark,

I can see your point of view regarding the use of the status codes for
application errors. Unfortunately the HTTP spec doesn't clearly
differentiate the use of status codes for protocol or application errors.
Which is probably why these status codes are now also commonly used for
application errors.

Tomcat (and other servlet containers) currently allow applications to set
any status code, but with the current behaviour of Tomcat this leads to
unexpected side effects for some status codes.

This behaviour makes it so that Tomcat might not be fit for our purpose
(Spring Boot service-to-service communication). I think the way to
resolve that is to alter the behaviour in Tomcat to differentiate between
protocol and application errors when using these status codes (and to make
this behaviour potentially configurable). I also think that this change
would benefit most users of Tomcat since the behaviour in this scenario is
unnecessary. Would the Tomcat developers be willing to do that?


Assuming it's easy for Tomcat to differentiate between errors generated 
by Tomcat (e.g. "real" 400 responses) and those generated by the 
application, I think this is a good idea. HTTP 400 indicates a protocol 
error, but if the application is generating it, then Tomcat need not 
close the connection.


Theoretically this could also be true for other status codes as well. I 
chose 400 because it means the connection MUST be closed for security if 
Tomcat is the one detecting that there is actually an HTTP protocol 
violation.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
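
Mark's point above (once a request's framing is unparseable there is no way to know where the next request starts) and Chris's distinction between a 400 that Tomcat detects and a 400 the application merely sets are easiest to see in code. The following is an added example written for this page, not Tomcat's HTTP parser: a minimal framer for pipelined HTTP/1.1 requests that stops and reports must_close on a framing error, plus a hypothetical lenient mode showing how two parsers that disagree about a malformed Content-Length also disagree about where the second request begins, which is the request smuggling hazard. Only Content-Length framing is implemented (chunked transfer encoding is left out), and the two sample streams are constructed, not captured traffic.

```python
"""Added example (not Tomcat code): request framing and why a server-detected
protocol error forces a connection close."""
import re

CRLF = b"\r\n"
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


class FramingError(Exception):
    """The boundary of the current request cannot be determined."""


def _content_length(value, lenient):
    """Strict: digits only. Lenient (hypothetical older parser): leading digits."""
    if lenient:
        digits = re.match(r"\d*", value).group()
        return int(digits or "0")
    if not value.isdigit():
        raise FramingError("invalid Content-Length: %r" % value)
    return int(value)


def read_request(stream, offset, lenient=False):
    """Parse one request at `offset`; return (request, offset_of_next_request).

    Raises FramingError when the request line, a header or the Content-Length
    cannot be parsed, or when the body is truncated.
    """
    head_end = stream.find(CRLF + CRLF, offset)
    if head_end < 0:
        raise FramingError("no end of headers")
    lines = stream[offset:head_end].split(CRLF)
    if not REQUEST_LINE.match(lines[0]):
        raise FramingError("malformed request line: %r" % lines[0])
    method, target, _version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise FramingError("malformed header: %r" % line)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    body_start = head_end + 4
    length = 0
    if "content-length" in headers:
        length = _content_length(headers["content-length"], lenient)
    if body_start + length > len(stream):
        raise FramingError("truncated body")
    request = {"method": method, "target": target, "headers": headers,
               "body": stream[body_start:body_start + length]}
    return request, body_start + length


def frame_requests(stream, lenient=False):
    """Split a pipelined byte stream into requests.

    Returns (requests, must_close). On a FramingError the parser stops: every
    byte after the bad request is of unknown provenance, so the only safe
    action is to close the connection rather than resync by guessing.
    """
    requests, offset = [], 0
    while offset < len(stream):
        try:
            request, offset = read_request(stream, offset, lenient)
        except FramingError:
            return requests, True
        requests.append(request)
    return requests, False


# Constructed sample streams (not captured traffic): two pipelined requests.
GOOD_STREAM = (b"POST /api HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello"
               b"GET /next HTTP/1.1\r\nHost: a\r\n\r\n")
# Same layout, but the first request's Content-Length is not a number.
BAD_STREAM = (b"POST /api HTTP/1.1\r\nHost: a\r\nContent-Length: 5x\r\n\r\nhello"
              b"GET /admin HTTP/1.1\r\nHost: a\r\n\r\n")


if __name__ == "__main__":
    for name, stream in (("good", GOOD_STREAM), ("bad", BAD_STREAM)):
        for lenient in (False, True):
            reqs, close = frame_requests(stream, lenient)
            print(name, "lenient" if lenient else "strict",
                  [r["target"] for r in reqs], "must_close=%s" % close)
```

On BAD_STREAM the strict parser returns no requests and must_close=True, while the lenient one happily reads "5x" as 5 and then sees a second request for /admin. A front-end proxy and a back-end that frame the stream differently are exactly the pair an attacker needs. An application that calls setStatus(400) on a request that parsed cleanly never reaches this error path: the framer already knows where the next request begins, which is why Chris argues Tomcat need not close the connection in that case.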



Re: Tomcat closes connections on unexpected status codes

2024-04-24 Thread Stefan Ansing
On Thu, 18 Apr 2024 at 17:42, Mark Thomas wrote:

> On 18/04/2024 15:18, Stefan Ansing wrote:
> > Hi Rémy, Mark,
> >
> >
> >
> > I just want to make sure that we’re understanding each other. I can see
> > that the connection needs to be closed in certain conditions to prevent
> > request smuggling attacks. I certainly don’t want to change that
> behaviour.
> >
> > However, I’m facing a scenario where an application is responding to a
> > valid request (from HTTP perspective), with a valid response using these
> > status codes (more specifically status codes 400 and 500).
>
> If the request is a valid HTTP request then a 400 status doesn't seem
> appropriate to me.
>
> If the server is correctly handling that request to generate the
> response, a 500 status doesn't seem right either.
>
> >
> > I don’t think that in this scenario a request smuggling attack could be
> > executed, or am I missing something?
>
> The main issue is if the original request is invalid HTTP there is no
> way to determine where the next HTTP request starts.
>
> If there is a proxy in the mix then the risks of something going wrong
> tend to go up.
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
Hi Mark,

I can see your point of view regarding the use of the status codes for
application errors. Unfortunately the HTTP spec doesn't clearly
differentiate the use of status codes for protocol or application errors.
Which is probably why these status codes are now also commonly used for
application errors.

Tomcat (and other servlet containers) currently allow applications to set
any status code, but with the current behaviour of Tomcat this leads to
unexpected side effects for some status codes.

This behaviour makes it so that Tomcat might not be fit for our purpose
(Spring Boot service-to-service communication). I think the way to
resolve that is to alter the behaviour in Tomcat to differentiate between
protocol and application errors when using these status codes (and to make
this behaviour potentially configurable). I also think that this change
would benefit most users of Tomcat since the behaviour in this scenario is
unnecessary. Would the Tomcat developers be willing to do that?

Stefan


Re: Regarding Tomcat url redirection

2024-04-24 Thread Christopher Schultz

Lavanya,

On 4/24/24 07:37, lavanya tech wrote:

Sorry, I understood wrongly here with regards to my environment. Let me
start from the beginning. I do not want to use redirect at all. I simply
wanted to force Apache Tomcat to use both localhost and the DNS name of the
localhost via URL.


When you say "force" what do you mean?

When you say "use both localhost and DNS name" what do you mean?

When you say "localhost" do you mean 127.0.0.1 or "the machine I'm 
logged-into right now"?



I have DNS resolution as below.

server.lbg.com --> localhost


Is that a CNAME record?


nslookup server.lbg.com (localhost)
Name:server.lbg.com
Address:  192.168.100.20
alias: example.lbg.com


That's a weird DNS response. The DNS name "localhost" should *always* 
return 127.0.0.1 for IPv4 and ::1 for IPv6. It shouldn't return 
192.168.100.20.



We have the below URLs working:
https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to


What do you mean "redirect"? Does it return a 30x response that causes 
the browser to make a new request to \/



https://server.lbg.com:8443/towl  --> still works --> we have SSL
configured for the same but this SSL certificate does not have additional
DNS setup.


What SANs are in your certificate? How many certificates do you have?


But I would need to somehow access https://example.lbg.com --> which means
I would need to access via 443 here?


I'm so confused. What needs to access what?


I tried adding the below to server.xml as below, but that does not seem
to work.

 


This will only redirect (HTTP 302) requests to http://yourhost/anything 
to https://yourhost/anything *if the application specifically requests 
CONFIDENTIAL transport*. It doesn't just redirect everything by default. 
If you want it to redirect everything, you'll need to set that up e.g. 
using RewriteValve. There are other options, too.



Do i need additional SSL certificate for the https://example.lbg.com  to
make it work ?


If you don't want your browser to complain, you will need at least one 
TLS certificate that contains every Subject Alternative Name (SAN) for 
every possible hostname you expect to use with this service. You can do 
it with multiple certificates as well, but a single cert with multiple 
SANs is less work.



Do i need to set up an additional web server for this like apache or nginx
for redirecting requests?


No.

Please stop saying "redirect" because it sounds like you almost never 
mean "HTTP 30x redirect" and that's confusing everything.


I *think* you only need the following:

1. A TLS certificate with the following SANs:

  * server.lbg.com
  * example.lbg.com
  * localhost (you shouldn't do this)

2. DNS configured for all hostnames:

  * server.lbg.com -> A 192.168.100.20
  * example.lbg.com -> A 192.168.100.20

3. Tomcat configured with a single  which is the default virtual 
host. Note that this is the *default Tomcat configuration* and doesn't 
need to be changed from the default.


4. Tomcat configured with your certificate like this:

   
 
   
   
 
   

If your SANs are configured properly, this should allow you to connect 
using any of these URLs:


$ curl https://server.lbg.com/towl/login.jsp

  (returns login page)

$ curl https://example.lbg.com/towl/login.jsp

  (returns login page)

If your application's web.xml contains something like this:

  

  theapp
  /*


  CONFIDENTIAL

  

... then these insecure HTTP URLs should redirect your clients:

$ curl http://server.lbg.com/towl/login.jsp

  (returns HTTP 302 redirect to https://server.lbg.com/towl/login.jsp)

$ curl https://server.lbg.com/towl/login.jsp

  (returns HTTP 302 redirect to https://example.lbg.com/towl/login.jsp)

I don't think you need any use of the RewriteValve unless you want to 
handle sending HTTP 302 redirect responses to insecure requests without 
specifying the CONFIDENTIAL transport-guarantee in your application's 
web.xml file. But I don't see any reason NOT to have that in there.


-chris


On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


Lavanya,

On 4/22/24 05:21, lavanya tech wrote:

Could you please explain, what you exactly mean ? So here redirect is

not a

solution right ?


Redirecting is fine.

Perhaps you should take a step back and decide: what do you actually
want, here? You might be trying to solve problem X by applying solution
Y, and you've already decided that solution Y is correct so you are
trying to get help with that.

Perhaps ask for help with Problem X?

For example, "I don't want users to have to type the name of my
application to reach it so I want example.com/ to go to my application
instead of example.com/myapp/".

Or, "I have multiple domains and I want all of them to redirect to the
canonical domain example.com and to go to me web application /myapp so
everything goes to example.com/myapp/".


"You'd have to use a glob/regex if
you 
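
Chris's list above (one certificate carrying a SAN for every hostname in use) and Lavanya's earlier question about whether a CNAME record makes a difference come down to one check a TLS client performs. The following is an added example for this page, not Tomcat or browser code: the dNSName matching rule from RFC 6125 section 6.4 in the conservative form browsers and the CA/Browser Forum apply, a helper that reports which of the names you intend to use a given SAN list would not cover, and a reader for the dict that Python's ssl.SSLSocket.getpeercert() returns. The hostnames are the ones from the thread; the peer-certificate dict is a constructed stand-in, not a real certificate. The client compares the name it was asked to connect to, so the CNAME target is irrelevant: a certificate issued only for server.lbg.com will never satisfy https://example.lbg.com/ however example.lbg.com resolves. Browsers also stopped falling back to the Common Name years ago (Chrome removed it in version 58), so a name that is only in the CN does not count.

```python
"""Added example (not from the thread): the hostname check a TLS client
applies to a certificate's dNSName Subject Alternative Names."""
import socket
import ssl


def hostname_matches_san(hostname, san_dns_names):
    """Return True if `hostname` is covered by one of the dNSName SANs.

    Conservative RFC 6125 section 6.4 matching: case-insensitive, exact
    match, or a wildcard that is the whole leftmost label and matches
    exactly one label. "*.com"-style names are rejected as a simplification
    of the public-suffix rule. No DNS lookups, no CNAME chasing: the name
    compared is the one the client was asked to connect to.
    """
    host = hostname.lower().rstrip(".")
    if not host or "*" in host:
        return False
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if "*" not in san:
            if san == host:
                return True
            continue
        first, _, rest = san.partition(".")
        # Reject partial ("ex*.lbg.com"), multiple, or too-broad ("*.com") wildcards.
        if first != "*" or "*" in rest or rest.count(".") < 1:
            continue
        h_first, _, h_rest = host.partition(".")
        if h_first and h_rest == rest:
            return True
    return False


def uncovered_hostnames(expected_hosts, san_dns_names):
    """Names from `expected_hosts` that a certificate with these SANs would NOT satisfy.

    Run this against the SAN list you plan to put in the CSR before
    requesting the certificate.
    """
    return [h for h in expected_hosts if not hostname_matches_san(h, san_dns_names)]


def dns_names_from_peercert(cert):
    """Extract dNSName SANs from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed stand-in for getpeercert() output (assumed values, no network call).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "server.lbg.com"),),),
    "subjectAltName": (("DNS", "server.lbg.com"), ("DNS", "example.lbg.com")),
}


def fetch_san_names(host, port=443):
    """Live variant: read the SANs a server actually presents.

    The default context verifies the chain and the hostname, so a mismatch
    raises ssl.SSLCertVerificationError, the same failure a browser reports.
    """
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as sock:
        return dns_names_from_peercert(sock.getpeercert())


if __name__ == "__main__":
    wanted = ["server.lbg.com", "example.lbg.com"]
    print("SAN has only server.lbg.com, missing:",
          uncovered_hostnames(wanted, ["server.lbg.com"]))
    print("SAN has both names, missing:",
          uncovered_hostnames(wanted, dns_names_from_peercert(SAMPLE_PEERCERT)))
```

A wildcard such as *.lbg.com covers both server.lbg.com and example.lbg.com but not lbg.com itself or anything with an extra label, which is why listing each name explicitly, as Chris suggests, is the less surprising choice.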

Re: allow symlink tomcat 9

2024-04-24 Thread Giacomo Morri

Thanks. it works fine.

G



On 24/04/24 12:27, Holger Klawitter wrote:

A plain

   

should suffice.

Giacomo Morri wrote (at 2024-04-24 12:03 +0200):

Hi Holger, thanks for your reply.

consider that the symlink is /MTF/Content -> /realt/path/, how can I set the
Resource element for that path?

Regards,

Giacomo



On 24/04/24 11:55, Holger Klawitter wrote:

Hi,

allowLinking goes into a Resource Element inside Context,
not into Context itself. This changed in Tomcat 8.0 IIRC.

Giacomo Morri wrote (at 2024-04-24 11:42 +0200):

Hi, I have a servlet for uploading files inside a path that contains a
symbolic link. The upload works fine with Tomcat 7, but after upgrading it to
Tomcat 9 the servlet gives me a java.lang.NullPointerException at
java.io.File..

I tried setting the allowLinking param to true for the context in this way:



But it doesn't work.

Can you please help me?

Regards,

Giacomo


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
Mit freundlichem Gruß / With kind regards
Holger Klawitter
--
listen  klawitter  de

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


--

*Cone *
*Essentially digital*
Via Sandro Totti 7A - 60131 Ancona
Tel 071 42 974
Cell 3273458156
eMail giacomo.mo...@cone.it
Web www.cone.it


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
Mit freundlichem Gruß / With kind regards
   Holger Klawitter
--
listen  klawitter  de

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


--

*Cone *
*Essentially digital*
Via Sandro Totti 7A - 60131 Ancona
Tel 071 42 974
Cell 3273458156
eMail giacomo.mo...@cone.it 
Web www.cone.it 
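
Holger's fix, allowLinking="true" on the Resources element inside the Context, does what the thread needed, but the Tomcat documentation is explicit about what it permits: symlinks inside the web application may point to resources outside its base path, and the flag must not be enabled on Windows or any other case-insensitive filesystem because it disables the case-sensitivity checks and allows JSP source disclosure. Before switching it on, it is worth knowing which links under the docBase actually leave it. The following is an added example for this page, not Tomcat code: it walks a directory, lists every symlink and flags those whose real target lies outside the base. The demo tree is constructed in a temporary directory with names modelled on the thread (webapps/towl, MTF-Content, realt/path); those names are assumptions, not Giacomo's real layout.

```python
"""Added example (not from the thread): list the symlinks under a Tomcat
docBase and flag those that resolve outside it, before enabling
<Resources allowLinking="true"/>."""
import os
import tempfile


def find_symlinks(base):
    """Yield (link_path, resolved_target, escapes_base) for each symlink under base.

    os.walk runs with followlinks=False, so linked directories are listed but
    not descended into: the audit is of the links themselves, not of the
    trees behind them.
    """
    base_real = os.path.realpath(base)
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            escapes = os.path.commonpath([base_real, target]) != base_real
            yield path, target, escapes


def escaping_symlinks(base):
    """Paths of symlinks under base whose real target lies outside base."""
    return sorted(path for path, _target, escapes in find_symlinks(base) if escapes)


def escaping_symlink_names(base):
    """Basenames only, convenient for reports and assertions."""
    return [os.path.basename(path) for path in escaping_symlinks(base)]


def build_demo_docbase():
    """Constructed layout in a temp dir (assumed names modelled on the thread):

      webapps/towl/Content            real directory inside the docBase
      webapps/towl/content-alias  ->  webapps/towl/Content   (stays inside)
      webapps/towl/MTF-Content    ->  realt/path             (escapes)
    """
    root = tempfile.mkdtemp(prefix="allowlinking-demo-")
    docbase = os.path.join(root, "webapps", "towl")
    os.makedirs(os.path.join(docbase, "Content"))
    outside = os.path.join(root, "realt", "path")
    os.makedirs(outside)
    os.symlink(os.path.join(docbase, "Content"), os.path.join(docbase, "content-alias"))
    os.symlink(outside, os.path.join(docbase, "MTF-Content"))
    return docbase


if __name__ == "__main__":
    docbase = build_demo_docbase()
    for path, target, escapes in find_symlinks(docbase):
        print("ESCAPES" if escapes else "inside ", path, "->", target)
```

Run it against the real docBase instead of the demo tree (find_symlinks("/path/to/webapps/towl")) to see what allowLinking would expose. Any link flagged ESCAPES is content the servlet can read and write through the web application, and anyone who can create links there, such as the upload servlet in this thread, can choose where they point.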


Re: Regarding Tomcat url redirection

2024-04-24 Thread lavanya tech
Hi  Chris,

Sorry, I understood wrongly here with regards to my environment. Let me
start from the beginning. I do not want to use redirect at all. I simply
wanted to force Apache Tomcat to use both localhost and the DNS name of the
localhost via URL.
I have DNS resolution as below.

server.lbg.com --> localhost

nslookup server.lbg.com (localhost)
Name:server.lbg.com
Address:  192.168.100.20
alias: example.lbg.com

We have the below URLs working:
https://server.lbg.com:8443/towl
https://example.lbg.com:8443/towl --> redirects to
https://server.lbg.com:8443/towl  --> still works --> we have SSL
configured for the same but this SSL certificate does not have additional
DNS setup.
But I would need to somehow access https://example.lbg.com --> which means
I would need to access via 443 here?

I tried adding the below to server.xml as below, but that does not seem
to work.


-->

Do i need additional SSL certificate for the https://example.lbg.com  to
make it work ?

Do i need to set up an additional web server for this like apache or nginx
for redirecting requests?

I look forward to your feedback.

Thanks and Best Regards,
Lavanya






On Tue, Apr 23, 2024 at 10:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 4/22/24 05:21, lavanya tech wrote:
> > Could you please explain, what you exactly mean ? So here redirect is
> not a
> > solution right ?
>
> Redirecting is fine.
>
> Perhaps you should take a step back and decide: what do you actually
> want, here? You might be trying to solve problem X by applying solution
> Y, and you've already decided that solution Y is correct so you are
> trying to get help with that.
>
> Perhaps ask for help with Problem X?
>
> For example, "I don't want users to have to type the name of my
> application to reach it so I want example.com/ to go to my application
> instead of example.com/myapp/".
>
> Or, "I have multiple domains and I want all of them to redirect to the
> canonical domain example.com and to go to me web application /myapp so
> everything goes to example.com/myapp/".
>
> > "You'd have to use a glob/regex if
> > you wanted to check for [anything and maybe nothing.]example.com."
>
> There is nothing in your configuration or question that suggests that
> the hostname in the request is relevant, but you are making it a
> *requirement* that the request contains a specific Host header. If you
> don't actually need that, why do you have it?
>
> -chris
>
> > On Fri, Apr 19, 2024 at 3:03 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Ammu,
> >>
> >> On 4/19/24 08:32, lavanya tech wrote:
> >>> Thank you very much. I removed  for example.com as well as
> adding
> >> an
> >>>  in server.xml
> >>> I copied context.xml file
> >>> /git/app/apache-tomcat-10.1.11/webapps/towl/META-INF/context.xml
> >>> Removed < in rewrite.config files.
> >>>
> >>> But still I dont redirect the URL.
> >>
> >> If you have  in server.xml and also your application in the
> >> webapps/ directory, then you will be double-deploying your application.
> >>
> >> Re-name /git/app/apache-tomcat-10.1.11/webapps/towl/ to be
> >> /git/app/apache-tomcat-10.1.11/webapps/ROOT (the capitals are important)
> >> and remove the  element from your server.xml.
> >>
> >> Then start your server and read the logs.
> >>
> >>> *nslookup alias.example.com 
> >>> gives-->Non-authoritative answer:Name: www.example.com
> >>> Address:  192.168.200.10Aliases:
> >> alias.example.com
> >>> *
> >>>
> >>>
> >>> Just to give some information here, *www.example.com
> >>> * has alias* "alias.example.com
> >>> "*
> >>> But https://www.example.com:/example --> works fine with out
> issues
> >> but
> >>> the alias doesnot works (https://alias.example.com)
> >>> So i am not sure if the redirect url helps or if its correct
> >>
> >> Your rewrite configuration says that you have to be using host
> >> "example.com" but your request goes to www.example.com. Your
> >> configuration should only redirect a request such as:
> >>
> >> $ curl -v http://example.com:/something
> >>
> >> HTTP/1.1 301 Moved Permanently
> >> ...
> >> Location: https://www.example.com:/example
> >>
> >> If you make a request like:
> >>
> >> $ curl -v http://www.example.com:/something
> >>
> >> I wouldn't expect a redirect because of your "host" condition. The
> >> "%{HTTP_HOST} example.com" looks at the entire Host header and not just
> >> anything that ends in "example.com". You'd have to use a glob/regex if
> >> you wanted to check for [anything and maybe nothing.]example.com.
> >>
> >> You'd also have to make sure that your application is serving responses
> >> to requests to / which is why I'm recommending you use the ROOT web
> >> application name instead of "towl".
> >>
> >> -chris
> >>
> >>> On Fri, Apr 19, 2024 at 1:21 PM Christopher 

Re: allow symlink tomcat 9

2024-04-24 Thread Holger Klawitter
A plain

  

should suffice.

Giacomo Morri wrote (at 2024-04-24 12:03 +0200):
> Hi Holger, thanks for your reply.
>
> consider that the symlink is /MTF/Content -> /realt/path/, how can I set the
> Resource element for that path?
>
> Regards,
>
> Giacomo
>
>
>
> On 24/04/24 11:55, Holger Klawitter wrote:
> > Hi,
> >
> > allowLinking goes into a Resource Element inside Context,
> > not into Context itself. This changed in Tomcat 8.0 IIRC.
> >
> > Giacomo Morri wrote (at 2024-04-24 11:42 +0200):
> > > Hi, I have a servlet for uploading files inside a path that contains a
> > > symbolic link. The upload works fine with Tomcat 7, but after upgrading it
> > > to
> > > Tomcat 9 the servlet gives me a java.lang.NullPointerException at
> > > java.io.File..
> > >
> > > I tried setting the allowLinking param to true for the context in this 
> > > way:
> > >
> > >  > > />
> > >
> > > But it doesn't work.
> > >
> > > Can you please help me?
> > >
> > > Regards,
> > >
> > > Giacomo
> > >
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> > --
> > Mit freundlichem Gruß / With kind regards
> >Holger Klawitter
> > --
> > listen  klawitter  de
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> --
>
> *Cone *
> *Essentially digital*
> Via Sandro Totti 7A - 60131 Ancona
> Tel 071 42 974
> Cell 3273458156
> eMail giacomo.mo...@cone.it 
> Web www.cone.it 
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

--
Mit freundlichem Gruß / With kind regards
  Holger Klawitter
--
listen  klawitter  de

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: allow symlink tomcat 9

2024-04-24 Thread Giacomo Morri

Hi Holger, thanks for your reply.

consider that the symlink is /MTF/Content -> /realt/path/, how can I set 
the Resource element for that path?


Regards,

Giacomo



On 24/04/24 11:55, Holger Klawitter wrote:

Hi,

allowLinking goes into a Resource Element inside Context,
not into Context itself. This changed in Tomcat 8.0 IIRC.

Giacomo Morri wrote (at 2024-04-24 11:42 +0200):

Hi, I have a servlet for uploading files inside a path that contains a
symbolic link. The upload works fine with Tomcat 7, but after upgrading it to
Tomcat 9 the servlet gives me a java.lang.NullPointerException at
java.io.File..

I tried setting the allowLinking param to true for the context in this way:



But it doesn't work.

Can you please help me?

Regards,

Giacomo


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



--
Mit freundlichem Gruß / With kind regards
   Holger Klawitter
--
listen  klawitter  de

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


--

*Cone *
*Essentially digital*
Via Sandro Totti 7A - 60131 Ancona
Tel 071 42 974
Cell 3273458156
eMail giacomo.mo...@cone.it 
Web www.cone.it 


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


