Re: Microsoft Edge (Chromium based) not prompting for logons

[Dave Ford]

On Mon, 2020-09-14 at 09:12 -0400, Christopher Schultz wrote:
> Are you using HTTP or HTTPS?

HTTPS.


> TLDR: visit edge://policy in Edge and look for AuthSchemes. If the
> value doesn't include "basic", add it and re-try.

Yeah, that was it - I wasn't able to change our edge settings - that's
locked down by others.  Finding out where to change the authentication
methods at the tomcat end was a bit harder than I hoped - I'd assumed
it was in the tomcat server area, rather than th eapplication itself,
which explains why I wasn't able to find much in the documentation - I
was looking at the wrong place.

Thanks very much - got a route forward throug this now 
Thanks
Dave

Microsoft Edge (Chromium based) not prompting for logons

[Dave Ford]

We've set up out Tomcat Manager to use LDAP for authentication - (note,
this is not MS AD, but linux-based LDAP server). The OS our tomcat
servers are running on is Linux and they're not intergrated with our AD
domain in any way at all.

Our users have been happily logging into the Tomcat manager app using
various web browsers for some time - they get prompted for a username
and password, they provide their credentials (which is the same user
name and password as they're currently logged onto windows with, but
with no domain\ or @domain info in the username), they're checked
against LDAP servers, and are let into the app assuming they're
allowed.

However, we've recently received reports that some of our users who
have had their Windows machines copies of Edge upgraded to the latest
version are no longer being prompted for credentials.  Instead, they're
directly immediately to a 401 unauthorised message. Other browsers,
including Chrome, still prompt.

We've changed nothing at the tomcat end, so this is clearly a problem
with the behaviour of Edge - but I'm keep to try and understand it. 

I can't find any useful information in the tomcat logs - is it possible
to turn up the logging for the manager app to see exactly what
credentials (well, username) is being passed by Edge to it?

Thanks
Dave

Re: Fix for the Ghostcat vulnerability

[Dave Ford]

On Wed, 2020-03-04 at 13:19 -0500, Christopher Schultz wrote:
> 
> > We're in the same position as you.  External web servers talking
> > to Tomcat servers on other boxes via AJP.
> 
> Are those connections properly secured?

That's not a tremendously helpful question.  Which connections are you
talking about?  How do you propose 'securing' an AJP connection?

> If your connections are properly-secured, simply set
> secretRequired="false" and move on. If they aren't properly-secured,
> then you need to fix that (and you had to fix that before this recent
> announcement).

Can you point the ill-informed amongst us to any helpful resources you
may have that describe what you mean by 'properly secured'?

Regards
Dave

Re: issue faced in tomcat 8.5.51

[Dave Ford]

On Fri, 2020-02-28 at 13:39 +, Rathore, Rajendra wrote:
> Caused by: java.lang.IllegalArgumentException: The AJP Connector is
> configured with secretRequired="true" but the secret attribute is
> either null or "". This combination is not valid.

Are you talking to this via an apache webserver using mod_proxy_ajp?
Only, the current stable release of apache (2.4.41) doesn't support
'secret' AFAIK. 

See 

https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

and

https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=53098

Note the above 'bug' in Apache is only 12 years old :-(

Dave

Re: Fix for the Ghostcat vulnerability

[Dave Ford]

On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote:
> 
> If it is, what is the recommended mitigation? We consider using the
> "secret" feature (the filtering by request attributes is infeasible
> for us), but that would be a bit of effort and we are in a hurry.
> 

We're in the same position as you.  External web servers talking to
Tomcat servers on other boxes via AJP.

We've looked at a few options, none of which seemed great:

* The current stable version of Apache doesn't support the 'secret'
attribute for AJP connectors in mod_proxy.

* Valves can be used to secure Tomcat from listening to certain IPs
Hostnames or subnets/vlans.  But 

* The RemoteCIDRValve affects every protocol/port. 
* The RemoteHostValve and RemoteAddrValve only allow a single allow or
deny rule, which needs a regexp to match every required combinations of
port and address/names for the whole of the desired context.  

In ours case, we'd want to permit a different set of hosts on AJP to
those who can read the manager app, for instance.  As this is being
managed by puppet at our end, we decided the required regexp would be
too complex and breakable and are probably going to isolate the AJP
traffic using a firewall rule via iptables instead of relying on any
intrinsic Tomcat feature.

Dave

Minor version upgrades

[Dave Ford]

Hello,

We've running many instances of Tomcat 8.5 on some dozens of linux
servers.  All of this is being managed by Puppet using the puppetforge
tomcat module.

The Puppet module that deploys tomcat simple checks to see if the
NOTICE file is the correct place to determine whether or not it should
unpack a provided tarball into Catalina_home. 

My question is this - as we've gone and placed our catalina_base folder
within a subfolder of catalina_home, we're not going to want to simply
delete the C_H folder to reinstall a newer version.

Is it safe/sane to unpack a new minor release (say 8.5.40) over the
existing installation of (8.4.32) over an existing Catalina_Home?

Or should I simply bite the bullet, rework my puppet code to deploy the
instances outside of Catalina_Home and wipe C_H before redeploying it
with a  newer version?

Regards,
Dave
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Minor version upgrading

[Dave Ford]

Hello,

We've running many instances of Tomcat 8.5 on some dozens of linux
servers.  All of this is being managed by Puppet using the puppetforge
tomcat module.

The Puppet module that deploys tomcat simple checks to see if the
NOTICE file is the correct place to determine whether or not it should
unpack a provided tarball into Catalina_home. 

My question is this - as we've gone and placed our catalina_base folder
within a subfolder of catalina_home, we're not going to want to simply
delete the C_H folder to reinstall a newer version.

Is it safe/sane to unpack a new minor release (say 8.5.40) over the
existing installation of (8.4.32) over an existing Catalina_Home?

Or should I simply bite the bullet, rework my puppet code to deploy the
instances outside of Catalina_Home and wipe C_H before redeploying it
with a  newer version?

Regards,
Dave

Re: Beginner help setting up test vertical cluster

[Dave Ford]

On Mon, 2017-10-30 at 09:15 -0400, Christopher Schultz wrote:
> Dave,
> 
> Can you please post your  and associated elements from
> conf/server.xml -- minus any secrets that may have crept in there?
> Also, what does your network look like? Any intermediates such as
> load
> balancers/firewalls? What about software firewalls?

Hi Chris - thanks for responding. 

This is all running withing a single machine with no firewall, so
nothing should be getting in the way network wise. 

Here's the my server.xml from one of the instances, with the comments
removed and IPs and Hostnames removed also. The IPs/Hostnames are the
same on the other server.xml, with just the Member and StaticMember
UniqueIDs and port number entries appropriately reversed. 

Dave

--


  
  
  
  
  
  

  
  



  

  
  

  
  


  





  
  



  
  
  
  
  


  

  

Beginner help setting up test vertical cluster

[Dave Ford]

Hello, 

I should apologise in advance as I'm very new to Tomcat and, I'm sure,
will be making some daft mistakes and silly errors. I hope this
question and any that follow it aren't too dumb.

I've recently started a new job and have inherited a half-finished
tomcat cluster on solaris.

While I'm not going to immediately try and finish that cluster, I would
like to try setting up some test instances to ensure I know what to
expect - but I'm having trouble doing even this. 

I've gotten my head round how to set up individual instances of Tomcat
8.5.23 running from different sub folders of a common CATALINA_HOME
folder, and now I'm trying to get the two instances to talk to each
other using StaticMember on specific ports rather than the automatic
multicasting.

But instances start up, and the logs at least suggest they're aware of
each other. But one server takes forever to start, and I'm not
convinced they're talking to each other properly.  For example, in the
catalina.out logs I'm seeing messages such as:


30-Oct-2017 09:28:29.632 INFO [MyHost-startStop-1]
org.apache.catalina.ha.session.DeltaManager.getAllClusterSessions
Manager [/sample], requesting session state from
[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.addr:40
01,my.ip.addr,4001, alive=0, securePort=-1, UDP Port=-1, id={1 2 3 4 5
6 7 8 9 10 11 12 13 14 15 0 }, payload={}, command={}, domain={99 108
117 115 116 101 114 116 101 ...(11)}, ]]. This operation will timeout
if no session state has been received within [60] seconds.
30-Oct-2017 09:28:34.111 WARNING [Tribes-Task-Receiver[MyHost-Channel]-
2]
org.apache.catalina.tribes.group.interceptors.DomainFilterInterceptor.m
essageReceived Received message from
cluster[org.apache.catalina.tribes.membership.MemberImpl[tcp://{my, ip,
nn, nn}:4001,{my, ip, nn, nn},4001, alive=1509355714104, securePort=-
1, 
UDP Port=-1, id={1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 }, payload={},
command={}, domain={99 108 117 115 116 101 114 116 101 ...(11)}, ]] was
refused.

Which does not seem encouraging.  Yet on the other instance, I'm
seeing:

30-Oct-2017 09:28:34.105 INFO [GroupChannel-Heartbeat[MyHost-Channel]-
1] org.apache.catalina.ha.tcp.SimpleTcpCluster.memberAdded Replication
member
added:[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.a
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={}, domain={99
108 117 115 116 101 114 116 101 ...(11)}, ]]
30-Oct-2017 09:28:34.105 INFO [GroupChannel-Heartbeat[MyHost-Channel]-
1]
org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.perfor
mBasicCheck Suspect member, confirmed
alive.[org.apache.catalina.tribes.membership.StaticMember[tcp://my.ip.a
ddr:4000,my.ip.addr,4000, alive=0, securePort=-1, UDP Port=-1, id={0 1
2 3 4 5 6 7 8 9 10 11 12 13 14 15 }, payload={}, command={}, domain={99
108 117 115 116 101 114 116 101 ...(11)}, ]]

Which seems better... But then I see back on instance one, 

30-Oct-2017 09:32:30.178 INFO [main]
org.apache.catalina.startup.Catalina.start Server startup in 241109 ms

Which seems really bad. 

I've installed the 'examples' app on both instances, have added
'' to both's web.xml file. 

I can see on one instance a message such as 

30-Oct-2017 09:35:22.600 INFO [http-nio-8081-exec-7]
org.apache.catalina.core.ApplicationContext.log SessionListener:
sessionCreated('C2C3720879E72D558EEF4B0655188EBD.beta')
30-Oct-2017 09:35:26.912 INFO [http-nio-8081-exec-8]
org.apache.catalina.core.ApplicationContext.log SessionListener:
attributeAdded('C2C3720879E72D558EEF4B0655188EBD.beta', 'foo', 'bar')

When I play with the sessions example code. But nothing on the other
instance that would suggest this is being replicated. 

Before I make this post too long and post my server.xml code, could
someone advise me as to what I should be looking for, or what these
messages suggest?  Any pointers at this stage would be grateful as I'm
unsure even what a working cluster should look like.

Thanks 
Dave
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org