Re: [OT] Compatibility, 32 bit ..

2022-11-02 Thread Felix Schumacher


On 02.11.22 at 17:41, John Dale (DB2DOM) wrote:

Chris enters the room, gazes upon seven orcs, draws his sword, and
opens the can of worms.

Ooooh .. Philosophy.

I love philosophy.

:)

Good philosophy starts with good questions.

I love some of the newer hardware, too, but even Raspberry Pi is not
yet 64 bit, is it?

Raspberry Pi is 64 Bit, (maybe not all of them), I am running a 64 Bit
OS on a Raspberry Pi 4.

The dell computer that I'm working with at the moment is my case study
- it's not slow at all.


If it's fast enough and reliable enough for you, I think you can still 
go (for a long time) with a JDK 8 and Tomcat 9.x. If I remember right,
we settled to support Tomcat 9.x for quite a while and Tomcat has no 
requirements of its own to use 64 Bit.


Felix



Am I alone in thinking that our technology is trying to leave humanity
behind before it is truly not useful anymore?

Unlike HAM radio operators, are you one of those crazy people who
think we're somehow safe from disaster on planet Earth?

I think this universe has much more in store for us.  I also like to
wring out every last bit of use from stuff.  I also grind old
screwdrivers that are "worn-out".

I'll feel more comfortable when our high school grads understand EcE
and computer manufacturing upon graduation.

If we need faster computers to replace humans, what's the point?

Video games?  Meta?  AI?

What about baseball, Frisbee, stage productions, and Human Intelligence?

Can an old 32 bit machine do modern encryption for telecommunications?

Why are we still paying so much for phone service?

Why aren't our high school grads capable of re-soldering components
from these old boards and assembling them into something better and
rewriting the software?

So, I think it's a worthwhile discussion that I know many thought was
settled as they gaze across fully stocked Wal Mart computer
departments and newegg query results.

If for no other reason, shouldn't we pry the specs out of the hands of
Dell and others to understand and reconfigure and reprogram their
machines?  Or, are they afraid of what we'll discover?

My working hypothesis is that if we remove what was put in there to do
things we don't know about, these machines will speed-up considerably.

:)

https://en.wikipedia.org/wiki/Clipper_chip




On 11/2/22, Christopher Schultz  wrote:

John,

On 10/27/22 11:03, John Dale (DB2DOM) wrote:

Does anyone know of a report detailing how much of this older hardware
is still out there and floating around?

You mean like a list of all pieces of hardware ever sold and never
scrapped?

I think that would be practically impossible.

I have a Palm 7 on a box in my office that has never been inventoried by
anybody and could possibly be plugged back in at any moment. There are
probably warehouses of stuff like that worldwide and you never know when
someone is going to plug-in any one of those devices and start playing
with it again.


Big picture:
It's a lot of computer power in the event manufacturing hits a hiccup,
I wouldn't want to be caught flat-footed until it could be
re-established.

Are you suggesting that Linux should not drop support for i486
architecture because if new machines aren't available due to
supply-chain issues, we might all have to re-rack 486s to keep our
services running? That sounds insane. We would simply do without. I'd
sooner put my old mobile phones into service supporting my applications
than an old i486. They are more powerful and reliable, and use less
electricity.

There's a reason Linus wants to kill i486 support:

"At some point, people have them as museum pieces. They might as well
run museum kernels." - Linus Torvalds


I like to build distilled portable stuff for that reason.  I think
DB2DOM could run on some really old versions of all of our favorite
software if needed.

Great. I'm sure the transactions will only take a couple of seconds to
commit. No problem ;)

-chris


On 10/26/22, Christopher Schultz  wrote:

Shawn,

On 10/26/22 00:14, Shawn Heisey wrote:

The Linux kernel dropped support for 386 and 486 CPUs some time ago.

I was reading about this today, actually. Linux is currently actively
advocating for dropping 486 support, so it must still be in there.

-chris

-
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org




Re: [ANN] New committer: Han Li

2022-09-06 Thread Felix Schumacher



On 6 September 2022 09:38:09 CEST, Mark Thomas wrote:
>On behalf of the Tomcat committers I am delighted to announce that
>Han Li (lihan) has been voted in as a new Tomcat committer.
>
>Please join me in congratulating Han.

Congrats and welcome! 

Felix

>
>Kind regards,
>
>Mark
>



Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-24 Thread Felix Schumacher


On 24.03.22 at 19:23, rupali singh wrote:

hi,

yes context name is apex.

Good to know.


  https://xyz.ae/apex/f?p=1001 <https://xyz.com/apex/f?p=1001> to
https://xyz.ae/apex/myapp <https://xyz.com/aorx/myapp>

we don't want to change xyz.ae that will name remain as it is , we want to
change f?p=1001 <https://xyz.com/apex/f?p=1001> to myapp


Sorry, I don't understand, what you meant by the above.

I suspect, that you wanted to show, what the user enters into the 
browser and where the application listens. But it doesn't really make
sense to me.


Reading your first mail again, I think, that you have a loadbalancer 
that listens on xyz.ae and that proxies to xyz.com (you mentioned port 
8080, which is left out in all your examples). Is that right?


Apart from that, I wanted to know, what you tried on a technical level. 
Have you tried the curl command that I gave as an example?


Felix




On Wed, 23 Mar 2022 at 19:23, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:



On 23 March 2022 12:14:25 CET, rupali singh <
rupali.r.si...@gmail.com> wrote:

Hi Chris,

I already tried with fully qualified name but it's not working

Can you be more specific, what you tried?

Is Chris right and your context name is apex?

Felix

On Tue, Mar 22, 2022, 7:15 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:


All,

On 3/21/22 10:19, Felix Schumacher wrote:

On 21.03.22 at 06:39, rupali singh wrote:

Hi Felix,

location of context.xml file is

   cat context.xml| grep RewriteValve
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

   pwd
/opt/tomcat/apache-tomcat-9.0.54/instance/conf

That context.xml is thought to be a default template for all installed
webapps. It will work, but remember, that every installed webapp will
get its own copy of a rewrite valve.

+1

This is probably the problem.


more


/opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config

RewriteCond %{QUERY_STRING} p=10001
RewriteRule ^/apex/f$ /apex/myapp [R,L]


I think you want:

RewriteCond %{QUERY_STRING} p=10001
RewriteRule ^/f$ /myapp [R,L]

The prefix /apex is already a part of the context-path and should be
removed from the URL patterns being matched. If you want to redirect to
another web application, you need a fully-qualified redirect like this:

RewriteCond %{QUERY_STRING} p=10001
RewriteRule ^/f$ https://www.google.com/ [R,L]

-chris
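
An added example, not code from the thread or from Tomcat: a simplified Python model of the matching behaviour discussed above, where the rule pattern is tested against the path inside the context and the query string is tested only by the `RewriteCond`. The function `evaluate`, the sample requests and the anchored pattern `(^|&)p=1001(&|$)` are assumptions for illustration; the model also shows that the unanchored condition `p=1001` fires for other query strings that merely contain that text.

```python
import re
from urllib.parse import urlsplit

# Constructed patterns: the condition as written in the thread, and an
# anchored variant (assumption) that only accepts a parameter named exactly p.
UNANCHORED = r"p=1001"
ANCHORED = r"(^|&)p=1001(&|$)"

SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def evaluate(request_target, context_path, cond_pattern, rule_pattern, substitution):
    """Model one 'RewriteCond %{QUERY_STRING} ...' + 'RewriteRule ... [R,L]' pair.

    Returns the redirect Location, or None when the pair does not fire.
    Assumptions of this model: the valve is configured per context, so the
    rule pattern sees the path with the context path removed; a relative
    substitution is redirected inside the same context; the original query
    string is kept when the substitution has none of its own.
    """
    parts = urlsplit(request_target)
    if not parts.path.startswith(context_path + "/"):
        return None  # request belongs to another webapp
    relative_path = parts.path[len(context_path):]

    # The condition is a regular expression searched in the query string only.
    if re.search(cond_pattern, parts.query) is None:
        return None
    # The rule never sees the query string, only the context-relative path.
    if re.search(rule_pattern, relative_path) is None:
        return None

    if SCHEME.match(substitution):
        location = substitution  # fully-qualified redirect target
    else:
        location = context_path + substitution
    if parts.query and "?" not in substitution:
        location += "?" + parts.query
    return location


# Constructed sample requests against a webapp deployed at /apex.
SAMPLE_TARGETS = [
    "/apex/f?p=1001",
    "/apex/f?x=1&p=1001",
    "/apex/f?p=10010",
    "/apex/f?app=1001",
    "/apex/f",
]


def run_samples():
    """Return (target, result with unanchored cond, result with anchored cond)."""
    rows = []
    for target in SAMPLE_TARGETS:
        loose = evaluate(target, "/apex", UNANCHORED, r"^/f$", "/myapp")
        strict = evaluate(target, "/apex", ANCHORED, r"^/f$", "/myapp")
        rows.append((target, loose, strict))
    return rows


if __name__ == "__main__":
    # Pattern that repeats the context path: never matches the relative path.
    print(evaluate("/apex/f?p=1001", "/apex", UNANCHORED, r"^/apex/f$", "/apex/myapp"))
    for row in run_samples():
        print(row)
```
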



Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-23 Thread Felix Schumacher



On 23 March 2022 12:14:25 CET, rupali singh wrote:
>Hi Chris,
>
>I already tried with fully qualified name but it's not working

Can you be more specific, what you tried?

Is Chris right and your context name is apex? 

Felix
>
>On Tue, Mar 22, 2022, 7:15 PM Christopher Schultz <
>ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> On 3/21/22 10:19, Felix Schumacher wrote:
>> >
>> > On 21.03.22 at 06:39, rupali singh wrote:
>> >> Hi Felix,
>> >>
>> >> location of context.xml file is
>> >>
>> >>   cat context.xml| grep RewriteValve
>> >> <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
>> >>   pwd
>> >> /opt/tomcat/apache-tomcat-9.0.54/instance/conf
>> > That context.xml is thought to be a default template for all installed
>> > webapps. It will work, but remember, that every installed webapp will
>> > get its own copy of a rewrite valve.
>>
>> +1
>>
>> This is probably the problem.
>>
>> >> more
>> >>
>> /opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config
>> >> RewriteCond %{QUERY_STRING} p=10001
>> >> RewriteRule ^/apex/f$ /apex/myapp [R,L]
>>
>>
>> I think you want:
>>
>> RewriteCond %{QUERY_STRING} p=10001
>> RewriteRule ^/f$ /myapp [R,L]
>>
>> The prefix /apex is already a part of the context-path and should be
>> removed from the URL patterns being matched. If you want to redirect to
>> another web application, you need a fully-qualified redirect like this:
>>
>> RewriteCond %{QUERY_STRING} p=10001
>> RewriteRule ^/f$ https://www.google.com/ [R,L]
>>
>> -chris
>>



Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-21 Thread Felix Schumacher


On 21.03.22 at 06:39, rupali singh wrote:

Hi Felix,

location of context.xml file is

  cat context.xml| grep RewriteValve
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
  pwd
/opt/tomcat/apache-tomcat-9.0.54/instance/conf

That context.xml is thought to be a default template for all installed 
webapps. It will work, but remember, that every installed webapp will 
get its own copy of a rewrite valve.




more
/opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config
RewriteCond %{QUERY_STRING} p=10001
RewriteRule ^/apex/f$ /apex/myapp [R,L]


What happens, when you call the apex URL with curl? Something like

> curl -D- 'localhost:8080/apex/f?p=10001'

It should display (assuming your tomcat listens on port 8080) something 
like:


HTTP/1.1 302
Location: /apex/myapp?p=10001
Content-Length: 0
Date: Mon, 21 Mar 2022 ...

Felix



it's still not working


On Mon, 21 Mar 2022 at 00:57, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:


On 20.03.22 at 19:45, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello,

url rewrite doesn't match against url parameters as far as I know.
RewriteRule ^/apex/f$  /apex/myapp [R,L]

You can match the query string by adding a RewriteCond, for example

RewriteCond %{QUERY_STRING} p=1001
RewriteRule ^/apex/f$ /apex/myapp [R,L]

(The lines have to be in that order and no other line in between)

Felix

Just a guess, maybe you can  give it a try.

Another option would be to use the source code of tomcat and set a breakpoint 
within the filter class
(just with a little dummy app deployed).

Greetings, Thomas


-Original Message-
From: rupali singh
Sent: Sunday, 20 March 2022 19:23
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

i have referred Around here:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
but still can't figure out how to write rules for my requirements..
can you please help

On Sat, 19 Mar 2022 at 21:57, Thomas Hoffmann (Speed4Trade GmbH) wrote:


Hello,

just scroll down the documentation.
Around here: https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
If something is not clear there, just drop a line



-Original Message-
From: rupali singh
Sent: Saturday, 19 March 2022 18:28
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

Thanks a lot for your quick response. then what options we have in
tomcat apache for rewrite rules.

Apologies I'm new to apache tomcat.


On Sat, Mar 19, 2022, 9:42 PM Terence M. Bandoian wrote:


On 3/19/2022 1:03 AM, rupali singh wrote:

Hi Team,

We are using tomcat 9.54 version.
Need help in rewriting rule.

background   : We have an Oracle apex server ( version 21.1)  and tomcat is
installed on the same server. We have F5 url which redirects to
apex installed on tomcat  eg https://xyz.ae/apex/f?p=1001 <https://xyz.com/apex/f?p=1001>
so xyz.ae is published on our F5 which
redirects internally to tomcat server on port 8080.

we want to redirect https://xyz.ae/apex/f?p=1001 <https://xyz.com/apex/f?p=1001>
to https://xyz.ae/apex/myapp <https://xyz.com/aorx/myapp> as it's difficult
for business users to remember f?p=1001 <https://xyz.com/apex/f?p=1001>

i have prepared context.xml and rewrite.config rule but
redirection not working and there is no error in catalina.log

in access log we are getting 404.

i have tried steps mentioned in
https://stackoverflow.com/questions/38618473/tomcat-9-rewrite-with-ords-and-oracle-apex

rewrite.config content

RewriteCond %{REQUEST_URI} ^/myapp$
RewriteRule ^/myapp$ https://xyz.ae/apex/myapp  [R,L]


please advise how to resolve the issue

Those look like Apache HTTPD rewrite rules. How are they supported
in Apache Tomcat?

-Terence Bandoian



  --
Thanks and Regards,
Rupali



Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-20 Thread Felix Schumacher


On 20.03.22 at 19:45, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello,

url rewrite doesn't match against url parameters as far as I know.
RewriteRule ^/apex/f$  /apex/myapp [R,L]


You can match the query string by adding a RewriteCond, for example

RewriteCond %{QUERY_STRING} p=1001
RewriteRule ^/apex/f$ /apex/myapp [R,L]

(The lines have to be in that order and no other line in between)

Felix



Just a guess, maybe you can  give it a try.

Another option would be to use the source code of tomcat and set a breakpoint 
within the filter class
(just with a little dummy app deployed).

Greetings, Thomas


-Original Message-
From: rupali singh
Sent: Sunday, 20 March 2022 19:23
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

i have referred Around here:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
but still can't figure out how to write rules for my requirements..
can you please help

On Sat, 19 Mar 2022 at 21:57, Thomas Hoffmann (Speed4Trade GmbH) wrote:


Hello,

just scroll down the documentation.
Around here:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
If something is not clear there, just drop a line



-Original Message-
From: rupali singh
Sent: Saturday, 19 March 2022 18:28
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

Thanks a lot for your quick response. then what options we have in
tomcat apache for rewrite rules.

Apologies I'm new to apache tomcat.


On Sat, Mar 19, 2022, 9:42 PM Terence M. Bandoian wrote:


On 3/19/2022 1:03 AM, rupali singh wrote:

Hi Team,

We are using tomcat 9.54 version.
Need help in rewriting rule.

background   : We have an Oracle apex server ( version 21.1)  and tomcat is
installed on the same server. We have F5 url which redirects to
apex installed on tomcat  eg https://xyz.ae/apex/f?p=1001
so xyz.ae is published on our F5 which
redirects internally to tomcat server on port 8080.

we want to redirect https://xyz.ae/apex/f?p=1001
to
   https://xyz.ae/apex/myapp  as it's difficult
for business users to remember f?p=1001


i have prepared context.xml and rewrite.config rule but
redirection not working and there is no error in catalina.log

in access log we are getting 404.

i have tried steps mentioned in
https://stackoverflow.com/questions/38618473/tomcat-9-rewrite-with-ords-and-oracle-apex

rewrite.config content

RewriteCond %{REQUEST_URI} ^/myapp$
RewriteRule ^/myapp$ https://xyz.ae/apex/myapp  [R,L]


please advise how to resolve the issue

Those look like Apache HTTPD rewrite rules. How are they supported
in Apache Tomcat?

-Terence Bandoian






--
Thanks and Regards,
Rupali



Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-20 Thread Felix Schumacher


On 20.03.22 at 20:17, rupali singh wrote:

Hi Thomas,
thanks for the quick reply.
I have tried below but it's still not working.

RewriteRule ^/apex/f$  /apex/myapp [R,L]

I have placed rewrite.config on below locations and file is same in both
locations , after changing rewrite.config i'm restarting tomcat as well.
/opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config
and
/opt/tomcat/apache-tomcat-9.0.54/instance/webapps/apex/WEB-INF/rewrite.config


Have you added the RewriteValve to your context.xml? And if so, are you 
sure, that it is the one, that tomcat uses?


Where did you place context.xml and have you checked 
Catalina/localhost/apex.xml has not been copied earlier?


Felix




i'm new to apache tomcat and now aware of how to achieve below.


Another option would be to use the source code of tomcat and set a
breakpoint within the filter class
(just with a little dummy app deployed).

On Sun, 20 Mar 2022 at 22:46, Thomas Hoffmann (Speed4Trade GmbH) wrote:


Hello,

url rewrite doesn't match against url parameters as far as I know.
RewriteRule ^/apex/f$  /apex/myapp [R,L]

Just a guess, maybe you can  give it a try.

Another option would be to use the source code of tomcat and set a
breakpoint within the filter class
(just with a little dummy app deployed).

Greetings, Thomas


-Original Message-
From: rupali singh
Sent: Sunday, 20 March 2022 19:23
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

i have referred Around here:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
but still can't figure out how to write rules for my requirements..
can you please help

On Sat, 19 Mar 2022 at 21:57, Thomas Hoffmann (Speed4Trade GmbH) wrote:


Hello,

just scroll down the documentation.
Around here:
https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html#RewriteRule
If something is not clear there, just drop a line



-Original Message-
From: rupali singh
Sent: Saturday, 19 March 2022 18:28
To: Tomcat Users List
Subject: Re: Fwd: tomcat 9.50 - rewrite rule question

Hi,

Thanks a lot for your quick response. then what options we have in
tomcat apache for rewrite rules.

Apologies I'm new to apache tomcat.


On Sat, Mar 19, 2022, 9:42 PM Terence M. Bandoian wrote:


On 3/19/2022 1:03 AM, rupali singh wrote:

Hi Team,

We are using tomcat 9.54 version.
Need help in rewriting rule.

background   : We have an Oracle apex server ( version 21.1)  and tomcat is
installed on the same server. We have F5 url which redirects to
apex installed on tomcat  eg https://xyz.ae/apex/f?p=1001
so xyz.ae is published on our F5 which
redirects internally to tomcat server on port 8080.

we want to redirect https://xyz.ae/apex/f?p=1001
to
   https://xyz.ae/apex/myapp  as it's difficult
for business users to remember f?p=1001


i have prepared context.xml and rewrite.config rule but
redirection not working and there is no error in catalina.log

in access log we are getting 404.

i have tried steps mentioned in
https://stackoverflow.com/questions/38618473/tomcat-9-rewrite-with-ords-and-oracle-apex

rewrite.config content

RewriteCond %{REQUEST_URI} ^/myapp$
RewriteRule ^/myapp$ https://xyz.ae/apex/myapp  [R,L]


please advise how to resolve the issue

Those look like Apache HTTPD rewrite rules. How are they supported
in Apache Tomcat?

-Terence Bandoian






--
Thanks and Regards,
Rupali






Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-20 Thread Felix Schumacher


On 19.03.22 at 07:03, rupali singh wrote:

Hi Team,

We are using tomcat 9.54 version.
Need help in rewriting rule.

background   : We have an Oracle apex server ( version 21.1)  and tomcat is
installed on the same server. We have F5 url which redirects to apex
installed on tomcat  eg https://xyz.ae/apex/f?p=1001
so xyz.ae is published on our F5 which
redirects internally to tomcat server on port 8080.

we want to redirect https://xyz.ae/apex/f?p=1001
to
  https://xyz.ae/apex/myapp  as it's difficult
for business users to remember f?p=1001


Are you sure, that you want to redirect the obscure URL - that is hard 
to remember - to redirect to a "sane" URL - that is easy to remember? I 
would do it the other way round. Tell the people to enter 
https://apex.ae/myapp (or apex.com/myapp) and let the app rewrite it to 
something hard to remember.


Felix



i have prepared context.xml and rewrite.config rule but redirection not
working and there is no error in catalina.log

in access log we are getting 404.

i have tried steps mentioned in
https://stackoverflow.com/questions/38618473/tomcat-9-rewrite-with-ords-and-oracle-apex

rewrite.config content

RewriteCond %{REQUEST_URI} ^/myapp$
RewriteRule ^/myapp$ https://xyz.ae/apex/myapp  [R,L]


please advise how to resolve the issue




Re: apache-tomcat-8.5.59 too many open files on Linux 8

2021-05-23 Thread Felix Schumacher
Sorry for the noise, you gave the numbers of open files (8028) and the
limits (262144) in your first mail.

Felix

On 23.05.21 at 12:18, Felix Schumacher wrote:
> On 22.05.21 at 18:03, Yeggy Javadi wrote:
>> Here it is:
>>
>> # netstat -p -a  --tcp | grep 130244
>>
>>
>> # lsof -p 130244

Re: apache-tomcat-8.5.59 too many open files on Linux 8

2021-05-23 Thread Felix Schumacher

On 22.05.21 at 18:03, Yeggy Javadi wrote:
> Here it is:
>
> # netstat -p -a  --tcp | grep 130244
>
>
> # lsof -p 130244

Re: ApacheCon @Home 2020 links for the presentations page

2021-04-13 Thread Felix Schumacher
Hi Leon,

thanks for the reminder. The pages have been updated

Felix

On 13.04.21 at 12:09, Leon Atherton wrote:
> I noticed the presentations page
> (https://tomcat.apache.org/presentations.html) does not yet have the
> links from ApacheCon @Home 2020. Please find below the HTML that will
> correct this. I wasn't able to find links to the slides.
>
> Whilst you are there, I also noticed the legal page
> (https://tomcat.apache.org/legal.html) needs the copyright year
> updated from 2020 to 2021 in the first paragraph.
>
> Regards,
> Leon
>
> ---
>
> ApacheCon @Home 2020
>
> - State of the Cat - Mark Thomas,
>   video: https://www.youtube.com/watch?v=uDy-Dwexy2Q
> - Lost in the Docs - Felix Schumacher,
>   video: https://www.youtube.com/watch?v=pSU0l5kbcJ8
> - Deploying a Production Instance - Andrew Carr,
>   video: https://www.youtube.com/watch?v=V75wPfhYsj4
> - HTTP/2, HTTP/3, and SSL/TLS State of the Art in our Servers
>   (httpd, Traffic Server, and Tomcat) - Jean-Frederic Clere,
>   video: https://www.youtube.com/watch?v=xzqOU6ILJzQ
> - Split your Tomcat Installation for Easier Upgrades - Christopher Schultz,
>   video: https://www.youtube.com/watch?v=nu229pb09D0
> - Tomcat: New and Upcoming - Rémy Maucherat,
>   video: https://www.youtube.com/watch?v=L5PFoJyS-aU
> - Reverse-Proxying with nginx - Igal Sapir,
>   video: https://www.youtube.com/watch?v=8e1V9tVwNR8
> - Tomcat: From a Cluster to a Cloud - Jean-Frederic Clere,
>   video: https://www.youtube.com/watch?v=COsTWphp2fk
> - Migrating from AJP to HTTP: It's About Time - Christopher Schultz,
>   video: https://www.youtube.com/watch?v=qUjUEvGFstI
> - Tomcat 10 and Jakarta EE - Mark Thomas,
>   video: https://www.youtube.com/watch?v=10PkrWRPgPU
> - Getting Started Hacking Tomcat - Christopher Schultz,
>   video: https://www.youtube.com/watch?v=O2wXAldxQWA
> - Apache Tomcat and Spring Boot - Andrew Carr,
>   video: https://www.youtube.com/watch?v=Nk-rKXQC0BU
> - Openly Handling Security Vulnerabilities (Q/Panel) - Mark Thomas,
>   Christopher Schultz, Coty Sutherland,
>   video: https://www.youtube.com/watch?v=tGjyX6meGcA
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>





Re: RemoteIpValve resolving localname is really slow

2021-04-12 Thread Felix Schumacher

On 12.04.21 at 15:49, Bourdais Nicolas wrote:
> We are hosting our tomcats on windows vms behind a reverse proxy and have 
> enabled RemoteIPValve.
> In the same time we have many hardware which talk to tomcat through a vpn.
> Recently we updated our tomcats to a more recent version (8.5.43 to 8.5.53) 
> and our apps running on hardware through vpn had difficulties to talk to 
> tomcat.
>
> We identified that these difficulties came from very slow localname 
> resolution in RemoteIpValve when calling through vpn.
> We added vpn IP to hosts file of our tomcat’s vms which resolved our errors.
>
> We found that these behaviour appeared with tomcat 8.5.44 and was a 
> consequence of the new feature in RemoteIPValve and RemoteIpFilter : 'support 
> x-forwarded-host’ id 57665.
> Since this feature the valve begins by resolving localname (along remoteAddr, 
> remoteHost, serverName etc…) which in our case is time consuming (> 5 s) and 
> leads to communication errors
>
> Is this behaviour expected and necessary ?
> Could localName be resolved only if changeLocalName is set to true ?

How is your connector configured? Has it an attribute enableLookups (set
to true)?

Felix

> Should I comment on bugzilla ?
>
>





Re: [OT] visualvm time stamps

2021-04-11 Thread Felix Schumacher



On 9 April 2021 21:02:56 CEST, Chris Cheshire wrote:
>My googlefu is failing me here.
>
>I am trying to figure out some anomalous database connection behavior
>in my tomcat web app. I have enabled JMX/RMI and have visualvm running
>on my local machine.
>
>I found the ability to monitor the active connections as a live chart,
>and it has an export data function. This export creates a csv with what
>is supposed to be a time stamp and a count but the time stamp is in a
>5.6 format. I have never seen this before. How do I convert this into
>something normal - millis since epoch or even a human readable ISO
>format? 
>
>Example
>44295.607552

Could it be seconds since start of the jvm? That would mean around 12 h? 

Felix 

>
>Chris
>



Re: Tomcat, maybe Apache on Widows 10

2021-04-10 Thread Felix Schumacher

On 09.04.21 at 22:31, Orendt, John wrote:
> Hi
>
> My goal is to set up a web server on Windows 10 that supports TLSv1.3 with 
> mutual authentication.
>
> I have had success with Apache on Ubuntu 20.04. I was able to generate the 
> server and client x509 leaf certs which apache validates up the chain of 
> trust and actually does refuse the connection if a client cert has been 
> revoked. Very nice.
>
> Also, Apache provides these useful environmental variables like REMOTE_ADDR, 
> SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, and SSL_PROTOCOL.
>
> I'm using ProxyPass, ProxyPassReverse as a connector to Tomcat 9.
>
> Unfortunately, these env vars do not get through to Tomcat 9.

Can you give us more details, what you already tried?

If you want to use those Header variables, you will have to enable the
SSL Valve in Tomcat. The valve is described at
http://tomcat.apache.org/tomcat-10.0-doc/config/valve.html#SSL_Valve

You might want to combine that with the Remote IP Valve
(http://tomcat.apache.org/tomcat-10.0-doc/config/valve.html#Remote_IP_Valve)
and watch out to only accept connections from the httpd and not any
other clients (as you have to trust the values in the header fields
Tomcat will use).

>
> For other reasons, related to TPM, I need to get this to work on Windows 10.
>
> So far, my best three options are :
>
>
>   1.  Use Tomcat 9 standalone and configure TLSv1.3
>   2.  Use Tomcat 10 standalone and configure TLSv1.3
>   3.  Use Apache2 and Tomcat and find a work around to get the environmental 
> variables To Tomcat
>
> For configuring TLS on Tomcat 9 or 10, a working example would be useful.
Which parts are missing on
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html ?
>
> Will standalone Tomcat validate certs up the chain of trust and actually  
> refuse the connection if a client cert has been revoked?

I think it should. But it is always a good idea to test it yourself :)

Felix

>
> Please advise.
>
> John Orendt
> john.p.ore...@medtronic.com
>
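
A check for the advice above to accept connections only from httpd, as an added example that is not part of the original thread or of Tomcat: it flags a server.xml in which SSLValve or RemoteIpValve is configured while a connector is reachable from other hosts and no RemoteAddrValve or RemoteCIDRValve restricts the source. Both server.xml fragments are constructed; treating a missing `address` attribute as "all interfaces" and ignoring any firewall in front of Tomcat are assumptions of this sketch.

```python
"""Audit a Tomcat server.xml for header-trusting valves that any client can reach."""
import ipaddress
import xml.etree.ElementTree as ET

PREFIX = "org.apache.catalina.valves."
# Valves that turn request headers into connection facts (client cert, client IP).
HEADER_TRUSTING = {PREFIX + "SSLValve", PREFIX + "RemoteIpValve"}
# Valves that can restrict which peers may send requests at all.
SOURCE_FILTERS = {PREFIX + "RemoteAddrValve", PREFIX + "RemoteCIDRValve"}


def is_loopback(address):
    """True if a Connector 'address' value only accepts local connections."""
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # attribute missing, or a host name this sketch cannot judge


def audit(server_xml):
    """Return one finding per Service whose header-trusting valves are exposed."""
    findings = []
    for service in ET.fromstring(server_xml).iter("Service"):
        valves = list(service.iter("Valve"))
        trusting = sorted(
            v.get("className")[len(PREFIX):]
            for v in valves if v.get("className") in HEADER_TRUSTING
        )
        if not trusting:
            continue
        has_filter = any(
            v.get("className") in SOURCE_FILTERS and v.get("allow") for v in valves
        )
        # Assumption: a Connector without 'address' listens on every interface.
        exposed = [
            c.get("port", "?") for c in service.iter("Connector")
            if not is_loopback(c.get("address", ""))
        ]
        if exposed and not has_filter:
            findings.append({
                "service": service.get("name", "?"),
                "valves": trusting,
                "ports": exposed,
            })
    return findings


# Constructed sample: the headers are trusted, but any host can reach port 8080
# and send its own values for them.
WEAK = r"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
      <Valve className="org.apache.catalina.valves.SSLValve"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: connector bound to loopback and a source filter in place,
# so only the local httpd can supply the headers.
HARDENED = r"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.0\.0\.1"/>
      <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
      <Valve className="org.apache.catalina.valves.SSLValve"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(xml_text))
```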





Re: IDNs emoji replaced by punycode - how to remain with emoji?

2021-03-08 Thread Felix Schumacher


On 08.03.21 at 17:31, Peter Rader wrote:
> Hi,
>  
> I try to support a emoji in a IDN. This is the head of my engine-config:
>  
>
>     className="org.apache.catalina.realm.LockOutRealm">
>         resourceName="UserDatabase"/>
>   
>        unpackWARs="true" autoDeploy="true">
>  
> Both, HTTP and HTTPS connector have the UTF8 encoding:
>  
>
>       connectionTimeout="2" URIEncoding="UTF-8"
>     redirectPort="8443" />
>  
>      protocol="org.apache.coyote.http11.Http11Nio2Protocol" scheme="https" 
> secure="true" SSLEnabled="true" URIEncoding="UTF-8">
>      truststorePassword="example" certificateVerification="optionalNoCA" 
> ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
>  truststoreType="JKS">
>      certificateKeyFile="/example/privkey.pem" 
> certificateChainFile="/example/chain.pem" type="RSA"/>
>     
>     
>  
>  
> Unfortunately the browser-url redirect to the punycode xn--x7h.example.com in 
> Chrome, Edge and Firefox (did not test more).
>  
> How to remain with emoji IDN in the browser URL?

After a short look around the net, I think you will have no luck here,
as it seems to be a restriction posed by the browsers.

For Chrome you can read those restrictions at
https://chromium.googlesource.com/chromium/src/+/master/docs/idn.md

What I understood from that document, you have to stay close to the actual
characters of your language (or at least stay with one language
(script)). Emojis are probably not yet recognized as a language :)

Felix

>  
> Kind regards
>
> Peter Rader
> --
> Fachinformatiker AE / IT Software Developer
> Peter Rader
> Wilsnacker Strasse 17
> 10559 Berlin - GERMANY
> Tel: 0049 (0)30 / 6 29 33 29 6
> Fax: 0049 (0)30 / 6 29 33 29 6
> Handy: 0049 (0)176 / 8 7521576
>



Re: AccessLog implementation via logging subsystem?

2021-01-20 Thread Felix Schumacher

On 20.01.21 at 18:44, Mark Thomas wrote:
> On 20/01/2021 10:59, Thomas Meyer wrote:
>> Hi,
>>
>> as far as I can see there seems to be no AccessLog interface implementation 
>> that is using the standard tomcat logging subsystem.
>> Is there a reason for this?
>> I have a use case were I want to forward access log to splunk via http event 
>> collector endpoint.
>> The idea is to log access log via tomcat logging and configure tomcat 
>> logging to use HttpEventCollectorLog4jAppender to forward all access logs to 
>> splunk.
> https://tomcat.markmail.org/thread/aawkctjwltiqkmby

At work we use something like the attached version of a subclassed
AbstractAccessLogValve to send our access log to log4j2. That way we can
format the access log as json and print it out on STDOUT. Might not be
the most performant way to log those accesses, but it is a convenient
way to run in a kubernetes environment, where JSON formatted events are
automatically parsed.

This implementation (well the log4j part really) has some other downsides.

You have to enable log4j2 globally in tomcat, which is not that well
documented. Enabling it globally can be an annoyance, when webapps
include their own copy of log4j.

Felix

>
> Mark
>
>
package de.internetallee;

import java.io.CharArrayWriter;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.AbstractAccessLogValve;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;

public class Log4jAccessLogValve extends AbstractAccessLogValve {

    private Logger logger = LogManager.getLogger();

    // One AccessLogElement per %x code found in the configured pattern.
    private Set<AccessLogElement> logPattern = Collections.emptySet();

    /**
     * The system time when we last updated the Date that this valve uses for log
     * lines.
     */
    private static final ThreadLocal<Date> localDate = new ThreadLocal<Date>() {
        @Override
        protected Date initialValue() {
            return new Date();
        }
    };

    // %r: first line of the request, used as the log message itself.
    private AccessLogElement requestLine = createAccessLogElement('r');

    @Override
    public void setPattern(String pattern) {
        // Collect the element for every single-character %x code in the pattern.
        Set<AccessLogElement> newLogPattern = new HashSet<>();
        char last = ' ';
        for (int pos = 0; pos < pattern.length(); pos++) {
            char currentChar = pattern.charAt(pos);
            if (last == '%') {
                newLogPattern.add(createAccessLogElement(currentChar));
                last = ' ';
            } else {
                last = currentChar;
            }
        }
        logPattern = newLogPattern;
        logger.debug("Use patterns: {}", newLogPattern);
    }

    private static Date getDate(long systime) {
        Date date = localDate.get();
        date.setTime(systime);
        return date;
    }

    @Override
    public void log(Request request, Response response, long time) {
        logger.debug("log message: isNotActive: {} logElements: {}", isNotActive(), logElements);
        if (isNotActive() || logPattern == null
                || hasNotCondition(request)
                || hasConditionIf(request)) {
            return;
        }

        /**
         * XXX This is a bit silly, but we want to have start and stop time and duration
         * consistent. It would be better to keep start and stop simply in the request
         * and/or response object and remove time (duration) from the interface.
         */
        long start = request.getCoyoteRequest().getStartTime();
        Date date = getDate(start + time);

        // Put each element's value into the log4j2 ThreadContext, keyed by the
        // element's class name, so that a layout can emit them as fields.
        CharArrayWriter buf = new CharArrayWriter(128);
        for (AccessLogElement element : logPattern) {
            buf.reset();
            element.addElement(buf, date, request, response, time);
            ThreadContext.put(element.getClass().getSimpleName(), buf.toString());
        }

        buf.reset();
        requestLine.addElement(buf, date, request, response, start);
        logger.info(buf.toString());

    }

    private boolean isNotActive() {
        return !getState().isAvailable() || !getEnabled();
    }

    private boolean hasConditionIf(Request request) {
        return conditionIf != null && null == request.getRequest().getAttribute(conditionIf);
    }

    private boolean hasNotCondition(Request request) {
        return condition != null && null != request.getRequest().getAttribute(condition);
    }

    @Override
    protected void log(CharArrayWriter message) {
        logger.info(message);
    }

}



Re: The main resource set specified is not valid

2021-01-02 Thread Felix Schumacher
A few other things that come to my mind after reading the message:

 * What user (and group) is Tomcat running with?

 * Did it fail on SuSE 15.0, or only on 15.2?

 * How are you starting the Tomcat (initd or systemd)?

Felix

On 21.12.20 at 01:50, Marc Chamberlin wrote:
> Hello - I am encountering a problem, on OpenSuSE15.0 and on
> OpenSuSE15.2, which suddenly appeared, possibly via an update or
> possibly from me working on Tomcat and doing something that I can't find
> a way to resolve. I am now getting a rather obtuse set of error messages
> for all my webapps, which is coming from a series of stack walk-back
> traces (shown without the actual program trace messages) from the
> Tomcat/Catalina logfile -
>
> 9-Dec-2020 13:47:22.732 SEVERE [main]
> org.apache.catalina.startup.HostConfig.beforeStart Unable to create
> directory for deployment: [/usr/share/tomcat/webapps]
> 19-Dec-2020 13:47:22.734 SEVERE [main]
> org.apache.catalina.core.ContainerBase.startInternal A child container
> failed during start
>     java.util.concurrent.ExecutionException:
> org.apache.catalina.LifecycleException: Failed to start component
> [org.apache.catalina.webresources.StandardRoot@704921a5]
>     Caused by: org.apache.catalina.LifecycleException: Failed to
> start component [org.apache.catalina.webresources.StandardRoot@704921a5]
>    Caused by: java.lang.IllegalArgumentException: The main resource
> set specified [/usr/share/tomcat/webapps] is not valid
>
> The last error message - java.lang.IllegalArgumentException seems to the
> the pertinent one telling me the path /usr/share/tomcat/webapps is not
> valid. Doesn't tell me why it is invalid, sigh, when will programmers
> write decent user friendly error messages which can actually help?
> Anywise, on my system I am guessing that the problem is that this app
> path is actually a double soft link i.e.
>
> quasar:/usr/share/tomcat # ll -d /usr/share/tomcat/webapps
> lrwxrwxrwx 1 root tomcat 19 Jul 12  2019 /usr/share/tomcat/webapps ->
> /srv/tomcat/webapps
>
> quasar:/usr/share/tomcat # ll -d /srv/tomcat/webapps
> lrwxrwxrwx 1 root tomcat 38 Nov 23 14:58 /srv/tomcat/webapps ->
> /websites/home/marc/domain.com
>
> quasar:/usr/share/tomcat # ll -d /websites/home/marc/domain.com/
> drwxrwxr-x 39 marc users 4096 Aug 13 23:52 /websites/home/marc/domain.com/
>
> I did try shortening this to a single soft link but that didn't change
> anything.  The only other possibility I can think of is that Tomcat may
> have troubles reaching a file system on a different mount point??? 
> /webapps/... is on a different disk drive and is a mount point.
>
> These two environment variables are defined in tomcat.conf -
>
> CATALINA_HOME="/usr/share/tomcat"
> CATALINA_BASE="/usr/share/tomcat"
>
> The host declaration for this application, in server.xml, is -
>
>       unpackWARs="true" autoDeploy="true">
>      directory="logs"
>    prefix="localhost_access_log." suffix=".txt"
>    pattern="%h %l %u %t %r %s %b" />
>       
>     
>        
>     
>   
>
> The context.xml file is -
>
> 
>     WEB-INF/web.xml
>     WEB-INF/tomcat-web.xml
>     ${catalina.base}/conf/web.xml
>
>     
> 
>
> Sure would appreciate any help offered and thanks in advance. I been
> spending lots of hours trying to noodle this problem out and just not
> getting anywhere! A puzzler is that I had Tomcat working on OpenSuSE
> 15.0 at one time and this error message surfaced when I was trying to
> port Tomcat to OpenSuSE 15.2. I may have done something bad that broke
> Tomcat on OpenSuSE 15.0 but can't remember what I might had done that
> might have broken Tomcat. A couple other tidbits of information that
> might prove helpful -
>
> # tomcat version
>
> Server version: Apache Tomcat/9.0.21
> Server built:   Jul 4 2019 12:00:00 UTC
> Server number:  9.0.21.0
> OS Name:    Linux
> OS Version: 4.12.14-lp150.12.82-default
> Architecture:   amd64
> JVM Version:    1.8.0_222-b10
> JVM Vendor: IcedTea
>
> java -version
> openjdk version "1.8.0_222"
> OpenJDK Runtime Environment (IcedTea 3.13.0) (build 1.8.0_222-b10
> suse-lp150.2.19.1-x86_64)
> OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
>
>
> Thanks,  Marc
>




Re: Tomcat JDBC Pool Cleaner Deadlock Problem

2020-08-31 Thread Felix Schumacher


On 31.08.20 at 18:53, Phil Steitz wrote:
>
> On 8/31/20 3:21 AM, Felix Schumacher wrote:
>> On 31.08.20 at 06:15, Gokhan Akgul wrote:
>>> Dear Phil ,
>>> Thanks for your feedback. I forgot to mention the mysql driver
>>> version. The
>>> Mysql driver version is 5.1.32.
>>> My plan is to upgrade the mysql driver to 5.1.46 version and monitor
>>> for a
>>> while.
>> If I read the bug report correctly, MySQL will not change its logic and
>> therefore using newer versions of the driver will not help.
>
> Yeah.  There was a comment in another related bug report about
> changing the locking model in 5.1.x, so it is possible a later version
> will help, but you are right that it probably won't.
>
>>
>> What MySQL advises is to change the pool to use the abort-Method of the
>> connection to close it in the case of abandoned connections.
>>
>> The dbcp2 pool seems to be able to use that method, while I found no
>> reference to it in the jdbc-pool module (which you are using).
>
> We are talking about making that change on commons-dev now [1], but
> currently dbcp2 uses close as jdbc-pool does.

You are of course right, I just grepped the sources for abort and
skimmed the comments. Should have looked more closely.

Felix

>
> Comments / patches welcome!
>
> Phil
>
>>
>> So, maybe it is a good idea to switch the used pool from the jdbc-pool
>> to the default tomcat pool (see
>> http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html).
>>
>> It should work equally well (I am not sure, if it supports something
>> like the slowqueryreport, though). If you want to continue using the old
>> jdbc-pool module, you might want to file a bug on the bugtracker asking
>> for an enhancement to support the abort method. (I would use the dbcp2
>> pool.)
>>
>> Felix
>
>
> [1]
> https://lists.apache.org/thread.html/r598c0f654477372d112858af1c18bfc04008250156989647d883576f%40%3Cdev.commons.apache.org%3E
>
>>
>>> On Sat, Aug 29, 2020 at 6:50 PM Phil Steitz 
>>> wrote:
>>>
>>>> On 8/27/20 2:47 AM, Gokhan Akgul wrote:
>>>>> Hi ,
>>>>>
>>>>> I have been facing the deadlock issue for the last 2 months  about
>>>>> JDBCPoolCleaner Thread .
>>>>>
>>>>> Following config set in context.xml
>>>>>
>>>>> >>>>    auth="Container"
>>>>>    type="javax.sql.DataSource"
>>>>>   
>>>>> factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>>>>    driverClassName="com.mysql.jdbc.Driver"
>>>>>
>>>>  
>>>> url="jdbc:mysql://adress:3306/db?useUnicode=truecharacterEncoding=latin5characterResultSet=latin5zeroDateTimeBehavior=convertToNullautoReconnect=trueinteractiveClient=true"
>>>>>    username="user"
>>>>>    password="pass"
>>>>>    initialSize="10"
>>>>>    maxActive="30"
>>>>>    maxIdle="15"
>>>>>    minIdle="10"
>>>>>    maxWait="3"
>>>>>    timeBetweenEvictionRunsMillis="5000"
>>>>>    minEvictableIdleTimeMillis="6"
>>>>>    removeAbandonedTimeout="600"
>>>>>    removeAbandoned="true"
>>>>>    logAbandoned="false"
>>>>>    testWhileIdle="true"
>>>>>    testOnBorrow="true"
>>>>>    testOnReturn="false"
>>>>>    validationQuery="/* ping */ SELECT 1"
>>>>>    validationInterval="3"
>>>>>    jmxEnabled="true"
>>>>>
>>>>  
>>>> jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer;SlowQueryReport"
>>>>>   />
>>>>>
>>>>>
>>>>>
>>>>> Thread dump
>>>>>
>>>>> Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
>>>>>   - waiting to lock <0x57dcb0b7> (a
>>>> com.mysql.jdbc.JDBC4PreparedStatement)
>&g

Re: Tomcat JDBC Pool Cleaner Deadlock Problem

2020-08-31 Thread Felix Schumacher


On 31.08.20 at 06:15, Gokhan Akgul wrote:
> Dear Phil ,
> Thanks for your feedback. I forgot to mention the mysql driver version. The
> Mysql driver version is 5.1.32.
> My plan is to upgrade the mysql driver to 5.1.46 version and monitor for a
> while.

If I read the bug report correctly, MySQL will not change its logic and
therefore using newer versions of the driver will not help.

What MySQL advises is to change the pool to use the abort-Method of the
connection to close it in the case of abandoned connections.

The dbcp2 pool seems to be able to use that method, while I found no
reference to it in the jdbc-pool module (which you are using).

So, maybe it is a good idea to switch the used pool from the jdbc-pool
to the default tomcat pool (see
http://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html).
It should work equally well (I am not sure, if it supports something
like the slowqueryreport, though). If you want to continue using the old
jdbc-pool module, you might want to file a bug on the bugtracker asking
for an enhancement to support the abort method. (I would use the dbcp2
pool.)

Felix

>
> On Sat, Aug 29, 2020 at 6:50 PM Phil Steitz  wrote:
>
>> On 8/27/20 2:47 AM, Gokhan Akgul wrote:
>>> Hi ,
>>>
>>> I have been facing the deadlock issue for the last 2 months  about
>>> JDBCPoolCleaner Thread .
>>>
>>> Following config set in context.xml
>>>
>>> >>   auth="Container"
>>>   type="javax.sql.DataSource"
>>>   factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>>   driverClassName="com.mysql.jdbc.Driver"
>>>
>>  
>> url="jdbc:mysql://adress:3306/db?useUnicode=truecharacterEncoding=latin5characterResultSet=latin5zeroDateTimeBehavior=convertToNullautoReconnect=trueinteractiveClient=true"
>>>   username="user"
>>>   password="pass"
>>>   initialSize="10"
>>>   maxActive="30"
>>>   maxIdle="15"
>>>   minIdle="10"
>>>   maxWait="3"
>>>   timeBetweenEvictionRunsMillis="5000"
>>>   minEvictableIdleTimeMillis="6"
>>>   removeAbandonedTimeout="600"
>>>   removeAbandoned="true"
>>>   logAbandoned="false"
>>>   testWhileIdle="true"
>>>   testOnBorrow="true"
>>>   testOnReturn="false"
>>>   validationQuery="/* ping */ SELECT 1"
>>>   validationInterval="3"
>>>   jmxEnabled="true"
>>>
>>  
>> jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer;SlowQueryReport"
>>>  />
>>>
>>>
>>>
>>> Thread dump
>>>
>>> Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
>>>  - waiting to lock <0x57dcb0b7> (a
>> com.mysql.jdbc.JDBC4PreparedStatement)
>>>   owned by http-nio-8080-exec-8 id=25
>>>  at
>> com.mysql.jdbc.PreparedStatement.realClose(PreparedStatement.java:3078)
>>>  at
>> com.mysql.jdbc.ConnectionImpl.closeAllOpenStatements(ConnectionImpl.java:1584)
>>>  at com.mysql.jdbc.ConnectionImpl.realClose(ConnectionImpl.java:4364)
>>>  at com.mysql.jdbc.ConnectionImpl.close(ConnectionImpl.java:1556)
>>>  at
>> org.apache.tomcat.jdbc.pool.PooledConnection.disconnect(PooledConnection.java:388)
>>>  at
>> org.apache.tomcat.jdbc.pool.PooledConnection.release(PooledConnection.java:618)
>>>  at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.release(ConnectionPool.java:612)
>>>  at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.abandon(ConnectionPool.java:569)
>>>  at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.checkAbandoned(ConnectionPool.java:999)
>>>  at
>> org.apache.tomcat.jdbc.pool.ConnectionPool$PoolCleaner.run(ConnectionPool.java:1468)
>>>  at java.util.TimerThread.mainLoop(Timer.java:555)
>>>  at java.util.TimerThread.run(Timer.java:505)
>>>
>>>  Locked synchronizers: count = 1
>>>-
>> java.util.concurrent.locks.ReentrantReadWriteLock$NonfairSync@58039868
>>>
>>>
>>> http-nio-8080-exec-8 id=25 state=BLOCKED
>>>  - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
>>>   owned by Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16
>>>  at
>> com.mysql.jdbc.ConnectionImpl.useAnsiQuotedIdentifiers(ConnectionImpl.java:5435)
>>>  at
>> com.mysql.jdbc.DatabaseMetaData.getIdentifierQuoteString(DatabaseMetaData.java:3269)
>>>  at com.mysql.jdbc.DatabaseMetaData.(DatabaseMetaData.java:675)
>>>  at
>> com.mysql.jdbc.JDBC4DatabaseMetaData.(JDBC4DatabaseMetaData.java:39)
>>>  at sun.reflect.GeneratedConstructorAccessor24.newInstance(Unknown
>> Source)
>>>  at
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>  at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
>>>  at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
>>>  at
>> 
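
The two BLOCKED entries in the thread dump quoted above form a wait-for cycle; as an added example (not code from the thread, Tomcat or the MySQL driver), this script parses dumps in that format and reports such cycles. The first two threads in the sample are taken from the quoted dump with mail quoting and line wraps removed; the other two threads are constructed.

```python
"""Find lock cycles in a thread dump of the 'id=N state=X / owned by ... id=M' form."""
import re

HEADER = re.compile(r"^(?P<name>\S.*?) id=(?P<id>\d+) state=(?P<state>\w+)\s*$")
WAITING = re.compile(r"^\s*- waiting to lock <(?P<lock>0x[0-9a-fA-F]+)> \(a (?P<cls>[\w.$]+)\)")
OWNER = re.compile(r"^\s*owned by (?P<name>.+?) id=(?P<id>\d+)\s*$")

SAMPLE_DUMP = """\
Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
    - waiting to lock <0x57dcb0b7> (a com.mysql.jdbc.JDBC4PreparedStatement)
     owned by http-nio-8080-exec-8 id=25
    at com.mysql.jdbc.PreparedStatement.realClose(PreparedStatement.java:3078)
    at org.apache.tomcat.jdbc.pool.ConnectionPool.checkAbandoned(ConnectionPool.java:999)

http-nio-8080-exec-8 id=25 state=BLOCKED
    - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
     owned by Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16
    at com.mysql.jdbc.ConnectionImpl.useAnsiQuotedIdentifiers(ConnectionImpl.java:5435)

http-nio-8080-exec-3 id=31 state=BLOCKED
    - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
     owned by Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16

main id=1 state=RUNNABLE
    at java.net.PlainSocketImpl.socketAccept(Native Method)
"""  # threads 31 and 1 are constructed for this example


def parse_dump(dump):
    """Map thread id -> name, state, awaited lock, lock class and owning thread id."""
    threads, current = {}, None
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"name": m["name"], "state": m["state"],
                       "lock": None, "lock_class": None, "owner": None}
            threads[int(m["id"])] = current
            continue
        if current is None:
            continue
        m = WAITING.match(line)
        if m:
            current["lock"], current["lock_class"] = m["lock"], m["cls"]
            continue
        m = OWNER.match(line)
        if m:
            current["owner"] = int(m["id"])
    return threads


def find_deadlocks(threads):
    """Follow 'waits for a lock owned by' edges and return every cycle of thread ids."""
    cycles, done = [], set()
    for start in sorted(threads):
        path, position, node = [], {}, start
        while node in threads and node not in done:
            if node in position:            # walked back onto this path: a cycle
                cycles.append(path[position[node]:])
                break
            position[node] = len(path)
            path.append(node)
            node = threads[node]["owner"]   # None when the thread is not blocked
        done.update(path)
    return cycles


def describe(threads, cycle):
    """One readable line per edge of a cycle."""
    return [
        "{} (id={}) waits for {} <{}> held by id={}".format(
            threads[t]["name"], t, threads[t]["lock_class"],
            threads[t]["lock"], threads[t]["owner"])
        for t in cycle
    ]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for found in find_deadlocks(parsed):
        print("\n".join(describe(parsed, found)))
```

Threads that are blocked on a lock inside the cycle, such as id=31 in the sample, are not reported as part of it; they are waiting on the deadlock rather than taking part in it.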

Re: Tomcat JDBC Pool Cleaner Deadlock Problem

2020-08-31 Thread Felix Schumacher


On 31.08.20 at 06:26, Gokhan Akgul wrote:
> Dear Felix,
>
> Thanks for your feedback , the health check period is so aggressive now.
> SRE team's and apm monitor tools call internally and externally endpoint
> and health indicators.
> I asked the sre guys to decrease the frequency of those calls. They made
> some decrease on calls but nothing changed.
No, don't decrease the frequency. I meant to have the calls happen more
often than every ten minutes.
> Due to an old spring mvc project it doesn't have a kubernetes probe , about
> 100 calls in minutes.

Those calls have to use the connection, that the health check is using.

Maybe you could check, whether the healthcheck is releasing its
connection back to the pool after it has done its work.

Felix

>
> Gökhan
>
> On Thu, Aug 27, 2020 at 9:48 PM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> On 27.08.20 at 11:47, Gokhan Akgul wrote:
>>> Hi ,
>>>
>>> I have been facing the deadlock issue for the last 2 months  about
>>> JDBCPoolCleaner Thread .
>>>
>>> Following config set in context.xml
>>>
>>> >>  auth="Container"
>>>  type="javax.sql.DataSource"
>>>  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>>  driverClassName="com.mysql.jdbc.Driver"
>>>
>> url="jdbc:mysql://adress:3306/db?useUnicode=truecharacterEncoding=latin5characterResultSet=latin5zeroDateTimeBehavior=convertToNullautoReconnect=trueinteractiveClient=true"
>>>  username="user"
>>>  password="pass"
>>>  initialSize="10"
>>>  maxActive="30"
>>>  maxIdle="15"
>>>  minIdle="10"
>>>  maxWait="3"
>>>  timeBetweenEvictionRunsMillis="5000"
>>>  minEvictableIdleTimeMillis="6"
>>>  removeAbandonedTimeout="600"
>>>  removeAbandoned="true"
>>>  logAbandoned="false"
>>>  testWhileIdle="true"
>>>  testOnBorrow="true"
>>>  testOnReturn="false"
>>>  validationQuery="/* ping */ SELECT 1"
>>>  validationInterval="3"
>>>  jmxEnabled="true"
>>>
>> jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer;SlowQueryReport"
>>> />
>>>
>>>
>>>
>>> Thread dump
>>>
>>> Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
>>> - waiting to lock <0x57dcb0b7> (a
>> com.mysql.jdbc.JDBC4PreparedStatement)
>>>  owned by http-nio-8080-exec-8 id=25
>> So, Tomcat tries to close a connection, that it thinks is abandoned
>> (i.e. in your setup hasn't been used for more than 600 seconds and the
>> pool of idle connections is getting empty).
>>
>> The connection is still in use ...
>>
>>> at
>> com.mysql.jdbc.PreparedStatement.realClose(PreparedStatement.java:3078)
>>> at
>> com.mysql.jdbc.ConnectionImpl.closeAllOpenStatements(ConnectionImpl.java:1584)
>>> at com.mysql.jdbc.ConnectionImpl.realClose(ConnectionImpl.java:4364)
>>> at com.mysql.jdbc.ConnectionImpl.close(ConnectionImpl.java:1556)
>>> at
>> org.apache.tomcat.jdbc.pool.PooledConnection.disconnect(PooledConnection.java:388)
>>> at
>> org.apache.tomcat.jdbc.pool.PooledConnection.release(PooledConnection.java:618)
>>> at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.release(ConnectionPool.java:612)
>>> at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.abandon(ConnectionPool.java:569)
>>> at
>> org.apache.tomcat.jdbc.pool.ConnectionPool.checkAbandoned(ConnectionPool.java:999)
>>> at
>> org.apache.tomcat.jdbc.pool.ConnectionPool$PoolCleaner.run(ConnectionPool.java:1468)
>>> at java.util.TimerThread.mainLoop(Timer.java:555)
>>> at java.util.TimerThread.run(Timer.java:505)
>>>
>>> Locked synchronizers: count = 1
>>>   -
>> java.util.concurrent.locks.ReentrantReadWriteLock$NonfairSync@58039868
>>>
>>>
>>> http-nio-8080-exec-8 id=25 state=BLOCKED
>>> - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
>>>  owned 

Re: Tomcat 9.0.29 - HTTPS threads age, max connections reached, Tomcat not responding on 8443

2020-08-27 Thread Felix Schumacher


On 27.08.20 at 19:35, Christopher Schultz wrote:
> David,
>
> On 8/27/20 10:48, David wrote:
> > In the last two weeks I've had two occurrences where a single
> > CentOS 7 production server hosting a public webpage has become
> > unresponsive. The first time, all 300 available
> > "https-jsse-nio-8443" threads were consumed, with the max age being
> > around 45minutes, and all in a "S" status. This time all 300 were
> > consumed in "S" status with the oldest being around ~16minutes. A
> > restart of Tomcat on both occasions freed these threads and the
> > website became responsive again. The connections are post/get
> > methods which shouldn't take very long at all.
>
> > CPU/MEM/JVM all appear to be within normal operating limits. I've
> > not had much luck searching for articles for this behavior nor
> > finding remedies. The default timeout values are used in both
> > Tomcat and in the applications that run within as far as I can
> > tell. Hopefully someone will have some insight on why the behavior
> > could be occurring, why isn't Tomcat killing the connections? Even
> > in a RST/ACK status, shouldn't Tomcat terminate the connection
> > without an ACK from the client after the default timeout?
>
> Can you please post:
>
> 1. Complete Tomcat version
> 2. Connector configuration (possibly redacted)
>
> > Is there a graceful way to script the termination of threads in
> > case Tomcat isn't able to for whatever reason?
>
> Not really.

(First look at Mark's response on determining the root cause)

Well, there might be a way (if it is sane, I don't know). You can
configure a valve to look for seemingly stuck threads and try to
interrupt them:

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Stuck_Thread_Detection_Valve

There are a few caveats there. First, it only works when both
conditions are true:

 * the servlets are synchronous
 * the stuck thread can be "freed" with an Interrupt

But really, if your threads are stuck for more than 15 minutes, you have
ample time to take a thread dump and hopefully find the root cause,
so that you don't need this valve.

Felix

>
> > My research for killing threads results in system threads or
> > application threads, not Tomcat Connector connection threads, so
> > I'm not sure if this is even viable. I'm also looking into ways to
> > terminate these aged sessions via the F5. At this time I'm open to
> >  any suggestions that would be able to automate a resolution to
> > keep the system from experiencing downtime, or for any insight on
> > where to look for a root cause. Thanks in advance for any guidance
> > you can lend.
> It might actually be the F5 itself, especially if it opens up a large
> number of connections to Tomcat and then tries to open additional ones
> for some reason. If it opens 300 connections (which are then e.g.
> leaked by the F5 internally) but the 301st is refused, then your
> server is essentially inert from that point forward.
>
> NIO connectors default to max 10k connections so that's not likely the
> actual problem, here, but it could be for some configurations.
>
> Do you have a single F5 or a group of them?
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>





Re: Apache 8.5.57 shared class loader does not find its default classpath

2020-08-27 Thread Felix Schumacher
Are you sure that the Tomcat you reach under the IP and port is the
same as the one you reach by DNS?

Have you checked whether the Java version running Tomcat is new enough
to read the class lib.Text?

Are there any other errors in catalina.out or localhost.DATE.log in the
Tomcat instance that is throwing the error?

Felix

On 27.08.20 at 20:34, Carles Franquesa wrote:
> Chris,
>
> Thank you very much for the help. Follows the $unzip -v aprenonline.war
> output.
>
> I've put away a whole folder of sql sources that the war contains just to
> make this output shorter. The reference to Text.class is in the sixth
> position of WEB-INF files.
>
> This is it:
>
> Archive:  aprenonline.war
>  Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
> --------  ------  ------- ---- ---------- ----- --------  ----
>        0  Stored        0   0% 2020-08-27 13:18           META-INF/
>      103  Stored      103   0% 2020-08-27 13:18 3d32040a  META-INF/MANIFEST.MF
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/classes/
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/classes/lib/
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/classes/model/
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/classes/servlets/
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/classes/servlets/ao/
>
>        0  Stored        0   0% 2020-08-27 13:18           WEB-INF/lib/
>        0  Stored        0   0% 2020-08-27 13:18           ao/
>        0  Stored        0   0% 2020-08-27 13:18           ao/css/
>        0  Stored        0   0% 2020-08-27 13:18           confirma_preinscripcions/
>        0  Stored        0   0% 2020-08-27 13:18           css/
>        0  Stored        0   0% 2020-08-27 13:18           css/dialegs/
>        0  Stored        0   0% 2020-08-27 13:18           css/main/
>        0  Stored        0   0% 2020-08-27 13:18           css/parts/
>        0  Stored        0   0% 2020-08-27 13:18           cursos/
>        0  Stored        0   0% 2020-08-27 13:18           estat/
>        0  Stored        0   0% 2020-08-27 13:18           img/
>        0  Stored        0   0% 2020-08-27 13:18           js/
>        0  Stored        0   0% 2020-08-27 13:18           js/jquery/
>        0  Stored        0   0% 2020-08-27 13:18           mail_conegut/
>        0  Stored        0   0% 2020-08-27 13:18           matriculacio/
>        0  Stored        0   0% 2020-08-27 13:18           nou_estudiant/
>        0  Stored        0   0% 2020-08-27 13:18           pagament/
>        0  Stored        0   0% 2020-08-27 13:18           verificacio/
>       92  Stored       92   0% 2020-08-27 13:18 722fe088  META-INF/context.xml
>       88  Stored       88   0% 2020-08-27 13:18 386832d5  WEB-INF/classes/a.bat
>       84  Stored       84   0% 2020-08-27 13:18 05546721  WEB-INF/classes/l.bat
>     3045  Stored     3045   0% 2020-08-27 13:18 49e914c6  WEB-INF/classes/lib/Fitxer.class
>    17744  Stored    17744   0% 2020-08-27 13:18 ff442cb9  WEB-INF/classes/lib/Pagina.class
>     6104  Stored     6104   0% 2020-08-27 13:18 76df9796  WEB-INF/classes/lib/Registre.class
>     3047  Stored     3047   0% 2020-08-27 13:18 34720d8b  WEB-INF/classes/lib/Text.class
>     2679  Stored     2679   0% 2020-08-27 13:18 738d5f31  WEB-INF/classes/lib/csv.class
>      242  Stored      242   0% 2020-08-27 13:18 1052a3c9  WEB-INF/classes/lib/lib.class
>     1155  Stored     1155   0% 2020-08-27 13:18 3314a2b8  WEB-INF/classes/lib/numeriques.class
>      838  Stored      838   0% 2020-08-27 13:18 43515f3d  WEB-INF/classes/lib/sexe.class
>     1682  Stored     1682   0% 2020-08-27 13:18 1e7a0936  WEB-INF/classes/lib/temps.class
>     6217  Stored     6217   0% 2020-08-27 13:18 d127aa85  WEB-INF/classes/model/Connexio.class
>     1876  Stored     1876   0% 2020-08-27 13:18 7fd4edf3  WEB-INF/classes/model/curs.class
>     1311  Stored     1311   0% 2020-08-27 13:18 fd7b55be  WEB-INF/classes/model/docent.class
>     1658  Stored     1658   0% 2020-08-27 13:18 f085c9d9  WEB-INF/classes/model/estudiant.class
>     2404  Stored     2404   0% 2020-08-27 13:18 89836b06  WEB-INF/classes/model/persona.class
>     1012  Stored     1012   0% 2020-08-27 13:18 6604d075  WEB-INF/classes/model/preinscripcio.class
>       88  Stored       88   0% 2020-08-27 13:18 d5b1a89d  WEB-INF/classes/r.bat
>     1400  Stored     1400   0% 2020-08-27 13:18 2e06d9bb  WEB-INF/classes/servlets/FileLocationContextListener.class
>     6338  Stored     6338   0% 2020-08-27 13:18 8da94aec  WEB-INF/classes/servlets/UploadDownloadFileServlet.class
>     1365  Stored     1365   0% 2020-08-27 13:18 8aa46dad  WEB-INF/classes/servlets/ao/accepta_pendent.class
>     2650  Stored     2650   0% 2020-08-27 13:18 1b35e8ab  WEB-INF/classes/servlets/ao/acus_de_rebut.class
> 2301 

Re: Tomcat JDBC Pool Cleaner Deadlock Problem

2020-08-27 Thread Felix Schumacher


On 27.08.20 at 11:47, Gokhan Akgul wrote:
> Hi ,
>
> I have been facing the deadlock issue for the last 2 months  about
> JDBCPoolCleaner Thread .
>
> Following config set in context.xml
>
>   auth="Container"
>  type="javax.sql.DataSource"
>  factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
>  driverClassName="com.mysql.jdbc.Driver"
>  
> url="jdbc:mysql://adress:3306/db?useUnicode=truecharacterEncoding=latin5characterResultSet=latin5zeroDateTimeBehavior=convertToNullautoReconnect=trueinteractiveClient=true"
>  username="user"
>  password="pass"
>  initialSize="10"
>  maxActive="30"
>  maxIdle="15"
>  minIdle="10"
>  maxWait="3"
>  timeBetweenEvictionRunsMillis="5000"
>  minEvictableIdleTimeMillis="6"
>  removeAbandonedTimeout="600"
>  removeAbandoned="true"
>  logAbandoned="false"
>  testWhileIdle="true"
>  testOnBorrow="true"
>  testOnReturn="false"
>  validationQuery="/* ping */ SELECT 1"
>  validationInterval="3"
>  jmxEnabled="true"
>  
> jdbcInterceptors="ConnectionState;StatementFinalizer;ResetAbandonedTimer;SlowQueryReport"
> />
>
>
>
> Thread dump
>
> Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
> - waiting to lock <0x57dcb0b7> (a com.mysql.jdbc.JDBC4PreparedStatement)
>  owned by http-nio-8080-exec-8 id=25

So, Tomcat tries to close a connection that it thinks is abandoned
(i.e. in your setup hasn't been used for more than 600 seconds and the
pool of idle connections is getting empty).

The connection is still in use ...

> at com.mysql.jdbc.PreparedStatement.realClose(PreparedStatement.java:3078)
> at com.mysql.jdbc.ConnectionImpl.closeAllOpenStatements(ConnectionImpl.java:1584)
> at com.mysql.jdbc.ConnectionImpl.realClose(ConnectionImpl.java:4364)
> at com.mysql.jdbc.ConnectionImpl.close(ConnectionImpl.java:1556)
> at org.apache.tomcat.jdbc.pool.PooledConnection.disconnect(PooledConnection.java:388)
> at org.apache.tomcat.jdbc.pool.PooledConnection.release(PooledConnection.java:618)
> at org.apache.tomcat.jdbc.pool.ConnectionPool.release(ConnectionPool.java:612)
> at org.apache.tomcat.jdbc.pool.ConnectionPool.abandon(ConnectionPool.java:569)
> at org.apache.tomcat.jdbc.pool.ConnectionPool.checkAbandoned(ConnectionPool.java:999)
> at org.apache.tomcat.jdbc.pool.ConnectionPool$PoolCleaner.run(ConnectionPool.java:1468)
> at java.util.TimerThread.mainLoop(Timer.java:555)
> at java.util.TimerThread.run(Timer.java:505)
>
> Locked synchronizers: count = 1
>   - java.util.concurrent.locks.ReentrantReadWriteLock$NonfairSync@58039868
>
>
>
> http-nio-8080-exec-8 id=25 state=BLOCKED
> - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
>  owned by Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16

... by Hibernate. The question now is, how often is your healthcheck
getting called (every 10 min == 600s)?

If they are close together, you might want to set the abandoned timeout
higher than the healthcheck interval, or you could try to close the
connection (or whatever the equivalent is in Hibernate (a session?)) in
your code.

Felix

> at com.mysql.jdbc.ConnectionImpl.useAnsiQuotedIdentifiers(ConnectionImpl.java:5435)
> at com.mysql.jdbc.DatabaseMetaData.getIdentifierQuoteString(DatabaseMetaData.java:3269)
> at com.mysql.jdbc.DatabaseMetaData.<init>(DatabaseMetaData.java:675)
> at com.mysql.jdbc.JDBC4DatabaseMetaData.<init>(JDBC4DatabaseMetaData.java:39)
> at sun.reflect.GeneratedConstructorAccessor24.newInstance(Unknown Source)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
> at com.mysql.jdbc.DatabaseMetaData.getInstance(DatabaseMetaData.java:657)
> at com.mysql.jdbc.ConnectionImpl.getMetaData(ConnectionImpl.java:3064)
> at com.mysql.jdbc.ConnectionImpl.getMetaData(ConnectionImpl.java:3056)
> at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2315)
> at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.tomcat.jdbc.pool.interceptor.AbstractQueryReport$StatementProxy.invoke(AbstractQueryReport.java:210)
> at com.sun.proxy.$Proxy44.executeQuery(Unknown Source)
> at sun.reflect.GeneratedMethodAccessor43.invoke(Unknown Source)
> at 
> 
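
The quoted dump shows thread id=16 waiting for a monitor owned by id=25 while id=25 waits for one owned by id=16. As an added example (not part of the original thread, and not Tomcat or Connector/J code), this Python script parses dumps in that format and reports lock cycles plus the threads queued behind them; threads id=20 and id=31 in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the quoted stanzas are abridged from the dump in the mail
# (quote markers kept); threads id=20 and id=31 are invented for contrast.
SAMPLE_DUMP = """\
> Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16 state=BLOCKED
> - waiting to lock <0x57dcb0b7> (a com.mysql.jdbc.JDBC4PreparedStatement)
>  owned by http-nio-8080-exec-8 id=25
> at org.apache.tomcat.jdbc.pool.ConnectionPool.abandon(ConnectionPool.java:569)
>
> http-nio-8080-exec-8 id=25 state=BLOCKED
> - waiting to lock <0x42de9995> (a com.mysql.jdbc.JDBC4Connection)
>  owned by Tomcat JDBC Pool Cleaner[63445188:1598345711425] id=16
> at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2315)

http-nio-8080-exec-3 id=20 state=BLOCKED
- waiting to lock <0x57dcb0b7> (a com.mysql.jdbc.JDBC4PreparedStatement)
 owned by http-nio-8080-exec-8 id=25

http-nio-8080-exec-5 id=31 state=RUNNABLE
at java.net.SocketInputStream.socketRead0(Native Method)
"""

HEADER = re.compile(r"^(?P<name>.+?) id=(?P<tid>\d+) state=(?P<state>[A-Z_]+)")
WAITING = re.compile(r"waiting to lock <(?P<lock>0x[0-9a-fA-F]+)> \(a (?P<cls>[\w.$]+)\)")
OWNER = re.compile(r"owned by (?P<name>.+?) id=(?P<tid>\d+)$")


@dataclass
class ThreadInfo:
    tid: int
    name: str
    state: str
    lock: Optional[str] = None        # monitor the thread is waiting for
    lock_class: Optional[str] = None
    owner: Optional[int] = None       # id of the thread holding that monitor


def parse_dump(text: str) -> Dict[int, ThreadInfo]:
    """Parse 'name id=N state=S' stanzas; leading mail quote markers are ignored."""
    threads: Dict[int, ThreadInfo] = {}
    current: Optional[ThreadInfo] = None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        head = HEADER.match(line)
        if head:
            current = ThreadInfo(int(head["tid"]), head["name"], head["state"])
            threads[current.tid] = current
        elif current is not None:
            waiting, owner = WAITING.search(line), OWNER.search(line)
            if waiting:
                current.lock, current.lock_class = waiting["lock"], waiting["cls"]
            elif owner and current.lock and current.owner is None:
                current.owner = int(owner["tid"])
    return threads


def find_deadlocks(threads: Dict[int, ThreadInfo]) -> List[List[int]]:
    """Follow waits-for edges (thread -> lock owner); a revisited thread closes a cycle."""
    cycles, settled = [], set()
    for start in sorted(threads):
        path, pos, tid = [], {}, start
        while tid in threads and tid not in settled and tid not in pos:
            pos[tid] = len(path)
            path.append(tid)
            tid = threads[tid].owner
        if tid in pos:
            cycle = path[pos[tid]:]
            k = cycle.index(min(cycle))
            cycles.append(cycle[k:] + cycle[:k])  # rotate so the lowest id leads
        settled.update(path)
    return cycles


def blocked_behind(threads: Dict[int, ThreadInfo], cycles: List[List[int]]) -> List[int]:
    """Threads outside every cycle whose wait chain ends in a deadlocked thread."""
    stuck = {tid for cycle in cycles for tid in cycle}
    victims = []
    for tid in sorted(threads):
        seen, cur = set(), threads[tid].owner
        while tid not in stuck and cur in threads and cur not in seen:
            if cur in stuck:
                victims.append(tid)
                break
            seen.add(cur)
            cur = threads[cur].owner
    return victims


if __name__ == "__main__":
    dump = parse_dump(SAMPLE_DUMP)
    found = find_deadlocks(dump)
    for cycle in found:
        for tid in cycle:
            t = dump[tid]
            print(f"{t.name} id={tid} waits for {t.lock_class} held by id={t.owner}")
    print("blocked behind the cycle:", blocked_behind(dump, found))
```

A request thread listed as blocked behind the cycle never returns on its own, so each one is a connector thread lost until restart.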

Re: Allowing dir listing of root (/) dir of the machine

2020-08-25 Thread Felix Schumacher


On 24.08.20 at 16:41, Aryeh Friedman wrote:
> On Mon, Aug 24, 2020 at 4:27 AM Mark Thomas  wrote:
>
>> On 23/08/2020 22:05, Aryeh Friedman wrote:
>>> In order to allow my developers to quickly access any temporarily produced
>>> html files created/stored outside of webapps (such as those created by the
>>> jacoco test coverage tool) I want to allow read only access to the root
>>> directory of the development server (firewalled and all access outside of
>>> the LAN is disabled) via tomcat.   I can get it to do any directory
>>> *EXCEPT* / as the docBase but a docBase of "/" returns an empty dir listing
>>> (which is obviously wrong):
>>>
>>> In config/web.xml:
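>>> <servlet>
>>>     <servlet-name>default</servlet-name>
>>>     <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>     <init-param>
>>>         <param-name>debug</param-name>
>>>         <param-value>0</param-value>
>>>     </init-param>
>>>     <init-param>
>>>         <param-name>listings</param-name>
>>>         <param-value>true</param-value>
>>>     </init-param>
>>>     <load-on-startup>1</load-on-startup>
>>> </servlet>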
>> That should be sufficient to enable directory listings for all web
>> applications.
>>
>>> In server.xml (this works):
>>> >> unpackWARs="true" autoDeploy="true">
>>>
>>> 
>>> 
>>>
>>> 
>>> >> directory="logs"
>>>prefix="localhost_access_log" suffix=".txt"
>>>pattern="%h %l %u %t %r %s %b" />
>>> 
>>> 
>> I'd do this with a ROOT.xml file in
>> $CATALINA_BASE/conf/Catalina/localhost but the above should work.
>>
>>> But this does not work:
>>> 
>> The docBase is not correct (it should be "") but Tomcat probably will
>> let you get away with that.
>>
>>
> Tried and it gives me /usr/local/apache-tomcat-9.0/webapps as the effective
> dir.   This is *NOT* what I meant by the root dir I meant the one that is
> the highest point in the file system hierarchy (i.e. the one you get when
> at a shell prompt when you type "cd /") [this is for a Unix machine of
> course since Windows has no concept of such a directory/folder]

It seems that Tomcat will do a bit of cleanup on the paths you specify
in docBase. If I read it correctly, ContextConfig#fixDocBase will
convert the base you give to a canonical representation and remove the
leading slash. Therefore, if you specify docBase="/" (to indicate the
mount point "/" aka root of the filesystem), Tomcat will change it to
"", which then (and this is guessing) could lead to a state where Tomcat
doesn't know where to find any files.

I believe there is no easy (safe/sane) way to get Tomcat (that is the
DefaultServlet) to serve the OS root as you want to have it. There are
probably other things you can do to achieve your goals. Use a real
file manager app inside of Tomcat, or use another lightweight HTTP server
(if you really want to use HTTP for this). Python3 has a built-in module
http.server, which could be used to do this with a one-liner in shell.

But, as others already said: Be careful!

Felix

>
>
>> I tested this locally and it works as expected.
>>
>> Maybe a file permissions issue?
>>
>> Mark
>>
>>
>>
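
A careful form of the http.server idea from the reply above, as an added example (not from the thread or from Tomcat): it serves one report directory instead of "/", binds to a single address, and refuses paths whose symlinks resolve outside that directory. The names is_confined, ConfinedHandler and make_server and the default bind address and port are assumptions of this example.

```python
import functools
import os
import sys
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def is_confined(root: str, candidate: str) -> bool:
    """True if candidate, after resolving symlinks and '..', lies inside root."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


class ConfinedHandler(SimpleHTTPRequestHandler):
    """GET/HEAD only (the base class implements nothing else), kept to one tree."""

    def send_head(self):
        # translate_path() maps the URL below self.directory, but the file
        # open that follows would still follow a symlink pointing elsewhere.
        if not is_confined(self.directory, self.translate_path(self.path)):
            self.send_error(404, "File not found")
            return None
        return super().send_head()


def make_server(root: str, bind: str = "127.0.0.1", port: int = 8000) -> ThreadingHTTPServer:
    """Build a server for one directory; the filesystem root itself is refused."""
    if os.path.realpath(root) == os.path.realpath(os.sep):
        raise ValueError("refusing to serve the filesystem root")
    handler = functools.partial(ConfinedHandler, directory=root)
    return ThreadingHTTPServer((bind, port), handler)


if __name__ == "__main__":
    # Usage: python3 serve_reports.py REPORT_DIR [BIND_ADDRESS] [PORT]
    report_dir = sys.argv[1]
    bind_addr = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    tcp_port = int(sys.argv[3]) if len(sys.argv) > 3 else 8000
    with make_server(report_dir, bind_addr, tcp_port) as httpd:
        print(f"serving {os.path.realpath(report_dir)} on {bind_addr}:{tcp_port}")
        httpd.serve_forever()
```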




Re: Logging Rewrite Activity

2020-08-09 Thread Felix Schumacher


On 06.08.20 at 21:36, Jerry Malcolm wrote:
> How do I configure TC to log the activities of the RewriteValve?  I added
>
> org.apache.catalina.valves.rewrite.RewriteValve.level = FINE
>
> to logging.properties.  But I'm not seeing any output related to
> rewrite. Do I have the logging config wrong?  Am I looking in the
> wrong place for the log data?

Where are you looking?

The config in logging.properties is the right place (assuming you edited
the $CATALINA_BASE/conf/logging.properties file).

Felix

>
> Thx
>
> Jerry
>
>
>




Re: Tomcat 8.5.(x > 5) & SSL Connections (sun.security.provider.certpath.SunCertPathBuilderException)

2020-08-09 Thread Felix Schumacher
Hi David,

When debugging SSL problems, it is important to know which certs are
the troublemakers. Are those errors reported when tomcat is used as a
client or as a server?

Try to get more information about the cert that is making problems. I
always try to get the cert with an openssl command like

: | openssl x509 -text

It will print out a lot of information about the cert of the target you
want to access (I assume, that you use tomcat as a client, that is your
app code is the client).

Problems with a cert could arise from an old hashing algorithm, a
signing CA that your trust store doesn't trust, a signature algorithm, ...

If you want to debug yourself a bit further, you could switch on the
debugging of certs/ssl stuff by setting the JVM system property
javax.net.debug=all (or a bit less).

As a tip, I would add properties via $CATALINA_BASE/bin/setenv.sh
instead of editing catalina.sh.

Cert problems depend on the trust store you are using and each JVM
brings its own set of trusted CA certs, so be sure to have a look at
the used JVMs. Which worked, which doesn't?

Hope this will help you debugging the problem further.

Felix

On 09.08.20 at 00:16, David Filip wrote:
> Well, it is not consistent ... sometimes when I stop and start it from the
> command line it works, and other times it doesn't, but every time it is
> getting the -Djavax.net.ssl.trustStore parameter ...
> which I check by doing a:
>
> $ ps -aef | grep java | tr ' ' '\n'
>
> which lists each parameter on a separate line.  So I wish it were that 
> simple, but it does not appear to be so.  But specifically to answer your 
> question, I use this script to toggle tomcat on and off:
>
> # tomcat
> #
> # Start / Stop Tomcat Application Server
> #
> # - If tomcat is running, stop it
> # - if tomcat is not running, start it
> #
> # 24-Apr-2010 - DEF, original coding
> #
>
> found=`ps -aef | grep /Library/Tomcat/bin/bootstrap.jar | grep -v grep | wc -l`
>
> if [ $found -eq 0 ]
> then
>   echo Starting Tomcat Application Server ...
>   sudo launchctl load /Library/LaunchDaemons/org.apache.tomcat.plist
> else
>   echo Stopping Tomcat Application Server ...
>   sudo launchctl unload /Library/LaunchDaemons/org.apache.tomcat.plist
> fi
>
> And the org.apache.tomcat.plist contains:
>
> 
>  "http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
>   
>   Label
>   org.apache.tomcat
>   RunAtLoad
>   
>   ProgramArguments
>   
>   /Library/Tomcat/bin/catalina.sh
>   run
>   
>   StandardOutPath
>   /tmp/Tomcat.log
>   UserName
>   tomcat
>   
> 
>
> so it is using catalina.sh.  But right now, I just ran this command:
>
> $ ps -aef | grep java | tr ' ' '\n' | grep -- '-D'
> -Djava.util.logging.config.file=/Library/Tomcat/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Dbis.home=/home/infodesk
> -Dbis.download=/tmp
> -Dinfodoc.home=/home/infodesk
> -Dinfodoc.download=/tmp
> -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts
> -Djdk.tls.ephemeralDHKeySize=2048
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> -Djava.endorsed.dirs=/Library/Tomcat/endorsed
> -Dcatalina.base=/Library/Tomcat
> -Dcatalina.home=/Library/Tomcat
> -Djava.io.tmpdir=/Library/Tomcat/temp
>
> and that file exists:
>
> $ ls -l /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts
> -rw-rw-r--  1 root  wheel  115588 Dec  1  2019 /Library/Java/JavaVirtualMachines/jdk1.8.0_121.jdk/Contents/Home/jre/lib/security/cacerts
>
> but I am getting the error:
>
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
>
> However, I may have previously misspoken, as I *thought* it was related to 
> Apache 8.5.x, because I saw it on the new server with 8.5.57 but not an older 
> server running 7.0.x, and when I upgraded the old 7.0.x server to 8.5.57 it 
> immediately began to exhibit the problem.  So cause and effect, right?  But I 
> just downgraded the old server back to 7.0.x, and I am still seeing the 
> problem!  Ugh!
>
> So I tried running the same app on an 8.5.37 server running on AWS Linux 2 
> (similar to CentOS 7), and it works fine there, even after stopping and 
> starting the Tomcat server 6 (!) times -- just because I don't trust anything 
> right now.
>
> My original thought -- which I did not previously share because I convinced 
> myself it was crazy -- was that I first noticed the problem after I applied 
> the latest macOS security patch.  However, once I saw that the Tomcat 7.0.x 
> server 

Re: Tomcat 9.0.12 shows in browser but tomcat8 installed

2020-07-12 Thread Felix Schumacher


On 12.07.20 at 10:14, Christoph Kukulies wrote:
> Strange. I’m running an apache2 and a tomcat8 (AFAIK) on my server.
>
>
> When I open a browser on my server remotely and enter http://localhost:8080/ 
>  I’m getting the tomcat
> congratulations page saying:
>
> Apache Tomcat/9.0.12
>
> How can I determine which tomcat I’m running? Could it be that I once had 
> installed Tomcat 9 and it is still installed as a service?
> System is Ubuntu 18.04.4.

I would first have a look at which process is running on port 8080 and
which processes are likely to be tomcats:

$ ss -pln | grep 8080
tcp    LISTEN  0   100   *:8080   *:*  users:(("java",pid=460709,fd=40))

and

$ ps aux | grep catalina
felix 460709  3.1  0.8 8353292 137908 pts/0  Sl   11:13   0:05
/usr/lib/jvm/jdk-14.0.1+7/bin/java
-Djava.util.logging.config.file=/home/felix/Developer/tomcat/output/build/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Dignore.endorsed.dirs= -classpath
/home/felix/Developer/tomcat/output/build/bin/bootstrap.jar:/home/felix/Developer/tomcat/output/build/bin/tomcat-juli.jar
-Dcatalina.base=/home/felix/Developer/tomcat/output/build
-Dcatalina.home=/home/felix/Developer/tomcat/output/build
-Djava.io.tmpdir=/home/felix/Developer/tomcat/output/build/temp
org.apache.catalina.startup.Bootstrap start

On my machine, there is one process listening on port 8080 (pid=460709)
and one process likely a tomcat (which has surprisingly the same pid :) )

After that, I would have a look into the directories listed as
catalina.base and catalina.home (which in this example are identical)
and try to decide, whether they were part of a system package
installation or a manual installation.

If I still don't know what to do next, I would come back to the mailing
list with the information I found out by this. Maybe enhanced with the
output of (dpkg -l | grep -i tomcat)

Felix

>
>
> Christoph 
>
>
>
>




Re: broken pipe error keeps increasing open files

2020-06-22 Thread Felix Schumacher


On 22.06.20 at 13:22, Ayub Khan wrote:
> Felix,
>
> I executed ls -l /proc/$(cat /var/run/tomcat8.pid)/fd/ and  from the output
> I see majority of them are related to sockets as shown below, some of them
> point to the jar file of tomcat and others to the log file which is created.
>
>  socket:[2084570754]
>  socket:[2084579487]
>  socket:[2084578478]
> socket:[2084570167]

Can you try the other command (lsof -p $(cat ...tomcat.pid))? It should
give a bit more detail on the used sockets than the proc directory.

Felix

>
> On Mon, Jun 22, 2020 at 1:28 PM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> On 22.06.20 at 11:41, Ayub Khan wrote:
>>> Chris,
>>>
>>> I am using HikariCP for connection pooling. If the database is leaking
>>> connections then I should see connection not available exception.
>>>
>>> How do I find out which file descriptors are leaking ?  these are not files
>>> open on disk as there is no explicit disk file I/O in this application.
>>>
>>> I just use the below command to check for open file descriptors:
>>>
>>> watch "sudo ls /proc/`cat /var/run/tomcat8.pid`/fd/ | wc -l"
>> You could have a look at the name of the files in the pids proc directory.
>>
>>  $ ls -l /proc/$(cat /var/run/tomcat8.pid)/fd/
>>
>> Or you could use the tool lsof to find the open file descriptors.
>>
>>  $ lsof -p $(cat /var/run/tomcat8.pid)
>>
>> For both calls you should first change to the uid of the tomcat user or
>> use sudo as in your example.
>>
>> Felix
>>
>>> Thanks and Regards
>>> Ayub
>>>
>>> On Sun, Jun 21, 2020 at 8:18 PM Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
>>> Ayub,
>>>
>>> On 6/20/20 11:51, Ayub Khan wrote:
>>>>>> Sorry we are using  8.0.32 version of tomcat.
>>>>>>
>>>>>> below is the configuration:
>>>>>>
>>>>>> Server version: Apache Tomcat/8.0.32 (Ubuntu) Server built:   Jan
>>>>>> 24 2020 16:24:30 UTC Server number:  8.0.32.0 OS Name:
>>>>>> Linux OS Version: 4.4.0-1087-aws Architecture:   amd64 JVM
>>>>>> Version:1.8.0_181-b13 JVM Vendor: Oracle Corporation
>>>>>>
>>>>>> I use the below command to check the file descriptors:
>>>>>>
>>>>>> watch "sudo ls /proc/`cat /var/run/tomcat8.pid`/fd/ | wc -l"
>>> So you know there is some kind of increase in file-handle use, but you
>>> don't know what types of file handles are increasing, right?
>>>
>>> Can you try to find out which kinds of file handles are increasing?
>>>
>>> I have a sneaking suspicion that it's your database connections and
>>> not actually files open on the disk.
>>>
>>> Are you using a database connection pool? If not, you should really
>>> use one and limit the number of connections to something sane. If you
>>> are using one, are you monitoring it to see how many connections are
>>> actually being used? Are you sure you are using proper resource
>>> management[1]? Even a single code-path that leaks connections can leak
>>> them quickly under load.
>>>
>>>>>> When there an issue related to broken files, this value keeps
>>>>>> increasing, the only way to bring it down is to remove vm instance
>>>>>> from AWS load balancer.> Which version of tomcat should I install
>>>>>> ?
>>> Tomcat 8.0.x hasn't been supported since its last release on 29 June
>>> 2018. That was 8.0.53. Your release is from 8 February 2016 and is
>>> dangerously out of date (unless you are using the Ubuntu-packaged
>>> version, in which case I hope they kept-up with security patches thee
>>> past 4 years).
>>>
>>> -chris
>>>
>>>>>> On Sat, Jun 20, 2020 at 6:28 PM Christopher Schultz <
>>>>>> ch...@christopherschultz.net> wrote:
>>>>>>
>>>>>> Ayub,
>>>>>>
>>>>>> On 6/19/20 16:46, Ayub Khan wrote:
>>>>>>>>> tomcat 8.5 broken pipe increases open files on ubuntu AWS
>>>>>> Which exact version of Tomcat 8.5? If you aren't running the
>>>>>> latest version (8.5.56), please upgrade and re-test.
>>>>>>
>>>>>>>>> If there is slow response f

Re: broken pipe error keeps increasing open files

2020-06-22 Thread Felix Schumacher


On 22.06.20 at 11:41, Ayub Khan wrote:
> Chris,
>
> I am using HikariCP for connection pooling. If the database is leaking
> connections then I should see connection not available exception.
>
> How do I find out which file descriptors are leaking ?  these are not files
> open on disk as there is no explicit disk file I/O in this application.
>
> I just use the below command to check for open file descriptors:
>

> watch "sudo ls /proc/`cat /var/run/tomcat8.pid`/fd/ | wc -l"

You could have a look at the name of the files in the pids proc directory.

 $ ls -l /proc/$(cat /var/run/tomcat8.pid)/fd/

Or you could use the tool lsof to find the open file descriptors.

 $ lsof -p $(cat /var/run/tomcat8.pid)

For both calls you should first change to the uid of the tomcat user or
use sudo as in your example.

Felix

>
> Thanks and Regards
> Ayub
>
> On Sun, Jun 21, 2020 at 8:18 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Ayub,
>
> On 6/20/20 11:51, Ayub Khan wrote:
> >>> Sorry we are using  8.0.32 version of tomcat.
> >>>
> >>> below is the configuration:
> >>>
> >>> Server version: Apache Tomcat/8.0.32 (Ubuntu) Server built:   Jan
> >>> 24 2020 16:24:30 UTC Server number:  8.0.32.0 OS Name:
> >>> Linux OS Version: 4.4.0-1087-aws Architecture:   amd64 JVM
> >>> Version:    1.8.0_181-b13 JVM Vendor: Oracle Corporation
> >>>
> >>> I use the below command to check the file descriptors:
> >>>
> >>> watch "sudo ls /proc/`cat /var/run/tomcat8.pid`/fd/ | wc -l"
>
> So you know there is some kind of increase in file-handle use, but you
> don't know what types of file handles are increasing, right?
>
> Can you try to find out which kinds of file handles are increasing?
>
> I have a sneaking suspicion that it's your database connections and
> not actually files open on the disk.
>
> Are you using a database connection pool? If not, you should really
> use one and limit the number of connections to something sane. If you
> are using one, are you monitoring it to see how many connections are
> actually being used? Are you sure you are using proper resource
> management[1]? Even a single code-path that leaks connections can leak
> them quickly under load.
>
> >>> When there an issue related to broken files, this value keeps
> >>> increasing, the only way to bring it down is to remove vm instance
> >>> from AWS load balancer.> Which version of tomcat should I install
> >>> ?
>
> Tomcat 8.0.x hasn't been supported since its last release on 29 June
> 2018. That was 8.0.53. Your release is from 8 February 2016 and is
> dangerously out of date (unless you are using the Ubuntu-packaged
> version, in which case I hope they kept-up with security patches thee
> past 4 years).
>
> -chris
>
> >>> On Sat, Jun 20, 2020 at 6:28 PM Christopher Schultz <
> >>> ch...@christopherschultz.net> wrote:
> >>>
> >>> Ayub,
> >>>
> >>> On 6/19/20 16:46, Ayub Khan wrote:
> >> tomcat 8.5 broken pipe increases open files on ubuntu AWS
> >>>
> >>> Which exact version of Tomcat 8.5? If you aren't running the
> >>> latest version (8.5.56), please upgrade and re-test.
> >>>
> >> If there is slow response from db I see this stack trace and
> >> the open files goes high and the only way to open files go
> >> down is to remove the instance from Amazon load balancer.
> >>
> >> Is there a way to keep the open files low even when Broken
> >> pipe error is thrown ?
> >>>
> >>> What is your evidence that file handles are being left open?
> >>>
> >>> Which file handles are being left open?
> >>>
> >>> -chris
> 
> 
> 
> >>>
>>
>>
>>
>
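
The fd listing discussed in this thread only yields names such as socket:[2084570754]. As an added example (not part of the original mails), this Python script groups the link targets by kind and resolves socket inodes against /proc/net/tcp and /proc/net/tcp6 text to get TCP state and peer address; the table rows, addresses, paths and the fifth inode in the sample are constructed, and the byte order assumes a little-endian host.

```python
import os
import socket
import struct
from collections import Counter

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}
V4_MAPPED = bytes(10) + b"\xff\xff"

# Constructed sample. The first four socket inodes are the ones quoted in the
# thread; everything else (paths, pipe, table rows, addresses) is invented.
SAMPLE_FD_TARGETS = [
    "socket:[2084570754]", "socket:[2084579487]", "socket:[2084578478]",
    "socket:[2084570167]", "socket:[2084999999]", "pipe:[31337]",
    "anon_inode:[eventpoll]", "/opt/tomcat-example/bin/bootstrap.jar",
    "/opt/tomcat-example/logs/catalina.out",
]
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   111        0 2084570167 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:1F90 630200C0:C350 08 00000000:00000001 00:00000000 00000000   111        0 2084570754 1 0000000000000000 20 4 30 10 -1
   2: 0A0200C0:1F90 630200C0:C351 08 00000000:00000001 00:00000000 00000000   111        0 2084579487 1 0000000000000000 20 4 30 10 -1
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000A0200C0:D431 0000000000000000FFFF0000140200C0:0CEA 01 00000000:00000000 00:00000000 00000000   111        0 2084578478 1 0000000000000000 20 4 30 10 -1
"""


def classify(target):
    """Kind of object an fd link target names: socket, pipe, anon_inode or file."""
    for prefix in ("socket", "pipe", "anon_inode"):
        if target.startswith(prefix + ":"):
            return prefix
    return "file"


def decode_addr(hexaddr):
    """'0A0200C0:1F90' -> ('192.0.2.10', 8080); also handles /proc/net/tcp6."""
    host, port = hexaddr.split(":")
    # The kernel prints each 32-bit word in host byte order; "<I" assumes a
    # little-endian host such as the amd64 machine in the thread.
    raw = b"".join(struct.pack("<I", int(host[i:i + 8], 16))
                   for i in range(0, len(host), 8))
    if len(raw) == 16 and raw[:12] == V4_MAPPED:
        raw = raw[12:]  # IPv4 peer on a dual-stack (IPv6) socket
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port, 16)


def parse_proc_net_tcp(text):
    """Map socket inode -> (state, local, remote) from tcp/tcp6 table text."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue  # header or short line
        table[f[9]] = (TCP_STATES.get(f[3], f[3]), decode_addr(f[1]), decode_addr(f[2]))
    return table


def summarise(fd_targets, tcp_text):
    """Return (count per fd kind, count per (TCP state, peer address))."""
    table = parse_proc_net_tcp(tcp_text)
    kinds, sockets = Counter(), Counter()
    for target in fd_targets:
        kind = classify(target)
        kinds[kind] += 1
        if kind == "socket":
            inode = target[len("socket:["):-1]
            state, _local, remote = table.get(inode, ("NOT_TCP", None, ("-", 0)))
            sockets[(state, remote[0])] += 1
    return kinds, sockets


def read_fd_targets(pid):
    """Live input on Linux: the link targets under /proc/<pid>/fd (needs privileges)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for fd in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:  # fd was closed between listdir() and readlink()
            pass
    return targets


if __name__ == "__main__":
    # Live use: summarise(read_fd_targets(pid), text of /proc/<pid>/net/tcp + tcp6)
    by_kind, by_socket = summarise(SAMPLE_FD_TARGETS, SAMPLE_PROC_NET_TCP)
    print(dict(by_kind))
    for (state, peer), count in by_socket.most_common():
        print(f"{count:4d}  {state:<12} {peer}")
```

Comparing two runs taken a few minutes apart shows which (state, peer) bucket is growing, which is the question asked in the thread.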





Re: Aw: Re: Fix for CVE-2020-1938

2020-03-05 Thread Felix Schumacher

On 05.03.2020 08:12, Jürgen Göres wrote:


Ghostcat is the name of a malware strain that has been around since at
least October last year. When referencing vulnerabilities it is best to
stick to the CVE reference since they should be unique (and if something
goes wrong and they aren't there are procedures to get them re-issued so
they are).

we are using Tomcat 9.0.x and 8.5.x in our stack. We make use of the
AJP protocol since we use Apache HTTPD as reverse proxy and found it
to be mostly hassle-free over the last few years, so we would like to
continue using it.
Since the HTTPD and the Tomcats are in general not on the same nodes,
the AJP connector has to listen on all interfaces.
My first question is: what value do I need to set in the "address"
attribute to indicate that I want the connector to listen on ALL
interfaces (for IPv4 AND IPv6)? Maybe that should be documented. :-)


It will vary by system. Some systems can't listen on both IPv4 and IPv6
with a single socket. Usually either "::" or "0.0.0.0" will have the
desired result.


That is a bit of a problem for us. In the environments we support (Win
and Linux), from my observation the connectors would successfully bind
to both IPv4 and IPv6 addresses. Since we have customers that use
either IPv4, IPv6, or both and often have multiple interfaces on their
machines, we cannot know which address/interface (or even which IP
version) to bind to. And up to now, we didn't have to worry about it.
Now our installation routine would somehow need to find out whether it
should put a "::" or a "0.0.0.0" in the "address" attribute. What was
"zero conf" for us so far now suddenly becomes a new source for
problems (=customer calls).
Is there no way to optionally configure the old binding behaviour for
the AJP connector?


Have you tried using either of the given configurations on your system?

I believe Thomas wanted to point out that there are systems that can't
bind to both, but that depends on your system, so we can't tell you if
it works for you.


In my experience both of the configs will work and bind to both types,
IPv4 and IPv6.


Felix





So the question is: is the root cause actually fixed?


Yes.


Great, thx. :-)


The very nature of the AJP protocol is such that clients have to be
trusted.
Tomcat trusts the "real" client IP address provided. That could be used
for access control.
Tomcat may be configured to trust the authenticated user name provided.
That almost certainly will then be used for access control.


So far, we had instructions for our customers to not expose the AJP
ports (or any other internal ports of other components in our stack).
However, I am pretty sure that there are installations out there where
these ports are exposed (hopefully only on the intranet).
In any case, we will update to the latest Tomcat version (but need to
find a way to solve the "to which interface should we bind" problem
without too much hassle for customers), and in addition will also try
to use the "secret" approach to secure access to the AJP connectors,
so that even those customers that ignored the security guidelines will
not be affected by other possible attacks over the AJP protocol.



If it is, what is the recommended mitigation? We consider using the
"secret" feature (the filtering by request attributes is infeasible
for us), but that would be a bit of effort and we are in a hurry.


It would be unusual for an application to be using request attributes
directly. These have to be explicitly set in the reverse proxy and are
normally used for the reverse proxy to pass information to Tomcat about
the client etc.


I was under the naive assumption that "request attributes" meant
"HTTP request attributes". ;-)
If I understand you right here we are talking about attributes used in
the AJP protocol to convey info between reverse proxy and Tomcat.
Like info about the true client IP address (i.e., an AJP equivalent to
HTTP's X-Forwarded-For header).



- setting up a dedicated subnet for reverse proxy to Tomcat
communication;
- configuring a firewall on the Tomcat box to only accept connections
to the AJP port from specific hosts


That is what we advise our customers to do.

For any network configuration you can configure a shared secret for the
reverse proxy workers and the AJP connector.


And since this is closest to "zero config" we can get, this is what we
will do on perspective.

Regards

JG


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
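
A check for the AJP settings discussed in this thread (the "address" attribute and the "secret" feature), as an added example that is not code from the thread or from the Tomcat project: it audits a server.xml for AJP connectors that trust every client. Both server.xml fragments are constructed; secretRequired, requiredSecret and allowedRequestAttributesPattern are AJP connector attributes of current Tomcat releases that the thread does not spell out.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AJP listener on every IPv4 interface, no shared secret.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" />
  </Service>
</Server>
"""

# Constructed sample: still listens on all interfaces (the setup asked about
# in the thread), but the reverse proxy has to present the shared secret.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="::"
               secret="PLACEHOLDER-use-a-long-random-value"
               secretRequired="true" />
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def is_ajp(connector):
    """True for protocol="AJP/1.3" or an explicit org.apache.coyote.ajp.* class."""
    protocol = connector.get("protocol", "")
    return protocol.upper().startswith("AJP/") or ".ajp." in protocol


def audit_connector(connector):
    """Return (level, port, message) findings for one AJP <Connector>."""
    port = connector.get("port", "?")
    findings = []

    # "secret" is the current attribute name, "requiredSecret" the older one.
    secret = connector.get("secret") or connector.get("requiredSecret") or ""
    if not secret:
        message = ("no shared secret: every host that reaches this port "
                   "is trusted as the reverse proxy")
        if connector.get("secretRequired", "").lower() == "false":
            message += " (secretRequired is explicitly false)"
        findings.append(("HIGH", port, message))
    elif not connector.get("secret"):
        findings.append(("NOTE", port,
                         "uses the deprecated attribute name requiredSecret; "
                         "rename it to secret"))

    address = connector.get("address")
    if address is None:
        findings.append(("NOTE", port,
                         "address is not set; the bind default differs between "
                         "Tomcat releases, so state it explicitly"))
    elif address in WILDCARD_ADDRESSES:
        findings.append(("NOTE", port,
                         "listens on all interfaces (%s); limit the port to the "
                         "reverse proxy hosts with a firewall or a dedicated "
                         "subnet" % address))

    # A catch-all pattern lets the AJP peer set arbitrary request attributes.
    if connector.get("allowedRequestAttributesPattern") == ".*":
        findings.append(("NOTE", port,
                         "allowedRequestAttributesPattern accepts every "
                         "request attribute name"))
    return findings


def audit_server_xml(text):
    """Audit every AJP connector found in the text of a server.xml."""
    root = ET.fromstring(text)
    findings = []
    for connector in root.iter("Connector"):
        if is_ajp(connector):
            findings.extend(audit_connector(connector))
    return findings


if __name__ == "__main__":
    samples = (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML))
    for name, xml_text in samples:
        print("== %s ==" % name)
        for level, port, message in audit_server_xml(xml_text):
            print("[%s] AJP connector on port %s: %s" % (level, port, message))
```

The reverse proxy has to send the same value: mod_jk takes it as the worker's secret property, mod_proxy_ajp as the secret= parameter of the worker.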



Re: Expression Language ${initParam.whatever} not working

2020-02-11 Thread Felix Schumacher

On 10.02.2020 22:43, Richard Monson-Haefel wrote:

Thanks, Mark. Your explanation was good but the code didn't do it.


Then try

 ${pageContext.servletConfig.getInitParameter("greeting_color")}

Felix



On Mon, Feb 10, 2020 at 12:10 PM Mark Thomas  wrote:


On 10/02/2020 18:03, Richard Monson-Haefel wrote:
> Hi Simon,
>
> Thanks for the response but I don't think that is the issue. I can use
the
>  instead, but I want to use the initParam for the JSP page
> which is named and mapped in the  element.  Perhaps I'm still
> missing something.

The EL implicit object initParam holds the *ServletContext*'s init
params, not the Servlet's.

You probably want something like (untested)

${ pageContext.servletConfig.initParameter("greeting_color") }

Mark


>
> On Mon, Feb 10, 2020 at 12:00 PM Simon Funnell 
> wrote:
>
>> In your web.xml you want:
>>
>> 
>> greeting_color
>> green
>>   
>>
>> I think you have defined an initialization parameter for the servlet, not
>> the context.
>>
>> On Mon, 10 Feb 2020 at 17:54, Richard Monson-Haefel <
>> monsonhae...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> Tomcat version: 9.0.30
>>> Operating System: macOS 10.15.2
>>>
>>> While I can access my initParam via a JSP scriptlet I cannot access the
>>> same initial parameter EL expression.
>>>
>>> Here is the JSP code I'm using
>>>
>>> 
>>>   
>>> 
>>> >> %>">Hello ${param.name} from
hello.jsp
>>>
>>> 
>>> color is ${initParam["greeting_color"]}
>>>   
>>> 
>>>
>>> Here is my web.xml declaring the initial parameters
>>>
>>> http://xmlns.jcp.org/xml/ns/javaee;
>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
>>>   xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
>>>
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd
>> "
>>>   version="4.0"
>>>   metadata-complete="true">
>>>
>>>
>>>   
>>>   
>>>   HiJsp
>>>   /hello.jsp
>>>   
>>>   greeting_color
>>>   green
>>>   
>>>   
>>>   
>>>   HiJsp
>>>   /hola/*
>>>   
>>> 
>>>
>>> Here is the output (source)
>>>
>>> 
>>> 
>>> 
>>> Hello richard from
>>> hello.jsp
>>> 
>>> color is
>>> 
>>> 
>>>
>>> I don't understand why the JSP expression <%= %> works but the EL
>>> expression ${ } doesn't.  I've tried many variations and other EL implicit
>>> objects I've tried worked fine.
>>>
>>> What am I missing?
>>>
>>> The WAR is attached for your convenience.
>>>
>>>
>>>
>>> --
>>> Richard Monson-Haefel
>>> https://twitter.com/rmonson
>>> https://www.linkedin.com/in/monsonhaefel/
>>>
>>
>
>





Re: Installing a program designed for Tomcat 5.5 on Tomcat 9

2020-02-09 Thread Felix Schumacher

On 09.02.20 at 22:28, Shane Johnson wrote:
> Attached is a screen shot copy of the files it extracts to the Shared
> folder the classes folder it creates is empty. I do now recall there
> were some similar file names to ones already in the library

Attachments tend to get removed on this mailing list - as has happened
to your image. Could you post the content as text?

Felix

>
> On Sun, Feb 9, 2020 at 11:36 AM Felix Schumacher
>  <mailto:felix.schumac...@internetallee.de>> wrote:
>
>
> On 09.02.20 at 18:46, Shane Johnson wrote:
> > I extracted the shared folder to my desktop to see what was in
> it. It
> > contains 2 folders Classes and lib, with 24 jar files in the lib
> folder. I
> > did try extracting it to the Libraries in the tomcat tree and
> running the
> > program with no success. I now am wiping the installation of
> tomcat and
> > extracted program and doing a full reload. This next time I am
> going to try
> > to move the Library files in the tomcat 9 directory into a
> folder named
> > shared by altering the directory tree first prior to extracting the
> > program. I think I read in the docs somewhere there is a command
> line that
> > can do this so tomcat knows where to look for the library and shared
> > library files.  Any more suggestions would be welcome.
>
> Try to do what Mark suggested :) The shared class loader has been
> "replaced by/merged with" the common loader. The common loader
> holds all
> classes and libs, that are common (shared) across all webapps.
>
> Copy everything (watch out for jars with same/similar names) that you
> found in your extracted shared folder into the lib folder. (If there
> really is a folder called Classes, that contains the class structures,
> copy the files/folders from inside Classes into the top level lib/
> folder.)
>
> It might help, if you post the elements of your shared folder, so that
> others can have a better guess on where to copy those.
>
> If you want to get fancy, you can edit conf/catalina.properties and edit
> the property "common.loader" to include your shared folder. Be sure to
> add both entries for the classes and the jar files.
>
> You might want to have a look at RUNNING.txt. There is a
> description on
> how to setup tomcat for multiple installations. Those setups are -
> in my
> opinion - easier to play with, as you are not messing with the
> original
> installation but a minimal shallow copy.
>
> Felix
>
> >
> > On Sun, Feb 9, 2020 at 5:09 AM Konstantin Kolinko
> mailto:knst.koli...@gmail.com>>
> > wrote:
> >
> >> Sun, Feb 9, 2020 at 02:12, Peter Rader  <mailto:p.ra...@gmx.net>>:
> >>>
> >>>> I am currently trying to install a program designed to
> operate on Win
> >> XP 32
> >>>> and earlier on to a Win 10 environment. The program extracts
> to the
> >> Shared
> >>>> and Webapps folders of Tomcat 5.5 and uses a SQL database. After
> >> converting
> >>>> the database and installing it on SQL 2017 I added the JDBC
> connector
> >> and
> >>>> downloaded and installed tomcat 9 only to find there is no shared
> >> folder to
> >>>> extract the shared files to. Any suggestions?
> >>> Hm, shared ... do you mean the endorsed folder? From old apps
> I remember
> >> that some jdbc-jars have to be placed in tomcat's endorsed folder.
> >>> I am pretty sure that you could use the JVM/JDK's endorsed
> folder. They
> >> usually have their place in \lib\endorsed .
> >>
> >> Endorsed folder is a different beast. Please do not put
> anything there.
> >>
> >> Tomcat 5.5 documentation is still available online (if you know the
> >> address to type it in a browser's address bar) [1] The closest
> analogy
> >> to the "Shared" classloader in current Tomcat is the "Common"
> >> classloader that loads classes from ${catalina.base}/lib.
> >>
> >> [1]
> >>
> https://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html#Overview
> >> [2]
> >>
> https://tomcat.apache.org/tomcat-9.0-doc/class-loader-howto.html#Overview
> >>
> >> It is possible to reconfigure Tomcat 9 to have a sepa

Re: Installing a program designed for Tomcat 5.5 on Tomcat 9

2020-02-09 Thread Felix Schumacher


On 09.02.20 at 18:46, Shane Johnson wrote:
> I extracted the shared folder to my desktop to see what was in it. It
> contains 2 folders Classes and lib, with 24 jar files in the lib folder. I
> did try extracting it to the Libraries in the tomcat tree and running the
> program with no success. I now am wiping the installation of tomcat and
> extracted program and doing a full reload. This next time I am going to try
> to move the Library files in the tomcat 9 directory into a folder named
> shared by altering the directory tree first prior to extracting the
> program. I think I read in the docs somewhere there is a command line that
> can do this so tomcat knows where to look for the library and shared
> library files.  Any more suggestions would be welcome.

Try to do what Mark suggested :) The shared class loader has been
"replaced by/merged with" the common loader. The common loader holds all
classes and libs, that are common (shared) across all webapps.

Copy everything (watch out for jars with same/similar names) that you
found in your extracted shared folder into the lib folder. (If there
really is a folder called Classes, that contains the class structures,
copy the files/folders from inside Classes into the top level lib/ folder.)

It might help, if you post the elements of your shared folder, so that
others can have a better guess on where to copy those.

If you want to get fancy, you can edit conf/catalina.properties and edit
the property "common.loader" to include your shared folder. Be sure to
add both entries for the classes and the jar files.

You might want to have a look at RUNNING.txt. There is a description on
how to setup tomcat for multiple installations. Those setups are - in my
opinion - easier to play with, as you are not messing with the original
installation but a minimal shallow copy.

Felix

>
> On Sun, Feb 9, 2020 at 5:09 AM Konstantin Kolinko 
> wrote:
>
>> Sun, Feb 9, 2020 at 02:12, Peter Rader :
>>>
>>>> I am currently trying to install a program designed to operate on Win XP 32
>>>> and earlier on to a Win 10 environment. The program extracts to the Shared
>>>> and Webapps folders of Tomcat 5.5 and uses a SQL database. After converting
>>>> the database and installing it on SQL 2017 I added the JDBC connector and
>>>> downloaded and installed tomcat 9 only to find there is no shared folder to
>>>> extract the shared files to. Any suggestions?
>>> Hm, shared ... do you mean the endorsed folder? From old apps I remember
>> that some jdbc-jars have to be placed in tomcat's endorsed folder.
>>> I am pretty sure that you could use the JVM/JDK's endorsed folder. They
>> usually have their place in \lib\endorsed .
>>
>> Endorsed folder is a different beast. Please do not put anything there.
>>
>> Tomcat 5.5 documentation is still available online (if you know the
>> address to type it in a browser's address bar) [1] The closest analogy
>> to the "Shared" classloader in current Tomcat is the "Common"
>> classloader that loads classes from ${catalina.base}/lib.
>>
>> [1]
>> https://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html#Overview
>> [2]
>> https://tomcat.apache.org/tomcat-9.0-doc/class-loader-howto.html#Overview
>>
>> It is possible to reconfigure Tomcat 9 to have a separate Shared
>> classloader as well, but that is an overkill.
>>
>> Also, do not forget about Migration Guides [3].
>>
>> [3] https://tomcat.apache.org/migration.html
>> [4]
>> https://tomcat.apache.org/migration-6.html#Modified_directory_structure
>>
>> Best regards,
>> Konstantin Kolinko
>>



Re: RewriteValve does not work on HTTPS

2020-02-05 Thread Felix Schumacher

On 04.02.2020 22:16, Hua Zhang wrote:

What I mean with word 'works' is: the RewriteRule has been executed.

That is not the case by HTTPS. The rule has not been executed while the
RewriteCond is fulfilled.


Can you give us more information on your setup? Is there any 
Proxy/Loadbalancer in front of your tomcat? If so, can you show us 
details on that setup?

What is the value of the host request header in both cases?

Felix


Olaf Kock wrote on Tue, Feb 4, 2020 at 9:06 PM:



On 04.02.20 20:31, Hua Zhang wrote:
> Best tomcat team,
>
> Hereby I have a question about an issue I found by using RewriteValve
> on tomcat 9.30
>
> The rewrite.config is very simple:
>
> RewriteCond %{HTTP_HOST} =youkoop.com
> RewriteRule ^.*$ https://www.youkoop.com [R=301,L]
>
> All I want is just redirect a naked root domain to a www domain with
> HTTPS.
>
> The redirection works on HTTP but not HTTPS.
>
> http://youkoop.com => https://www.youkoop.com *works*
>
Note: Images don't get through in this mailing list. I can imagine what
"works" means, but for your next example: Please elaborate what "does
not work" means.
>
> *https*://youkoop.com  =>
> https://www.youkoop.com *does not work*

First thing to test: Does https://youkoop.com work without the redirect,
then with the "wrong" host name? Otherwise it might be as simple as a
misconfigured TLS host that's never invoked because of a certificate
mismatch.

Olaf







Re: Install Comodo SSL in Tomcat

2020-01-27 Thread Felix Schumacher


On 27.01.20 at 21:24, logo wrote:
> Leonard,
>
> Please respond to the list!!! Easiest as respond to all...
>
>
>> On 27.01.2020 at 17:48, Léonard WAMBERGUE wrote:
>>
>> Ok so I put 8443 in my connector but not yet the alias. Now I have in
>> my browser the error : ERR_CONNECTION_TIMED_OUT.
>>  
>> I have this error in Catalina out with context.xml :
>>  
>> 27-Jan-2020 16:40:12.646 SEVERE [main]
org.apache.catalina.startup.ContextConfig.processContextConfig Parse
error in context.xml for [/host-manager]
>> org.xml.sax.SAXParseException; systemId:
file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber:
19; columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:400)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:306)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3085)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:605)
>> at
java.xml/com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:534)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:888)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
>> at
java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
>>  
>> And this :
>>  
>
>
>
>> 27-Jan-2020 16:40:12.639 WARNING [main]
org.apache.catalina.startup.SetContextPropertiesRule.begin
[SetContextPropertiesRule]{Context} Setting property
'antiResourceLocking' to 'false' did not find a matching property.
>> 27-Jan-2020 16:40:12.641 SEVERE [main]
org.apache.tomcat.util.digester.Digester.fatalError Parse fatal error at
line [19] column [7]
>> org.xml.sax.SAXParseException; systemId:
file:/opt/tomcat/webapps/host-manager/META-INF/context.xml; lineNumber:
19; columnNumber: 7; Invalid byte 1 of 1-byte UTF-8 sequence.
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
>> at
java.xml/com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
>>  
>> But I have not found the same error, it seems like port 8443 solved the
>> error in my last email. I hadn’t edited the context.xml so I don’t
>> understand this problem. Can it be a wrong installation of tomcat ?
>>  
>

> Ok, I’m at loss here. Maybe your web app did not get that far to load
> before you changed the port??? Could you please put the (redacted)
> content here?

Yes, context.xml will be parsed after server.xml.

Have a look at the context.xml file mentioned in the error trace and
look at line 19 column 7. There will probably be an umlaut with a wrong
encoding. The parser expects utf-8 (mentioned in the first line of the
xml file?) but I suspect it finds iso-8859-1 (or something similar). On
linux you could use the 'file' command to get information about the
encoding.

Regards

 Felix


>
> Peter
>
>
>> Thank for helping me !
>>  
>> Sent from Mail for Windows 10
>>
>> From: logo
>> Sent: Monday, 27 January 2020 17:32
>> To: Tomcat Users List
>> Cc: Léonard WAMBERGUE
>> Subject: Re: RE: Install Comodo SSL in Tomcat
>>  
>> Leonard,
>>  
>>  
>> On 2020-01-27 16:53, Léonard WAMBERGUE wrote:
>>> Ok so i have find this error (severe) in my Catalina.out about
>>> connector :
>>>
>>> 27-Jan-2020 10:52:23.625 INFO [main]
>>> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
>>> ["http-nio-194.5.159.189-8080"]
>>> 27-Jan-2020 10:52:23.760 INFO [main]
>>> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
>>> ["https-openssl-nio-443"]
>>> 27-Jan-2020 10:52:23.764 SEVERE [main]
>>> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
>>> to initialize component [Connector[HTTP/1.1-443]]
>>> org.apache.catalina.LifecycleException: Protocol handler
>>> initialization failed
>>> at
>>> org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
>>> at
>>> 

Re: Datasource Connections Problem

2020-01-23 Thread Felix Schumacher



On 24 January 2020 06:22:49 CET, Jerry Malcolm wrote:
>
>On 1/23/2020 11:04 PM, Jerry Malcolm wrote:
>> Sorry... forgot the version.  You are correct.  It's 8.5.x running on
>> AWS Linux EC2.  I didn't intentionally configure anything special for
>> the pool.  So I assume it's dbcp 2.0.  Here is my resource config:
>>
>>   
>>   >
>url="jdbc:mysql://xx-db-1..us-east-1.rds.amazonaws.com/"
>
>>
>>     maxTotal="125"
>>     maxIdle="3"
>>     username="xx"
>>     password="x"
>>     auth="Container"
>>     type="javax.sql.DataSource"
>>     maxWaitMillis="3"
>>     removeAbandonedTimeout="5"
>>     logAbandoned="true"
>>     driverClassName="com.mysql.jdbc.Driver" />
>>   

The documentation for 8.5 mentions the parameters removeAbandonedOnBorrow and 
removeAbandonedOnMaintenance. You need to set one of them to true. 

Default for both is false, that is why you get your jmx values you showed us 
below. 

Regards 
 Felix 

>>
>> I didn't notice the problem for a couple of days.  Then it blew up on
>> a completely separate EC2 instance. It's a similar config, but only
>> one virtual host, and it's in development, not a production server,
>> so only a couple of developers are using it. I now have a log entry
>> from JMX that monitors numActive each time a connection is requested.
>> There have only been a handful of sessions over the past few days on
>> this server. For a couple of days, the log showed between 1 and 10
>> connections and always went back to 3 when idle. Then two days ago, in
>> one session, it went from 3 to 80.  Then the server was idle for two
>> hours.  When the next session started, it was still at 80 and went to
>> 110.  Then 14 hours later there was another session that started with
>> 110 and went to 125 which resulted in a bunch of 'pool exhausted'
>> timeouts.  It remained at 125 until I rebooted TC.  I checked my RDS
>> database connections, and it's fluctuating around 10-20 connections.
>> So it appears the actual connections to the db are being closed.  But
>> apparently when the trigger occurs that is causing this, pool
>> connections are being held forever.  I realize that this is something
>> I could be doing.  But I have one common entrance/exit module included
>> in every jsp that requests a connection on entry and returns it on
>> exit.  If I have a leak in my code, it seems it would be consistently
>> recurring.  And even if I never return any connection, shouldn't the
>> configuration above still clean up the abandoned connections after a
>> minute or so of idle?
>>
>> Is there any specific logging I can turn on that might show more of 
>> what is going on in the pool?
>>
>> Thx
>>
>> Jerry
>>
>Hmm, I just expanded my jmx logging and I'm getting:
>
>AbandonedConfig : false
>LogAbandoned : false
>RemoveAbandonedOnBorrow : false
>RemoveAbandonedOnMaintenance : false
>RemoveAbandonedTimeout : 2147483647
>
>which obviously means I've got something big-time wrong in my
>configuration.  It just occurred to me that I was running TC 9.x on my
>old Windows server and on my dev laptop, but AWS only would install
>8.5.x.  So I completely forgot about the fact that a bunch of parameter
>names changed sometime back on resource definitions. I don't remember
>doing parameter translations when I moved to 8.5.  I haven't looked it
>up yet.  But do I have something stupid like a bunch of 9.x parameters
>that should be changed back to 8.5.x on my config?  If the parameters
>are correct, then there's something else wrong to give me the jmx values
>above.  But the parameters above definitely would give me the results
>I'm seeing.
>
>Am I on the right track?
>
>>
>> On 1/21/2020 12:49 PM, Christopher Schultz wrote:
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA256
>>>
>>> Mark and Jerry,
>>>
>>> On 1/20/20 5:50 AM, Mark Thomas wrote:
 Can you share the configuration of the connection pool? Don't
 forget to mask any passwords.
>>> Also the Tomcat version ;)
>>>
>>> Recent posts from you suggest that this is 8.5.x, which means you are
>>> using commons-dbcp 2.0 unless you have specifically configured
>>> tomcat-pool (which will be obvious from your configuration).
>>>
>>> But it's always good to be sure.
>>>
>>> - -chris
>>>
 On 19/01/2020 05:43, Jerry Malcolm wrote:
> I have a web page that makes a couple of hundred ajax calls when
> it loads.  But the calls are recursive.  The response from one
> call generates a couple of more calls.  The responses from those
> calls generate others, etc.  So this is not a blast of 200
> simultaneous calls to the server.   In most cases the count of
> active database connections never gets over 10-15 at a time.  I
> have the max count on the connection pool set to 125.
>
> The server has very 

Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:35, Chris Cheshire wrote:
> On Thu, Jan 9, 2020 at 11:15 AM Felix Schumacher
>  wrote:
>>
>> On 09.01.20 at 17:01, Chris Cheshire wrote:
>>> Looking through the documentation for the rewrite valve [1], I see
>>> there is an example of how to write and use a rewrite map to convert a
>>> value to upper case. This is the inverse of what I want (lowercase),
>>> so great, easy enough to implement. This seems like something that
>>> could be included by default but I couldn't see anything in
>>> catalina.jar.
>>>
>>> Is this something that would be included if I create a patch for it,
>>> and how would I go about it?
>> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
>> but hadn't had time to investigate any further. Remy thought it would be
>> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
>> to have it a bit more optimized (see
>> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).
>>
>> Would this be something you like to have?
>>
>> I think of committing the first part of the PR in any case, as I believe
>> that the parsing of the parameters should be more in line with that of
>> httpd.
>>
>> Felix
>>
> From the example in the docs
> **
> RewriteMap uc example.maps.UpperCaseMap
> RewriteRule ^/(.*)$ ${uc:$1}
> **
>
> All I would like is for UpperCaseMap to live within the Catalina
> packaging as written so that I don't have to introduce a compile time
> dependency for a configuration file entry. Maybe I am missing
> something, but I don't see where having an SPI for this gains anything
> for simple usages like this.

The idea was to include the maps that are included in the httpd
implementation as documented at
https://httpd.apache.org/docs/2.4/rewrite/rewritemap.html#int and at the
same time to make it easier to include custom implementations via SPI.

The good thing here is that you showed interest in such
implementations and that it is a nice feature indeed.

Felix

>
> I can solve my problem by using multiple regular expressions, so it
> isn't critical. It just seemed like something that could be included
> by default.
>
> Chris
>



Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:39, Rémy Maucherat wrote:
> On Thu, Jan 9, 2020 at 5:16 PM Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> On 09.01.20 at 17:01, Chris Cheshire wrote:
>>> Looking through the documentation for the rewrite valve [1], I see
>>> there is an example of how to write and use a rewrite map to convert a
>>> value to upper case. This is the inverse of what I want (lowercase),
>>> so great, easy enough to implement. This seems like something that
>>> could be included by default but I couldn't see anything in
>>> catalina.jar.
>>>
>>> Is this something that would be included if I create a patch for it,
>>> and how would I go about it?
>> I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
>> but hadn't had time to investigate any further. Remy thought it would be
>> a bit overengineered. Romain liked the idea of ServiceLoader but wanted
>> to have it a bit more optimized (see
>>
>> https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E
>> ).
>>
>> Would this be something you like to have?
>>
>> I think of committing the first part of the PR in any case, as I believe
>> that the parsing of the parameters should be more in line with that of
>> httpd.
>>
> I was planning to pull the non service loader parts of the PR as they are
> likely useful utility classes, but I didn't (procrastination ... and bad
> colds ...). I think I'm really against ServiceLoader configuration for
> Tomcat at the moment, it seems even worse than system properties overall.

Do you think the int:xxx part is OK?

Felix

>
> Rémy
>
>
>> Felix
>>
>>> Chris
>>>
>>> [1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>>>



Re: lower/uppercase rewrite maps

2020-01-09 Thread Felix Schumacher


On 09.01.20 at 17:01, Chris Cheshire wrote:
> Looking through the documentation for the rewrite valve [1], I see
> there is an example of how to write and use a rewrite map to convert a
> value to upper case. This is the inverse of what I want (lowercase),
> so great, easy enough to implement. This seems like something that
> could be included by default but I couldn't see anything in
> catalina.jar.
>
> Is this something that would be included if I create a patch for it,
> and how would I go about it?

I have opened a PR a bit ago (https://github.com/apache/tomcat/pull/221)
but hadn't had time to investigate any further. Remy thought it would be
a bit overengineered. Romain liked the idea of ServiceLoader but wanted
to have it a bit more optimized (see
https://lists.apache.org/thread.html/472e875a46e811370f7df8b7d4fae37170a31d73c3d814a48e4d565c%40%3Cdev.tomcat.apache.org%3E).

Would this be something you like to have?

I think of committing the first part of the PR in any case, as I believe
that the parsing of the parameters should be more in line with that of
httpd.

Felix

>
> Chris
>
> [1] http://tomcat.apache.org/tomcat-9.0-doc/rewrite.html
>



Re: Dates on Linux vs. Windows

2020-01-07 Thread Felix Schumacher


On 07.01.20 at 21:58, Jerry Malcolm wrote:
> This may be more of a Java question than Tomcat.  But I'm not sure.  I
> have the same code, talking to the same MySql Linux (AWS) database.  I
> read a date column value in a Tomcat app.  After calling
> resultSet.getDate(...) I printed the date instance and the getTime()
> value:
>
> On windows: 2019-02-01 154900080
>
> On linux:   2019-01-31 154897920
>
> Again this is the SAME line of code in java reading the SAME field in
> the SAME database.  Only thing different is Linux/Windows OS.  The
> date is supposed to be 2/1/2019 and shows that in phpMyAdmin.
>
> I've been running on Linux for a few months.  But I don't have an
> extensive background in the specifics of Linux.  I'm sure there must
> be something that is configured differently.  I'm at a loss. But this
> is not a trivial problem.  I do monthly billing. My dates need to be
> accurate.
>
> What am I doing wrong? (BTW Tomcat 8.5.x and Java 1.8.0_222 running on
> AWS Linux, not AWS Linux 2).

Maybe different timezone settings on the clients that propagate to the
database?

Have you looked at setting/reading the timezones in mysql (and after
that on the clients) like
https://stackoverflow.com/questions/930900/how-do-i-set-the-time-zone-of-mysql

On linux a simple "date" command will print out the currently used
timezone. For me it prints:

$ date
Di 7. Jan 22:06:37 CET 2020

or without a language setting:

$ LANG= date
Tue Jan  7 22:12:05 CET 2020

Felix

>
> Thanks.
>
> Jerry



Re: ECDSA Private Keys

2020-01-01 Thread Felix Schumacher


Am 01.01.20 um 18:19 schrieb logo:
> Felix,
>
>> Am 01.01.2020 um 11:49 schrieb Felix Schumacher 
>> :
>>
>>
>> Am 27.12.19 um 17:36 schrieb logo:
>>> Chris
>>>
>>> Am 2019-12-27 16:33, schrieb Christopher Schultz:
>>> Peter,
>>>
>>> On 12/26/19 18:55, logo wrote:
>>>>>> Hi Mark,
>>> I hope it's okay if I reply. :)
>>>
>>>> :-)
>>>
>>>
>>>>>> I just recently tested Step CA (smallstep.com) as an internal CA
>>>>>> that provides an internal ACME service.
>>>>>>
>>>>>> After I deployed the created cert to my Tomcat (8.5.50 with
>>>>>> adoptopenjdk 11) I noticed that while the openssl connector
>>>>>> immediately started, the JSSE connector with the same cert would
>>>>>> fail with a "java.security.KeyStoreException: Cannot store
>>>>>> non-PrivateKeys“ I use the openssl XML certificate config also for
>>>>>> JSSE.
>>>>>>
>>>>>> It took me quite a while to figure this one out - as the message
>>>>>> usually indicates a public key as cert. I noticed that Step Ca is
>>>>>> creating ECDSA certs by default. The Openssl Connector delivers the
>>>>>> new ECDSA cert just fine.
>>>>>>
>>>>>> While Java (afaik) seems to be able to handle ECDSA, tomcat will
>>>>>> fall through a case statement in
>>>>>> org.apache.tomcat.util.net.jsse.PEMFile
>>>>>>
>>>>>> When loading the PEM file parts it will skip all cases in
>>>>>>
>>>>>> for (Part part : parts) {
>>>>>>     switch (part.type) {
>>>>>>         case "PRIVATE KEY":
>>>>>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
>>>>>>             break;
>>>>>>         case "ENCRYPTED PRIVATE KEY":
>>>>>>             privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
>>>>>>             break;
>>>>>>         case "RSA PRIVATE KEY":
>>>>>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
>>>>>>             break;
>>>>>>         case "CERTIFICATE":
>>>>>>         case "X509 CERTIFICATE":
>>>>>>             certificates.add(part.toCertificate());
>>>>>>             break;
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> as an EC certificate will start with EC PRIVATE KEY.
>>>>>>
>>>>>> Is this something that is expected? ECDSA unsupported? Or just an
>>>>>> incomplete implementation, edge case or a bug?
>>> EC should work. What does your  configuration look like?
>>>
>>>
>>>>  >>> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>>
>>> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>> maxThreads="150"
>>>> SSLEnabled="true" >
>>>>  >> className="org.apache.coyote.http2.Http2Protocol" />
>>>>  
>>>>  >>>certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
>>>>certificateFile="${catalina.base}/conf/ssl/cert.pem"
>>>> />
>>>>  
>>>>  
>>>> really basic.
>>>> First I had a type attribute "RSA" but even omitting this didn't
>>> change it.
>>>
>>>> Once Tomcat hits the PEMFile-Class the parts read from the
>>> ECDSA-PEM-file are not transferred to a private key so the class
>>> member "privateKey" is null. None of the cases above match "EC PRIVATE
>>> KEY".
>> The comments at the beginning of PEMFile state that it works for PKCS8,
>> only. But the code makes an exception for RSA keys, so it probably makes
>> sense to add EC keys, too.
>>
> Please!

After looking into the code, it doesn't look easy at all.

The code tries to stay away from Oracle's internal API for cryptography
and the standard API is not very helpful with regard to EC.

>
>> Have you tried to convert your key to pkcs8?
>>
> Thanks! That works fine!
>
> openssl pkcs8 -topk8 -nocrypt -in ssl/privkey.pem -out ssl/privkey-p8.pem


Glad it worked.

Felix

>
> Happy new Year!
>
> Peter
>
>> Felix
>>
>>>> Peter
>>> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
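
The fall-through described in this thread, as an added pre-flight check (not Tomcat code and not code from the posters): it lists the PEM part labels in a key and certificate file and reports which ones the quoted switch would skip. The function names, the `Report` type and the sample PEM text are assumptions made for this example; the sample bodies are dummy bytes, not key material.

```python
import re
from typing import List, NamedTuple

# Part types handled by the switch quoted in the thread (PEMFile, Tomcat 8.5.50).
KEY_LABELS = ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY")
CERT_LABELS = ("CERTIFICATE", "X509 CERTIFICATE")

# Conversion that resolved the problem in the thread (paths are placeholders).
PKCS8_HINT = "openssl pkcs8 -topk8 -nocrypt -in <key.pem> -out <key-p8.pem>"

_BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


class Report(NamedTuple):
    key_label: str       # label of the part that yields the private key, "" if none
    certificates: int    # number of certificate parts found
    skipped: List[str]   # labels that match no case of the switch
    advice: List[str]    # what to do about the skipped parts


def pem_labels(text: str) -> List[str]:
    """Return the label of every PEM part in order; reject broken framing."""
    labels, open_label = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = _BOUNDARY.match(raw.strip())
        if not m:
            continue  # base64 body or free text between parts
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_label is not None:
                raise ValueError(f"line {lineno}: BEGIN {label} inside {open_label}")
            open_label = label
        else:
            if label != open_label:
                raise ValueError(f"line {lineno}: END {label} does not close {open_label}")
            labels.append(label)
            open_label = None
    if open_label is not None:
        raise ValueError(f"unterminated part: {open_label}")
    return labels


def preflight(key_pem: str, cert_pem: str = "") -> Report:
    """Classify every part the way the quoted switch would."""
    key_label, certs, skipped, advice = "", 0, [], []
    for label in pem_labels(key_pem) + pem_labels(cert_pem):
        if label in KEY_LABELS:
            key_label = label  # as in the switch, the last matching part wins
        elif label in CERT_LABELS:
            certs += 1
        else:
            skipped.append(label)
    if "EC PRIVATE KEY" in skipped:
        advice.append("EC PRIVATE KEY is not PKCS#8; convert with: " + PKCS8_HINT)
    if not key_label:
        advice.append("no private key would be loaded; the thread reports "
                      "'Cannot store non-PrivateKeys' from the JSSE connector in this state")
    return Report(key_label, certs, skipped, advice)


# Constructed samples: framing only, the base64 bodies are dummy bytes.
# openssl's ecparam -genkey output also carries an EC PARAMETERS part.
SEC1_KEY = """-----BEGIN EC PARAMETERS-----
ZHVtbXk=
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
ZHVtbXkgYm9keQ==
-----END EC PRIVATE KEY-----
"""
PKCS8_KEY = """-----BEGIN PRIVATE KEY-----
ZHVtbXkgYm9keQ==
-----END PRIVATE KEY-----
"""
CERT = """-----BEGIN CERTIFICATE-----
ZHVtbXkgYm9keQ==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, key in (("SEC1", SEC1_KEY), ("PKCS#8", PKCS8_KEY)):
        print(name, preflight(key, CERT))
```
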



Re: ECDSA Private Keys

2020-01-01 Thread Felix Schumacher


Am 27.12.19 um 17:36 schrieb logo:
> Chris
>
> Am 2019-12-27 16:33, schrieb Christopher Schultz:
> Peter,
>
> On 12/26/19 18:55, logo wrote:
> >>> Hi Mark,
>
> I hope it's okay if I reply. :)
>
> > :-)
>
>
>
> >>> I just recently tested Step CA (smallstep.com) as an internal CA
> >>> that provides an internal ACME service.
> >>>
> >>> After I deployed the created cert to my Tomcat (8.5.50 with
> >>> adoptopenjdk 11) I noticed that while the openssl connector
> >>> immediately started, the JSSE connector with the same cert would
> >>> fail with a "java.security.KeyStoreException: Cannot store
> >>> non-PrivateKeys“ I use the openssl XML certificate config also for
> >>> JSSE.
> >>>
> >>> It took me quite a while to figure this one out - as the message
> >>> usually indicates a public key as cert. I noticed that Step Ca is
> >>> creating ECDSA certs by default. The Openssl Connector delivers the
> >>> new ECDSA cert just fine.
> >>>
> >>> While Java (afaik) seems to be able to handle ECDSA, tomcat will
> >>> fall through a case statement in
> >>> org.apache.tomcat.util.net.jsse.PEMFile
> >>>
> >>> When loading the PEM file parts it will skip all cases in
> >>>
> >>> for (Part part : parts) {
> >>>     switch (part.type) {
> >>>         case "PRIVATE KEY":
> >>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
> >>>             break;
> >>>         case "ENCRYPTED PRIVATE KEY":
> >>>             privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
> >>>             break;
> >>>         case "RSA PRIVATE KEY":
> >>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
> >>>             break;
> >>>         case "CERTIFICATE":
> >>>         case "X509 CERTIFICATE":
> >>>             certificates.add(part.toCertificate());
> >>>             break;
> >>>     }
> >>> }
> >>>
> >>> as an EC certificate will start with EC PRIVATE KEY.
> >>>
> >>> Is this something that is expected? ECDSA unsupported? Or just an
> >>> incomplete implementation, edge case or a bug?
>
> EC should work. What does your  configuration look like?
>
>
> >  >    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >   
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >    maxThreads="150"
> >    SSLEnabled="true" >
> >  className="org.apache.coyote.http2.Http2Protocol" />
> > 
> >  >   certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
> >   certificateFile="${catalina.base}/conf/ssl/cert.pem"
> >    />
> > 
> > 
>
> > really basic.
> > First I had a type attribute "RSA" but even omitting this didn't
> change it.
>
> > Once Tomcat hits the PEMFile-Class the parts read from the
> ECDSA-PEM-file are not transferred to a private key so the class
> member "privateKey" is null. None of the cases above match "EC PRIVATE
> KEY".

The comments at the beginning of PEMFile state that it works for PKCS8,
only. But the code makes an exception for RSA keys, so it probably makes
sense to add EC keys, too.

Have you tried to convert your key to pkcs8?

Felix

>
> > Peter
>
> -chris



Re: JSP custom tag operating different when adoptOpenJDK is used vs Oracle (cross post from tomcat-taglibs-user)

2019-10-27 Thread Felix Schumacher
I tried to reproduce the bug with the following simple jsp:

<%@ taglib prefix = "fmt" uri = "http://java.sun.com/jsp/jstl/fmt" %>


   
  String/Object bug
   

   
  <%
    request.setAttribute("now", new java.util.Date());
  %>
  
   


but both Java versions (oracle 1.8.0_201 and openjdk 1.8.0_222) produce
the following java parts with tomcat 9.0.27:

...
// /index.jsp(12,6) name = value type = null reqTime = true required =
true fragment = false deferredValue = false expectedTypeName = null
deferredMethod = false methodSignature = null
  _jspx_th_fmt_005fformatDate_005f0.setValue((java.util.Date)
org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${now}",
java.util.Date.class, (javax.servlet.jsp.PageContext)_jspx_page_context,
null));
...

Can you share your tag implementation or even better give us a minimal
webapp that shows the error?

Is the Tomcat version the same for the different Java implementations?

Felix

Am 27.10.19 um 18:14 schrieb LoBello,Jeff:
> Sorry for not mentioning that before, Felix.  I’ve seen this bug under Mac & 
> Windows Java versions.  We only support Java 1.8, at the moment.
>
>
> Mac:
>
> openjdk version "1.8.0_222"
>
> OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_222-b10)
>
> OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.222-b10, mixed mode)
>
>
>
> Windows:
>
> openjdk version "1.8.0_192"
>
> OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_192-b12)
>
> OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.192-b12, mixed mode)
>
> We’ve also reproduced this issue with multiple Tomcat versions, including 7, 
> 8 & 9.   If we use Oracle Java, the issue is fixed & doesn’t happen.  The bug 
> is very subtle since the JSP does compile, but the data passed to our tag is 
> a String instead of a Date object.
>
> Thanks,
>
> Jeff LoBello
> Lead Software Engineer
> Cerner | www.cerner.com<http://www.cerner.com/>
>
>
>
> From: Felix Schumacher 
> Reply-To: Tomcat Users List 
> Date: Saturday, October 26, 2019 at 4:18 PM
> To: Tomcat Users List 
> Subject: Re: JSP custom tag operating different when adoptOpenJDK is used vs 
> Oracle (cross post from tomcat-taglibs-user)
>
>
>
> Am 25. Oktober 2019 19:33:19 MESZ schrieb "LoBello,Jeff" 
> mailto:jeff.lobe...@cerner.com.INVALID>>:
> We have a custom tag, FormatDateTag extends
> org.apache.taglibs.standard.tag.common.fmt.FormatDateSupport.  It’s
> been working ok for a number of years under tomcat & Oracle JVM.  Now,
> we are moving to adoptOpenJDK  & we are seeing some differences in how
> tomcat generation of JSP to Java classes happens when tomcat is doing
> the EL evaluation.  Here is an example JSP which shows the issue…
>
> Which Java versions have you used exactly? What os was this? Which tomcat 
> version have you used?
>
> Are there any other differences in the setup?
>
> Felix
>
>
> <%@ page language="java" contentType="text/html" isELIgnored="false" %>
> <%@ page import="java.util.Date" %>
> <%@ taglib uri="/WEB-INF/tld/suitags.tld" prefix="sui" %>
>
> <%
> Date chdt = new Date();
> request.setAttribute("chdt", chdt);
> %>
>
> 
>
> Looking at the compiled JSP source code under Oracle JVM, we see this…
>
> // /tagUnitTests/sui/formatDate/testCaliHDateTime1.jsp(20,0) name =
> value type = java.lang.Object reqTime = true required = true fragment =
> false deferredValue = false expectedTypeName = null deferredMethod =
> false methodSignature = null
> _jspx_th_sui_005fformatDate_005f0.setValue((java.lang.Object)
> org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${chdt}",
> java.lang.Object.class,
> (javax.servlet.jsp.PageContext)_jspx_page_context, null));
>
> The same source compiled using AdoptOpenJDK, we see this…
>
> // /tagUnitTests/sui/formatDate/ testCaliHDateTime1.jsp(20,0) name =
> value type = java.lang.Object reqTime = true required = true fragment =
> false deferredValue = false expectedTypeName = null deferredMethod =
> false methodSignature = null
> _jspx_th_sui_005fformatDate_005f0.setValue((java.lang.String)
> org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${chdt}",
> java.lang.String.class,
> (javax.servlet.jsp.PageContext)_jspx_page_context, null));
>
> As a workaround, we’re adding calls to  to convert the
> String back to a Date.  Has anyone run into this? Any ideas we can try
> to find the root cause?
>
> Thanks,
>
> Jeff LoBello
> Lead Software Engineer
> Cerner | www.cerner.com<http://www.cerner.

Re: postgresql jndi datasource with certificate authentication?

2019-10-26 Thread Felix Schumacher


Am 22.10.19 um 20:07 schrieb Magosányi Árpád:
> Thank you all for the suggestions.
>
> Based on the documentation, my setup should work: The server certificate
> is already processed and accepted (I know that because I could not get
> it right at the first try). The driver is supposed to work with a PEM
> certificate and a pkcs-8 DER encoded key, and those what I supply to it.

Is your key password protected? Have you tried to remove the password?

Felix

>
> The problem seems to be that the java installation (openjdk-11) does not
> have a cryptographic security provider understanding a specific oid.
> What I understand is that BouncyCastle have that security provider, and
> I should be able to configure it somewhere either in the java setup or
> tomcat.
> I have already tried in the java setup, but the documented way did not
> seem to work.
> I have no idea how to configure it in Tomcat datasource, this is why I
> have asked here.
> The other reason is to see whether anyone have a similar setup: if so,
> then someone already dealt with same problem, and I should like to see how.
>
> It's true that it seems to be a pgjdbc related problem: it does not work
> with directly jdbc calls. I am trying to get help from the jdbc guys,
> this is why I have an open issue there:
>
> https://github.com/pgjdbc/pgjdbc/issues/1585
>
>
> On 10/22/19 6:10 PM, Christopher Schultz wrote:
>> Arpad,
>>
>> On 10/22/19 12:19, logo wrote:
>>> I have the following in context.xml:
>>>
>>>  >>    type="javax.sql.DataSource"
>>> driverClassName="org.postgresql.Driver"
>>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=truesslmode=verify-ca"
>>>
>>>
>>>    username="market" maxTotal="20" maxIdle="10"
>>>    maxWaitMillis="-1"/>
>>>
>>> I have this in ~tomcat/.postgresql:
>>>
>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>> total 11
>>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>>> -r 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>> The documentation for the driver[1] is a little unclear, but it seems
>> that you can indeed specify the location of the client certificate
>> using sslcert=/path/to/cert and sslkey=/path/to/key connection
>> parameters. Their defaults are ${user.home}/.postgresql/postgresql.crt
>> and ${user.home}/.postgresql/postgresql.pk8 (and
>> ${user.home}/.postgresql/root.crt for the root certificate).
>>
>> So I think those settings should be working.
>>
>> Under the notes in [1], it says:
>>
>> "
>> If you are using Java's default mechanism (not LibPQFactory) to create
>> the SSL connection you will need to make the server certificate
>> available to Java, the first step is to convert it to a form Java
>> understands.
>> "
>>
>> I'm not sure what LibPQFactory is, but you may have to convert to
>> PKCS12/JKS and use their process to use those certificates.
>>
>> The documentation suggests that you will need to start your JVM with
>> specific system properties to make your connection. IMO this is a
>> terrible bug because it means you can't configure these things on a
>> per-connection basis. The documentation is also incomplete because
>> they only tell you how to configure a trust store (to trust the
>> server) and not how to configure the key store (which contains your
>> client certificate). The correct system properties to use for a key
>> store are:
>>
>> javax.net.ssl.keyStore  (path to keystore)
>> javax.net.ssl.keyStorePassword (password for keystore)
>> javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)
>>
>> At this point, all of your questions should be directed to the
>> PostgreSQL community since it's the driver you are having trouble
>> configuring. It appears that Tomcat is working as expected and you
>> just need help with the driver configuration.
>>
>> Hope that helps,
>> -chris
>>
>> [1] https://jdbc.postgresql.org/documentation/head/ssl-client.html



Re: JSP custom tag operating different when adoptOpenJDK is used vs Oracle (cross post from tomcat-taglibs-user)

2019-10-26 Thread Felix Schumacher



Am 25. Oktober 2019 19:33:19 MESZ schrieb "LoBello,Jeff" 
:
>We have a custom tag, FormatDateTag extends
>org.apache.taglibs.standard.tag.common.fmt.FormatDateSupport.  It’s
>been working ok for a number of years under tomcat & Oracle JVM.  Now,
>we are moving to adoptOpenJDK  & we are seeing some differences in how
>tomcat generation of JSP to Java classes happens when tomcat is doing
>the EL evaluation.  Here is an example JSP which shows the issue…

Which Java versions have you used exactly? What os was this? Which tomcat 
version have you used? 

Are there any other differences in the setup? 

Felix 

>
><%@ page language="java" contentType="text/html" isELIgnored="false" %>
><%@ page import="java.util.Date" %>
><%@ taglib uri="/WEB-INF/tld/suitags.tld" prefix="sui" %>
>
><%
>Date chdt = new Date();
>request.setAttribute("chdt", chdt);
>%>
>
>
>
>Looking at the compiled JSP source code under Oracle JVM, we see this…
>
>// /tagUnitTests/sui/formatDate/testCaliHDateTime1.jsp(20,0) name =
>value type = java.lang.Object reqTime = true required = true fragment =
>false deferredValue = false expectedTypeName = null deferredMethod =
>false methodSignature = null
>_jspx_th_sui_005fformatDate_005f0.setValue((java.lang.Object)
>org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${chdt}",
>java.lang.Object.class,
>(javax.servlet.jsp.PageContext)_jspx_page_context, null));
>
>The same source compiled using AdoptOpenJDK, we see this…
>
>// /tagUnitTests/sui/formatDate/ testCaliHDateTime1.jsp(20,0) name =
>value type = java.lang.Object reqTime = true required = true fragment =
>false deferredValue = false expectedTypeName = null deferredMethod =
>false methodSignature = null
>_jspx_th_sui_005fformatDate_005f0.setValue((java.lang.String)
>org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate("${chdt}",
>java.lang.String.class,
>(javax.servlet.jsp.PageContext)_jspx_page_context, null));
>
>As a workaround, we’re adding calls to  to convert the
>String back to a Date.  Has anyone run into this? Any ideas we can try
>to find the root cause?
>
>Thanks,
>
>Jeff LoBello
>Lead Software Engineer
>Cerner | www.cerner.com



Re: efficient redirect map with embedded Tomcat

2019-10-26 Thread Felix Schumacher



Am 15. Oktober 2019 15:18:07 MESZ schrieb Christopher Schultz 
:
>Mark,
>
>On 10/14/19 04:50, Mark Thomas wrote:
>> On 13/10/2019 23:46, Garret Wilson wrote:
>>> On 10/13/2019 11:52 AM, Mark Thomas wrote:
 That depends on how you define best. Simplest to implement?
 Easiest to maintain? Minimum overhead?
>>>
>>> How about, "What best follows the spirit of the Tomcat
>>> architecture?"
>>>
>>> Or alternatively, "What would be most efficient (i.e. not slowing
>>> down normal requests)?"
>>>

 It also depends on how many redirects are you talking about as
 well as what sort of % of the over all requests need to be
 redirected.
>>>
>>> Let's say 100 resources need redirecting, to pick an arbitrary
>>> number.
>>>
>>> (The use case is simply to migrate some old URLs that have
>>> probably been indexed already or even linked on the web.
>>> Theoretically the entire site would need to redirect its old
>>> URLs, but probably only the pages.)
>>
>> For that use case I'd start with the RewriteValve.
>
>RewriteValve won't be the most efficient way to do this, because
>RewriteValve has its own overhead of mapping request URIs (and
>possibly other requirements) to arbitrary things-to-do.
>
>If you want it to be as fast as possible, then you need to write your
>own Servlet (or Filter), map all URIs-to-redirect to that servlet (in
>WEB-INF/web.xml) and then write Java code to do the mapping.
>
>The fastest possible implementation wouldn't be a bunch of
>"string".equals calls or a HashMap, but something more elaborate.
>
>But all that seems like a lot of work for something that CAN be
>accomplished by using RewriteValve, where you don't have to write new
>code and then baby sit it forever.
>
>> If you notice a performance impact then we should take a look with
>> a profiler and see if there is room for improvement in the
>> RewriteValve.
>
>If someone could write Javadoc for the
>org.apache.catalina.valves.rewrite.RewriteMap interface, that would be
>very helpful. I took a quick look at the code, and it's not clear to
>me what either of the two methods in that interface should actually do
>and/or return.

I have added some doc to the rewrite user guide. I will try to add some Javadoc
later.

One odd thing I noticed is that the method setParameters gets passed the first 
optional parameter, only. 

Felix 


>
>Also, Substitution.SubstitutionElement#evaluate(). That would help
>with the above.
>
>Rémy, is that originally your code? git blame says most of the code
>was committed by you.
>
>- -chris



Re: efficient redirect map with embedded Tomcat

2019-10-12 Thread Felix Schumacher


Am 12.10.19 um 17:13 schrieb Garret Wilson:
> Could somebody at least point me to the best place to wire in
> site-level per-resource redirects in embedded Tomcat? I can create a
> solution, I just need to know where it is best to start.

Did you look at https://tomcat.apache.org/tomcat-9.0-doc/rewrite.html

Felix

>
> Thanks,
>
> Garret
>
> On 10/11/2019 11:06 AM, Garret Wilson wrote:
>> This is a question for Tomcat experts before I get started
>> implementing a new feature.
>>
>> Let's say I'm embedding Tomcat to serve static files. At the time of
>> creation I know that certain paths, such as `foo/bar.txt`, should
>> redirect to other paths, such as `some/other.txt`. What's the best
>> way to configure Tomcat to do those redirects? I'm comfortable with
>> extending the source code.
>>
>> Here are a couple of ideas that come to mind:
>>
>>  * I could create a redirect servlet and map different instances of it
>>    to different targets in the context when I configure everything. But
>>    in Tomcat's routing engine, is the most efficient way to do things?
>>    (I assume that the servlet mappings can be placed "over" the default
>>    servlet's path space, that is, cherry-pick paths for redirection,
>>    falling back to the default file-serving servlet for non-redirect
>>    paths.)
>>  * I thought of patching into the default file servlet, overriding
>>    `org.apache.catalina.WebResource`, and creating virtual
>>    `RedirectResource` resources that don't correspond to any physical
>>    file. However it's not obvious to me where I would create a
>>    redirect. Maybe throw some redirect exception inside
>>    `WebResource.getInputStream()`? (This is probably not correct. I'm
>>    just brainstorming. The idea is sound if I knew where to put it.)
>>  * Should I install a configured rewrite valve when I'm setting up
>>    embedded Tomcat?
>>  * Is there some other routing logic in Tomcat I could tap into most
>>    efficiently, providing a known set of redirects?
>>
>> Thanks for any guidance. I'm want to figure out the best way to
>> attack this before getting very deep in an implementation.
>>
>> Garret



Re: error 0 issue

2019-06-24 Thread Felix Schumacher



Am 24. Juni 2019 21:23:24 MESZ schrieb Kumar R :
>Hi Team,
>I am facing server 0 issue while starting tomcat 5 service after
>increase
>the heap size from 1024 to 2048.
>
>Server:-
>Windows 32
>Jre:-
>1.5.0_15-h04, mixed mode sharing

The 32-bit version of Java under Windows can't use more than about 1.5 GB of
RAM.

Note that the versions of Java and Tomcat are way out of date. Please do
yourself a favor and update them.

Felix 


>Tomcat:-
>5.5
>Error:-
>Jakarta log:- create JavaVM failed, failed initializing java.
>Event log:-
>The Apache Tomcat service terminated with services-specific error
>0(0x0)
>Thanks
>Rajib




Re: OS

2019-04-18 Thread Felix Schumacher

Sorry for the noise.

This specific list is of course the correct list to ask. The other list 
in the original addresses users-owner@ was not the correct one.


Felix

Am 18.04.19 um 07:35 schrieb Felix Schumacher:

Hello,

this is an administrative mail address and not meant for questions about the
usage of Tomcat.

Please ask your questions on the user mailing list. You have to be subscribed 
to the mailing list in order to be able to send messages to the list.

For more information see http://tomcat.apache.org/lists.html#tomcat-users

Regards

  Felix


Am 18. April 2019 07:06:31 MESZ schrieb "liname...@outlook.com" 
:

Hello, I am doing an investigation.
Does Windows Server 2019 support the following products:

Apache Tomcat   6.0.35
Tomcat Connectors (mod_jk)   1.2.35-m1.0

Is the other version supported?
Can you tell me, thank you very much.





Re: OS

2019-04-18 Thread Felix Schumacher
Hello,

this is an administrative mail address and not meant for questions about the
usage of Tomcat.

Please ask your questions on the user mailing list. You have to be subscribed 
to the mailing list in order to be able to send messages to the list.

For more information see http://tomcat.apache.org/lists.html#tomcat-users

Regards

 Felix


Am 18. April 2019 07:06:31 MESZ schrieb "liname...@outlook.com" 
:
>Hello, I am doing an investigation.
>Does Windows Server 2019 support the following products:
>
>Apache Tomcat   6.0.35
>Tomcat Connectors (mod_jk)   1.2.35-m1.0
>
>Is the other version supported?
>Can you tell me, thank you very much.


Re: [ANN] New committer: Woonsan Ko

2018-12-19 Thread Felix Schumacher
Am Mittwoch, den 19.12.2018, 09:56 + schrieb Mark Thomas:
> On behalf of the Tomcat committers I am pleased to announce that
> Woonsan Ko (woonsan) has been voted in as a new Tomcat committer.
> 
> Please join me in welcoming him.

Congrats,
 Felix

> 
> Kind regards,
> 
> Mark
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
> 





Re: Persist authenticated sessions across tomcat restarts

2018-07-31 Thread Felix Schumacher

Am 30.07.2018 17:57, schrieb Tim K:

On Mon, Jul 30, 2018, 4:26 AM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:


Am 27.07.2018 13:36, schrieb Tim K:
> Hello,
>
> I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
> servers: linux).
>
> I have successfully created a custom JAAS authentication, which works
> just
> fine.
>
> I have SSO enabled at the moment, but not sure if I really need it.
>
> I left the default StandardManager config in place, I do see
> the SESSIONS.ser get created upon a shutdown and I see it get removed
> upon
> startup, so I'm assuming it's reading it in...
>
> I'm expecting that once a user authenticates with the JAAS module one
> time,
> and has a valid session, if I restart tomcat on the backend, that user
> will
> NOT need to re-authenticate, but it appears to be kicking them back to
> the
> login screen after the restart, and it's not accepting their JSESSIONID
> cookie value, it's giving them a new one upon hitting a secured
> resource.
>
> From what I've read, I believe that JAAS can cache an authenticated
> session, but it doesn't appear to be working for me.  Is there
> something
> I'm missing?  Also, I'm using form-login.

Are your Principal classes serializable?
Do you see any Exceptions in the log files when you restart Tomcat?

Regards,
  Felix

>
> Thank you,
>
> Tim




No exceptions in log.  And it doesn't work even when I don't store
anything within the session.


I have dug deeper now and it seems that the principal object is 
removed from the session before it is persisted.


In StandardSession.java you can find the following comment:

 /**
   * The authenticated Principal associated with this session, if any.
   * IMPLEMENTATION NOTE:  This object is not saved and
   * restored across session serializations!
   */
 protected transient Principal principal = null;


This variable stores the authenticated user.

Regards,
 Felix
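
The effect of the transient modifier quoted above, shown as an added example that is not part of the original thread and is not Tomcat code. DemoSession and UserPrincipal are hypothetical stand-ins, and plain Java serialization is assumed here in place of the session manager's own persistence code.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class TransientPrincipalDemo {

    /** Hypothetical serializable Principal, as a custom JAAS module might supply. */
    static final class UserPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;

        UserPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public String toString() {
            return "UserPrincipal[" + name + "]";
        }
    }

    /** Hypothetical stand-in for a session: id and attributes persist, the principal does not. */
    static final class DemoSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Map<String, Object> attributes = new HashMap<>();
        // Same modifier as the field quoted from StandardSession.java:
        // Java serialization skips transient fields entirely.
        transient Principal principal;

        DemoSession(String id) {
            this.id = id;
        }
    }

    /** Writes the session to a byte array and reads it back, like a stop/start cycle. */
    static DemoSession roundTrip(DemoSession session) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(session);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buffer.toByteArray()))) {
            return (DemoSession) in.readObject();
        }
    }

    /** A restored session without a principal is treated as unauthenticated. */
    static boolean mustReauthenticate(DemoSession session) {
        return session.principal == null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data.
        DemoSession before = new DemoSession("CONSTRUCTED-SESSION-ID");
        before.principal = new UserPrincipal("tim");
        before.attributes.put("cart", "3 items");

        DemoSession after = roundTrip(before);

        System.out.println("before restart: principal=" + before.principal
            + ", re-authenticate=" + mustReauthenticate(before));
        System.out.println("after restart : id=" + after.id
            + ", attributes=" + after.attributes
            + ", principal=" + after.principal
            + ", re-authenticate=" + mustReauthenticate(after));
    }
}
```

The session id and attributes come back, which is why the session file is written and read without any exception, while the authenticated state is absent after the restart even though the Principal class itself is serializable.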




Re: Persist authenticated sessions across tomcat restarts

2018-07-30 Thread Felix Schumacher

Am 27.07.2018 13:36, schrieb Tim K:

> Hello,
>
> I'm creating a new app under Tomcat 9.0.8 (local dev: windows, live
> servers: linux).
>
> I have successfully created a custom JAAS authentication, which works
> just fine.
>
> I have SSO enabled at the moment, but not sure if I really need it.
>
> I left the default StandardManager config in place, I do see
> the SESSIONS.ser get created upon a shutdown and I see it get removed
> upon startup, so I'm assuming it's reading it in...
>
> I'm expecting that once a user authenticates with the JAAS module one
> time, and has a valid session, if I restart tomcat on the backend, that
> user will NOT need to re-authenticate, but it appears to be kicking them
> back to the login screen after the restart, and it's not accepting their
> JSESSIONID cookie value, it's giving them a new one upon hitting a
> secured resource.
>
> From what I've read, I believe that JAAS can cache an authenticated
> session, but it doesn't appear to be working for me.  Is there something
> I'm missing?  Also, I'm using form-login.

Are your Principal classes serializable?
Do you see any Exceptions in the log files when you restart Tomcat?

Regards,
 Felix

> Thank you,
>
> Tim





Re: Tomcat JDBC Pool memory leak when using StatementFinalizer interceptor

2018-07-14 Thread Felix Schumacher




Am 11.07.2018 um 16:22 schrieb Martin Knoblauch:

> Hi,
>
>   while analyzing some heap dump for other reasons, I found that our
> application is apparently aggregating a considerable amount of memory in
> "org.apache.tomcat.jdbc.pool.TrapException", which is never cleaned by GC.
> Digging deeper, it seems that the entries of the "statements" linked list
> in the StatementFinalizer are never removed from the list, so after three
> weeks of lifetime one ends up with a list of 7 million entries, each 80
> bytes.
>
>   Now it might be, that we are just using the StatementFinalizer in a wrong
> manner. And what we see is expected behavior. Below is our pool
> configuration. Maybe something is just missing :-)

The docs in the interceptor say one has to call close on the connection
that created the statements. Does your application call close on the
connection?

Regards,
 Felix

> We are at Tomcat 8.0.36 (yeah, I know, but that is the version we have to
> use) and Java 8 (1.8.0_171). Underlying DB is Oracle 12.1.0.2 and we are
> using the latest "ojdbc7.jar" from Oracle.
>
> Thanks
> Martin





Re: tomcat with laptop + windows sleep

2018-06-03 Thread Felix Schumacher




Am 02.06.2018 um 20:51 schrieb Alex O'Ree:

I think I've narrowed it down to an issue specific with terracotta quartz
based jobs. I've wired it into using tomcat's jdbc connection pooling. I'm
also using a super old version of it so that could be part of the problem.
Interestingly this didn't happen with tomcat7 but it's more than probably
some other change on my end caused this rather strange situation.  Anyhow,
it's probably not tomcat.


You copied the jdbc pool jars from tomcat 7 into tomcat 8.5? Why?



Context.xml is something like this





You could enable validation queries, so that the pool will check the 
connection's validity before handing it out to your application.


Regards,
 Felix


The encrypted connection factory extends the default one and supports a
basic ciphered password




On Sat, Jun 2, 2018, 1:34 PM Felix Schumacher  wrote:



Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree :

Yes it is a tomcat managed data source with postgres. The cpu usage is my
app trying to get a managed data source. Perhaps the jdbc driver is the
issue. ..

Care to post your configuration? Maybe there are some changes missing when
you updated to the newer version.

Regards,
  Felix


On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Alex,

On 5/22/18 7:39 PM, Alex O'Ree wrote:

I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
used to be able to put a computer to "sleep" with tomcat running.
On resume, everything would be just fine. On tomcat 8.5, i'm
noticing that all database connections are basically dropped and do
not appear to restart/resume when the computer resumes. Actually
the whole computer runs super slow until i kill the tomcat process.
I'm not entirely sure what's going on here. Has anyone else noticed
this kind of behavior?

Are you using a tomcat-configured DataSource in your application? If
so, what does the configuration look like?

I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
MacOS and I haven't noticed any problems when my laptop goes to sleep.
I'm using Oracle Java 1.8.0_131 in this particular case.

When it's running slowly, can you tell which process is taking up all
the CPU (or disk)? Try using the Process Explorer to single-out a
process. If it's Tomcat (java.exe), take a thread dump to see what
Tomcat is doing.

- -chris



Re: tomcat with laptop + windows sleep

2018-06-02 Thread Felix Schumacher



Am 24. Mai 2018 23:30:10 MESZ schrieb Alex O'Ree :
>Yes it is a tomcat managed data source with postgres. The cpu usage is
>my
>app trying to get a managed data source. Perhaps the jdbc driver is the
>issue. ..

Care to post your configuration? Maybe there are some changes missing when you 
updated to the newer version. 

Regards, 
 Felix 

>
>On Wed, May 23, 2018, 11:28 AM Christopher Schultz <
>ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Alex,
>>
>> On 5/22/18 7:39 PM, Alex O'Ree wrote:
>> > I've noticed a behavioral difference from tomcat 7 to 8.5. In v7, I
>> > used to be able to put a computer to "sleep" with tomcat running.
>> > On resume, everything would be just fine. On tomcat 8.5, i'm
>> > noticing that all database connections are basically dropped and do
>> > not appear to restart/resume when the computer resumes. Actually
>> > the whole computer runs super slow until i kill the tomcat process.
>> > I'm not entirely sure what's going on here. Has anyone else noticed
>> > this kind of behavior?
>>
>> Are you using a tomcat-configured DataSource in your application? If
>> so, what does the configuration look like?
>>
>> I wouldn't expect any problems with sleep. I'm using Tomcat 8.5.29 on
>> MacOS and I haven't noticed any problems when my laptop goes to sleep.
>> I'm using Oracle Java 1.8.0_131 in this particular case.
>>
>> When it's running slowly, can you tell which process is taking up all
>> the CPU (or disk)? Try using the Process Explorer to single-out a
>> process. If it's Tomcat (java.exe), take a thread dump to see what
>> Tomcat is doing.
>>
>> - -chris



Re: [ANN] New committer: Igal Sapir

2018-05-25 Thread Felix Schumacher
Congrats,
 Felix 

Am 24. Mai 2018 21:09:06 MESZ schrieb Mark Thomas :
>On behalf of the Tomcat committers I am pleased to announce that
>Igal Sapir (isapir) has been voted in as a new Tomcat committer.
>
>Please join me in welcoming him.
>
>Regards,
>
>Mark
>


Re: CrawlerSessionManagerValve only working with default host

2018-04-12 Thread Felix Schumacher

Am 12.04.2018 um 09:27 schrieb Mark Thomas:

On 12/04/18 00:10, Matt Cosentino wrote:

I first noticed it by the large number of sessions in the manager webapp, but 
then I verified it in my logs. Both of my sites are polled every minute by the 
UptimeRobot service. These requests are logged and I can see what session is 
being used. For the default host site, they reuse the same session. For the 
non-default host sites, they create new sessions.

It is a limitation of the CrawlerSessionManagerValve. It only supports
one session per client IP as it maps client IP to session ID internally.
Moving the Valve to the Context (if you want it to apply to every
Context you can define it in CATALINA_BASE/conf/context.xml) is a
workaround.

The proper fix is to change the valve so it maps context+client IP to
session ID. There are several ways to do this. Please open a Bugzilla
enhancement request for this and someone will take a look.


https://bz.apache.org/bugzilla/show_bug.cgi?id=62297

Regards,
 Felix


Mark



04-11 00:00:14 INFO  LogRequest   >  HEAD: https www.defaulthost.com /, FROM: 69.162.124.237, D21FE7FD2B82B776AB194C278244D79E, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.defaulthost.com
04-11 00:01:14 INFO  LogRequest   >  HEAD: https www.defaulthost.com /, FROM: 69.162.124.237, D21FE7FD2B82B776AB194C278244D79E, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.defaulthost.com
04-11 00:02:14 INFO  LogRequest   >  HEAD: https www.defaulthost.com /, FROM: 69.162.124.237, D21FE7FD2B82B776AB194C278244D79E, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.defaulthost.com
04-11 00:03:13 INFO  LogRequest   >  HEAD: https www.defaulthost.com /, FROM: 69.162.124.237, D21FE7FD2B82B776AB194C278244D79E, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.defaulthost.com

04-11 00:00:32 INFO  LogRequest   >  HEAD: https www.anotherhost.com /, FROM: 69.162.124.237, C62DCA4E9DC39884E3E82EE19AAEAB4A, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.anotherhost.com
04-11 00:01:32 INFO  LogRequest   >  HEAD: https www.anotherhost.com /, FROM: 69.162.124.237, 542027513FD08CD82C8BEFF3C4E75F8C, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.anotherhost.com
04-11 00:02:32 INFO  LogRequest   >  HEAD: https www.anotherhost.com /, FROM: 69.162.124.237, F93C1929D880DDD446D13E36413544DF, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.anotherhost.com
04-11 00:03:32 INFO  LogRequest   >  HEAD: https www.anotherhost.com /, FROM: 69.162.124.237, 82C3BB415817B8C4761EFEF7EE7591DD, Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/), REFERER: https://www.anotherhost.com

This is with the valve at the engine level, which I assumed meant that it would apply to 
all hosts within that engine. The documentation states "Normally, this Valve would 
be used at the Engine level.", so that's what I did.

https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Crawler_Session_Manager_Valve

- Matt

-Original Message-
From: Christopher Schultz 
Sent: Wednesday, April 11, 2018 1:46 PM
To: users@tomcat.apache.org
Subject: Re: CrawlerSessionManagerValve only working with default host

Matt,

On 4/11/18 2:03 PM, Matt Cosentino wrote:

I have CrawlerSessionManagerValve set up at the Engine level, but it only seems 
to be working for the default host and not any other host. Is this expected 
behavior? Should I put it at the host level for each host?

Here is an example of how I have it set up:

 
   
 
   
   
   
   


Tomcat 8.5.24

I don't see anything in the code that suggests it wouldn't work when used at the 
 level, but it also looks like it makes the most sense at the  
level.

Can you describe your testing and the results you got?

When you say "only [...] working for the default host", do you mean that it works for the default host 
within an  (when configured at the  level) or that it doesn't even work with a 
non-default  when configured at the  level?

-chris
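
The limitation discussed in this thread, as an added example that is not part of the original messages and is not the valve's source code. It is a simplified model that assumes each host keeps its own session store and that the valve only records a session id for a key it has not seen before; the class name, the constructed bot address 192.0.2.10 and the host+IP key (standing in for "context+client IP") are choices made for this example.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class CrawlerSessionKeyDemo {

    /** Per-host session stores: an id created for one host is unknown to the other. */
    private final Map<String, Set<String>> sessionsByHost = new LinkedHashMap<>();
    /** The valve's memory: key -> session id handed out earlier. */
    private final Map<String, String> remembered = new HashMap<>();
    private final boolean keyIncludesHost;
    private int nextId = 1;

    CrawlerSessionKeyDemo(boolean keyIncludesHost) {
        this.keyIncludesHost = keyIncludesHost;
    }

    /** Host-side lookup: reuse the requested session if this host knows it, else create one. */
    private String findOrCreate(String host, String requestedId) {
        Set<String> store = sessionsByHost.computeIfAbsent(host, h -> new HashSet<>());
        if (requestedId != null && store.contains(requestedId)) {
            return requestedId;
        }
        String id = "SESSION-" + nextId++;
        store.add(id);
        return id;
    }

    /** One crawler request without a session cookie; returns the session id that served it. */
    String request(String host, String clientIp) {
        String key = keyIncludesHost ? host + "|" + clientIp : clientIp;
        String offered = remembered.get(key);
        String used = findOrCreate(host, offered);
        if (offered == null) {
            // Assumption of this model: only a first-seen key is recorded, so a
            // session created because the offered id was unknown is never remembered.
            remembered.put(key, used);
        }
        return used;
    }

    /** Number of live sessions per host after the simulated polling. */
    Map<String, Integer> sessionCounts() {
        Map<String, Integer> counts = new LinkedHashMap<>();
        sessionsByHost.forEach((host, ids) -> counts.put(host, ids.size()));
        return counts;
    }

    /** Polls both hosts once a minute from the same address, as the monitoring service does. */
    static Map<String, Integer> simulate(boolean keyIncludesHost) {
        CrawlerSessionKeyDemo valve = new CrawlerSessionKeyDemo(keyIncludesHost);
        String botIp = "192.0.2.10"; // constructed address from the documentation range
        for (int minute = 0; minute < 4; minute++) {
            String a = valve.request("www.defaulthost.com", botIp);
            String b = valve.request("www.anotherhost.com", botIp);
            System.out.printf("  00:%02d  defaulthost=%s  anotherhost=%s%n", minute, a, b);
        }
        return valve.sessionCounts();
    }

    public static void main(String[] args) {
        System.out.println("Key = client IP only:");
        System.out.println("  sessions per host: " + simulate(false));
        System.out.println("Key = host + client IP:");
        System.out.println("  sessions per host: " + simulate(true));
    }
}
```

With the IP-only key the first host keeps reusing one session while the second host accumulates a new session on every poll, the same pattern as in the request log quoted above; with the host included in the key each host ends up with a single session.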






Re: Is LDAP connection failing?

2018-04-11 Thread Felix Schumacher

Hi Luis,


Am 05.04.2018 18:50, schrieb Luis Rodríguez Fernández:

Hello Suvendu,

May I ask you to share your JNDIRealm configuration?

For me something like this works:

  
roleBase="OU=BASE_ORGANIZATION_UNIT_FOR_MY_GROUPS,OU=Workgroups,DC=cern,DC=ch"

 roleSubtree="1"
 roleName="cn"
 roleSearch="((member={0})(objectclass=group))"
/>


You are using userPattern to find users. In that case the userSubtree configuration
will be ignored. roleSubtree should be either "true" or "false".

Regards,
 Felix



Hope it helps,

Luis








2018-04-05 15:32 GMT+02:00 Suvendu Sekhar Mondal :


Hello Everyone,

Recently in one of our environments I am seeing following log in
Catalina.out. It seems that LDAP connection is failing. This issue is
sporadic and goes away with Tomcat recycle.

One interesting thing is "localhost:389" part. I could not find out
any configuration related to that. It could happen that I am not
looking at the correct place.

We have 200+ JVMs out there which were starting up simultaneously but
this happens for some of them sporadically. I suspect that some race
condition might be causing this failure but could not find any
evidence so far. Can someone please suggest how can I identify what is
failing? and why it is failing?

Thanks!
Suvendu

Stack trace:
2018-04-02 20:34:27,293 INFO org.apache.catalina.startup.HostConfig - Deploying web application directory D:\xxx\webapps\ROOT
2018-04-02 20:34:33,341 SEVERE org.apache.catalina.realm.CombinedRealm - Failed to start "org.apache.catalina.realm.JNDIRealm/1.0" realm
org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
 at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:201)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5373)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
 at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247)
 at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
 at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2191)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 ... 14 more
Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]
 at com.sun.jndi.ldap.Connection.(Connection.java:216)
 at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)
 at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
 at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
 at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
 at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:70)
 at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
 at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
 at javax.naming.InitialContext.init(InitialContext.java:244)
 at javax.naming.InitialContext.(InitialContext.java:216)
 at javax.naming.directory.InitialDirContext.(InitialDirContext.java:101)
 at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2108)
 at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2189)
 ... 15 more
Caused by: java.net.ConnectException: Connection refused: connect
 at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
 at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
 at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
 at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
 at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
 at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
 at java.net.Socket.connect(Socket.java:589)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at 

Re: Is LDAP connection failing?

2018-04-11 Thread Felix Schumacher

Am 05.04.2018 15:32, schrieb Suvendu Sekhar Mondal:

Hello Everyone,

Recently in one of our environments I am seeing following log in
Catalina.out. It seems that LDAP connection is failing. This issue is
sporadic and goes away with Tomcat recycle.

One interesting thing is "localhost:389" part. I could not find out
any configuration related to that. It could happen that I am not
looking at the correct place.

We have 200+ JVMs out there which were starting up simultaneously but
this happens for some of them sporadically. I suspect that some race
condition might be causing this failure but could not find any
evidence so far. Can someone please suggest how can I identify what is
failing? and why it is failing?


It would be nice to include the version of tomcat you are using.
(I am guessing it is something like 7.0.55 as the source code matches the
line numbers in the stacktrace)

If it is this version, then the message will be generated, when your ldap
server configured by connectionURL is not reachable on startup. Tomcat will
try to connect to the ldap server configured by alternateURL. It seems to
me, that you have not configured one (again guessing, as you didn't give
configuration details). In that case the jre is using localhost:389 and as
there is no LDAP server listening you get the exception.

Regards,
 Felix



Thanks!
Suvendu

Stack trace:
2018-04-02 20:34:27,293 INFO org.apache.catalina.startup.HostConfig - Deploying web application directory D:\xxx\webapps\ROOT
2018-04-02 20:34:33,341 SEVERE org.apache.catalina.realm.CombinedRealm - Failed to start "org.apache.catalina.realm.JNDIRealm/1.0" realm
org.apache.catalina.LifecycleException: Failed to start component [Realm[JNDIRealm]]
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
 at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:201)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5373)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:877)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
 at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1247)
 at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1898)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.catalina.LifecycleException: Exception opening directory server connection
 at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2191)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 ... 14 more
Caused by: javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused: connect]
 at com.sun.jndi.ldap.Connection.(Connection.java:216)
 at com.sun.jndi.ldap.LdapClient.(LdapClient.java:137)
 at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
 at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
 at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:319)
 at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:70)
 at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
 at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
 at javax.naming.InitialContext.init(InitialContext.java:244)
 at javax.naming.InitialContext.(InitialContext.java:216)
 at javax.naming.directory.InitialDirContext.(InitialDirContext.java:101)
 at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2108)
 at org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2189)
 ... 15 more
Caused by: java.net.ConnectException: Connection refused: connect
 at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
 at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
 at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
 at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
 at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
 at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
 at java.net.Socket.connect(Socket.java:589)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at

Re: How to offer a link correction for the Tomcat docs?

2018-03-30 Thread Felix Schumacher
Am Donnerstag, den 29.03.2018, 18:21 -0500 schrieb charlie arehart:
> > 
> > From: Christopher Schultz  
> > 
> > Mark,
> > 
> > On 3/29/18 6:07 PM, Mark Thomas wrote:
> > > 
> > > On 29/03/18 21:38, charlie arehart wrote:
> > > > 
> > > > Thanks. I'm guessing someone fixed it before you looked, as I
> > > > see now 
> > > > that it is fixed as well. (And same for the 7 doc.)
> > > > 
> > > > Now, if you may be tempted to say that you don’t think anyone
> > > > had 
> > > > changed it recently,
> > > That is what version control is for: 
> > > http://svn.apache.org/viewvc?rev=1827860=rev
> > > 
> > > Felix made a bunch of changes to fix this of which the above
> > > change is 
> > > just the first.
> > Aha. I even knew "where" I was looking and I still missed it.
> > 
> > - -chris
> Well, FWIW, I will say that I did not know, Chris. :-) 
> 
> And to Mark, I would ask: how would I have known to look there? I
> don't mean to sound snarky, but I said in my very first post on the
> subject that I was new to the list (though not new to Tomcat, as a
> user at least).
> 
> So mine is a sincere question: is there some way that I, as a mere
> user of the docs, would have even known that they were in that version
> control resource? Let alone what specific one? Are you thinking that
> there is some resource that readily tells us that, as users? If I
> missed it, I do apologize.
> 
> Or might you just have thought that this was discussed often enough
> here that one should have known? Again, I admitted I was a new user,
> but perhaps you did not read that very first message. (No one replied
> for a few days, which is why I pinged about it again today.)
> 
> And to that point, and indeed your observation that this was changed
> by Felix...well, he never said so here. Again, that's why I pinged
> the list on this. I do appreciate that it was done, of course!  And
> also that (like Andre said in another thread today) doing doc changes
> is a thankless enough task. :-) I'm just saying a lot of back and
> forth could have been saved. Browser caching of the page clearly kept
> me from seeing the change on my own.

All changes to sources are sent to the dev list, so I didn't feel the
need to announce it independently. But as a small defence on my side,
in my last mail to you on the user-owners, I wrote that I would
probably have a look at it and thought that would be enough to inform
you about it. Sorry, that I didn't send a follow up and didn't answer
earlier to your follow-up on this list.

> 
> And again, I am trying to learn the ins and outs here, so as not to
> be a burden to the list. I hope ultimately to "give" far more than
> "take", over time, if I can (as I've done for many years in other
> forums and lists).

That is the reason, why I thought it a good idea to discuss this on the
public users list.

I still believe that your real concern is not about these few b's
missing from links in the documentation, but rather how to report those
mistakes in general, how to submit fixes in an easy way and most
importantly: where is this written on the tomcat home page.

And to address these things, I found it important, that you started
this discussion on the mailing list. Those on the dev list mostly know
how to contribute changes, but we also want newcomers to become
contributors. Thus it is important, that we have a clearly described
way on how to contribute at a prominent place on the home page.

Best regards,
 Felix

> 
> 



Re: [External] RE: Tomcat 8.5.23

2018-02-25 Thread Felix Schumacher
Am Freitag, den 23.02.2018, 15:26 + schrieb Lawrence Lim:
> I installed tomcat via untar, something tar -zxf
> apache-tomcat-8.5.23.tar.gz. 

Any reason for not using the latest available tomcat?

> 
> I am running Java 8 and no security manager I know of. 

OK

> 
> I already did a chmod 777 in the tomcat directory.  

It is probably not a good idea to set any directory to world-writable,
especially if it contains server software.

The permissions on the directories of the unpacked tar should be
correct for the user that unpacked it.


What have you done after unpacking tomcat?

Did you configure the Realm (for example by having a look at
conf/tomcat-users.xml and adding the required users, roles and
passwords)?

There is quite some documentation available under
http://tomcat.apache.org/tomcat-8.5-doc/manager-howto.html

Have you looked at all log files in the logs dir?

Regards,
 Felix

> 
> Regards,
> 
> Lawrence Lim  
> Software Developer
> —
> 
> ENBRIDGE
> TEL: 780-969-6208
> 10175 101 St NW,  Edmonton, Alberta T5J 0H3
> 
> enbridge.com
> Integrity. Safety. Respect.
> 
> 
> -Original Message-
> From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
> Sent: Thursday, February 22, 2018 11:45 PM
> To: Tomcat Users List
> Subject: [External] RE: Tomcat 8.5.23
> 
> 
> 
> Am 15. Februar 2018 19:25:24 MEZ schrieb Lawrence Lim <Lawrence.Lim@e
> nbridge.com>:
> > 
> > Red Hat Enterprise Linux Server release 6.9 (Santiago)
> How did you install tomcat? 
> Are you running tomcat with some kind of security manager enabled
> (Java or system wide)? 
> Can the tomcat user (running the process) write to the filesystem?
> 
> Regards,
> Felix 
> 
> > 
> > 
> > Yes. I did check the logs. It does not log anything when I deploy.
> > But, 
> > it logs something when I undeploy.
> > 
> > Lawrence Lim
> > Software Developer
> > -
> > 
> > ENBRIDGE
> > TEL: 780-969-6208
> > 10175 101 St NW,  Edmonton, Alberta T5J 0H3
> > 
> > enbridge.com
> > Integrity. Safety. Respect.
> > 
> > -Original Message-
> > From: Satish Chhatpar 02 [mailto:chhatp...@cpwplc.com]
> > Sent: Thursday, February 15, 2018 10:58 AM
> > To: users@tomcat.apache.org
> > Subject: [External] Re: Tomcat 8.5.23
> > 
> > Which operating system?
> > Did you check the logs?
> > 
> > Sent using OWA for iPhone
> > 
> > From: Lawrence Lim <lawrence@enbridge.com>
> > Sent: Thursday, February 15, 2018 11:09:54 PM
> > To: users@tomcat.apache.org
> > Subject: Tomcat 8.5.23
> > 
> > Hi,
> > 
> > 
> > 
> > I just installed tomcat 8.5.23. I am having problems deploying web
> > apps 
> > via manager. To reproduce:
> > 
> > 
> > 
> > 1.   Login to tomcat manager
> > 
> > 
> > 
> > 2.   Go to " WAR file to deploy"
> > 
> > 
> > 
> > 3.   Pick a war file
> > 
> > 
> > 
> > 
> > 
> > Error message: FAIL - File upload failed, no file
> > 
> > 
> > 
> > 
> > 
> > Workaround: Copy war file to the tomcat webapps directory
> > 
> > 
> > 
> > 
> > 
> > I also tried using localhost:8080, same result. So, it's not some
> > weird 
> > networking constraint.
> > 
> > 
> > Lawrence Lim
> > Software Developer
> > -
> > 
> > ENBRIDGE
> > TEL: 780-969-6208
> > 10175 101 St NW,  Edmonton, Alberta T5J 0H3
> > 
> > enbridge.com
> > Integrity. Safety. Respect.
> > 

RE: Tomcat 8.5.23

2018-02-22 Thread Felix Schumacher


On 15 February 2018 19:25:24 CET, Lawrence Lim wrote:
>Red Hat Enterprise Linux Server release 6.9 (Santiago)

How did you install tomcat? 
Are you running tomcat with some kind of security manager enabled (Java or 
system wide)? 
Can the tomcat user (running the process) write to the filesystem?

Regards, 
Felix 

>
>Yes. I did check the logs. It does not log anything when I deploy. But,
>it logs something when I undeploy. 
>
>Lawrence Lim  
>Software Developer
>-
>
>ENBRIDGE
>TEL: 780-969-6208
>10175 101 St NW,  Edmonton, Alberta T5J 0H3
>
>enbridge.com
>Integrity. Safety. Respect.
>
>-Original Message-
>From: Satish Chhatpar 02 [mailto:chhatp...@cpwplc.com] 
>Sent: Thursday, February 15, 2018 10:58 AM
>To: users@tomcat.apache.org
>Subject: [External] Re: Tomcat 8.5.23
>
>Which operating system?
>Did you check the logs?
>
>Sent using OWA for iPhone
>
>From: Lawrence Lim 
>Sent: Thursday, February 15, 2018 11:09:54 PM
>To: users@tomcat.apache.org
>Subject: Tomcat 8.5.23
>
>Hi,
>
>I just installed tomcat 8.5.23. I am having problems deploying web apps
>via manager. To reproduce:
>
>1.   Login to tomcat manager
>2.   Go to " WAR file to deploy"
>3.   Pick a war file
>
>Error message: FAIL - File upload failed, no file
>
>Workaround: Copy war file to the tomcat webapps directory
>
>I also tried using localhost:8080, same result. So, it's not some weird
>networking constraint.
>
>
>Lawrence Lim
>Software Developer
>-
>
>ENBRIDGE
>TEL: 780-969-6208
>10175 101 St NW,  Edmonton, Alberta T5J 0H3
>
>enbridge.com
>Integrity. Safety. Respect.
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: error creating connection pool

2018-02-22 Thread Felix Schumacher


On 13 February 2018 15:20:00 CET, "Bruce L. Riddle" wrote:
>We are running a CDC Application PHIN MS that uses Tomcat 8.5.11.
>
>As the application starts, we are getting a message that says
>
>'error creating connection pool for dbid.'
>
>Our assumption is that the message is coming from TomCat.  Please,
>what does the message mean and how do we research a possible
>resolution?

Have you looked in other log files for error messages? I can only guess some 
possible misinformed from the given one (which I believe is a message generated 
by the app and not tomcat) 

Check that
 * you have configured a database resource
 * the DB resource has the correct name (equal to the one configured in your 
app) 
 * you have placed the db driver jar in a directory the app or rather tomcat 
expects it

Regards, 
Felix 
>
>
>Thanks.
>
>
>A segment from the LOG:
>
>
>ocalhost-startStop-1|02/13|08:28:35|Processing folderMap:
>C:\PHINMS3.0/config/sender/foldermap.xml|
>localhost-startStop-1|02/13|08:28:35|Loading decryption keystore|
>localhost-startStop-1|02/13|08:28:35|=== Spawning queue 0 |
>Thread-6|02/13|08:28:35|Initializing requeue cachepath from
>C:\PHINMS3.0/\shared\requeueCache|
>Thread-6|02/13|08:28:35|Spawning multi database poller 1...|
>Thread-7|02/13|08:28:35|Connection established|
>Thread-7|02/13|08:28:35|Waiting for records ...|
>localhost-startStop-1|02/13|08:28:35|Error creating connection pool for
>dbid: NHSCR_DB|
>localhost-startStop-1|02/13|08:28:35||
>
>Bruce
>
>
>
>Bruce Riddle
>NHSCR / Dartmouth College
>Phone: 603-653-6620
>PO Box 186, Hanover NH 03755
>



Re: internalProxies regex

2018-01-08 Thread Felix Schumacher

On 08.01.2018 at 16:44, Harrie Robins wrote:

Thanks for the update

I enabled logging for remoteIpFilter like:

I thought you were using the remoteIpValve.

org.apache.catalina.filters.RemoteIpFilter.level = ALL

For the valve it should be

org.apache.catalina.valves.RemoteIpValve.level = FINE

Regards,
 Felix



  


I do get matches when visiting. Is it also possible to print the list of IP’s? 
I have no clue how to do that.

  


Regards,

Harrie

  


On 5 January 2018 at 16:32, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x and 
103.22.200.x-103.22.203.x

Have you enabled debug-logs for the RemoteIpValve? It should print out the IP 
it tries to match.

Regards,
  Felix

  



Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remote IP and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IP and will
get the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I
tested the pattern in a small application.

In my test I made a list of all addresses  in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with java strings.

When you look at the documentation, you will find no double backslashes
there.

And  regarding the usage of the anchors '^' and '$'. They are not needed,
either. Tomcat will use match instead of find and thus they are implicitly
added.

Regards,
   Felix


I matched all these addresses and it works. When I set in tomcat however
it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP
addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
O

Re: internalProxies regex

2018-01-05 Thread Felix Schumacher

On 05.01.2018 at 15:43, Harrie Robins wrote:

All clear.
I apologize, I was in fact not masking the backslashes, I did a wrong copy
paste from the pattern I was using in my test

I tested the following 2 patterns:

^103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

103\.21\.(2(4[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))


The regex can be "simplified" to

103\.21\.24[4-7]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))|103\.22\.20[0-3]\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

or even

103\.(21\.24[4-7]|22\.20[0-3])\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))

But it looks OK, if you want to match IPs from 103.21.244.x-103.21.247.x 
and 103.22.200.x-103.22.203.x


Have you enabled debug-logs for the RemoteIpValve? It should print out 
the IP it tries to match.


Regards,
 Felix



Regards,

Harrie



On 5 January 2018 at 14:46, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 05.01.2018 at 09:47, Harrie Robins wrote:


Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remote IP and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IP and will
get the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I
tested the pattern in a small application.

In my test I made a list of all addresses  in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$


If you configure the valve through the internalProxies attribute, you are
using 'real' strings and don't need to mask the backslashes as you would
have to do with java strings.

When you look at the documentation, you will find no double backslashes
there.

And  regarding the usage of the anchors '^' and '$'. They are not needed,
either. Tomcat will use match instead of find and thus they are implicitly
added.

Regards,
  Felix



I matched all these addresses and it works. When I set in tomcat however
it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas <ma...@apache.org> wrote:

On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP
addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.


What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark

Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins <har...@eyequestion.nl>:


Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html




internalProxies

Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader value, they will be trusted and
will not appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
allowed.

I n

Re: internalProxies regex

2018-01-05 Thread Felix Schumacher

On 05.01.2018 at 09:47, Harrie Robins wrote:

Hi Mark,

our tomcat application servers are fronted by 1. cloudflare, and 2. amazon
load balancer.
In apache there is mod_remote IP and I can simply put in CIDR range:
https://www.cloudflare.com/ips/ that will swallow all those IP and will get
the correct IP to tomcat.

In Tomcat I need
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
which does not accept CIDR range however. I wrote a regex to match all the
addresses and it works, it's matching way too many addresses however so I
rewrote the pattern. My new pattern is not functioning however, so I tested
the pattern in a small application.

In my test I made a list of all addresses  in this range:
^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$


If you configure the valve through the internalProxies attribute, you 
are using 'real' strings and don't need to mask the backslashes as you 
would have to do with java strings.


When you look at the documentation, you will find no double backslashes 
there.


And  regarding the usage of the anchors '^' and '$'. They are not 
needed, either. Tomcat will use match instead of find and thus they are 
implicitly added.


Regards,
 Felix

I matched all these addresses and it works. When I set in tomcat however it
does not, I have no understanding why not?

Hope you understand what I am trying to do.

thanks





On 2 January 2018 at 19:33, Mark Thomas  wrote:


On 02/01/18 09:50, Harrie Robins wrote:

I'm still having problems with matching my pattern.

Right now I'm feeding the following to internalProxies:

^103\\.21\\.(2(4[4-7]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|^103\\.22\\.(2(0[0-3]))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

I created a list of all involved IP addresses and matched those IP
addresses:

java.util.regex.Matcher / java.util.regex.Pattern, please see
https://pastebin.com/Lija7n9k

All addresses from the list I created are matching, just not in tomcat.

What is the value of the remote IP address that is failing to match? You
might want to look at writing a short custom Valve to log that and
insert it into the Pipeline ahead of the RemoteIpValve.

Another option would be to simply remove the RemoteIpValve and write a
simple servlet that logs the remote IP.

Mark


Regards,

Harrie

-Original Message-
From: Harrie Robins [mailto:har...@eyequestion.nl]
Sent: 21 December 2017 09:55
To: 'Tomcat Users List'
Subject: RE: internalProxies regex

This makes perfect sense.
I tested my regex, just against wrong engine.

Thanks for pointing me in the right direction

-Original Message-
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: 20 December 2017 15:19
To: Tomcat Users List
Subject: Re: internalProxies regex

2017-12-20 11:37 GMT+03:00 Harrie Robins :

Hello everyone,



I have a question about the remoteipvalve in tomcat 8.5:
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html




internalProxies

Regular expression that matches the IP addresses of internal proxies.
If they appear in the remoteIpHeader value, they will be trusted and
will not appear in the proxiesHeader value

RemoteIPInternalProxy

Regular expression (in the syntax supported by java.util.regex)

10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|
169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|
172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|
172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
By default, 10/8, 192.168/16, 169.254/16, 127/8 and 172.16/12 are
allowed.



I need to convert some CIDR ranges to regex:

my concern is that /d{1,3} will match too many (non exist) addresses

103\.21\.24\d[4-7]\.\d[0-9]\d{1,3}|103\.22\.20\d[0-3]\.\d[0-9]\d{1,3}|103\.31\.\d[4-7]\.\d[0-9]\d{1,3}

So I re-wrote using capture groups, below does not function however,
and I assume it is due to OR (|) which tomcat will effectively see as a
new entry?

So I tried escaping, but I cannot get it to work:

103\.21\.(2(4[4-7]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))|103\.22\.(2(0[0-3]))\.([0-9]\|[1-9][0-9]\|1([0-9][0-9])\|2([0-4][0-9]\|5[0-5]))

Your assumption that "tomcat will effectively see as a new entry" is
wrong.

The string is used as whole to initialize a java.util.regex.Pattern().
Tomcat does not split it.

You may write a simple program / junit test to test how
java.util.regex.Pattern() processes your value.  Or you may run Tomcat
with debugger,

https://wiki.apache.org/tomcat/FAQ/Developing#Debugging
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario

AFAIK, '\|' in a regular expression will be interpreted as 
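
The points made in this thread (single backslashes in the attribute value, implicit whole-string matching, and the shortened patterns) can be checked exhaustively instead of by eye. The following Java program is an added example, not code from the thread or from Tomcat; the class and method names, the /22 notation for the two ranges, and the out-of-range sample values are constructed for it.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example (not Tomcat code): exhaustive check of internalProxies candidates. */
public class InternalProxiesCheck {

    // Last-octet alternation from the pattern posted in the thread.
    // In Java source, "\\" produces the single backslash the regex needs.
    static final String OCTET = "([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))";
    static final String A = "103\\.21\\.(2(4[4-7]))\\." + OCTET;
    static final String B = "103\\.22\\.(2(0[0-3]))\\." + OCTET;

    /** Expands an IPv4 CIDR block such as 103.21.244.0/22 into dotted-quad strings. */
    static List<String> expand(String cidr) {
        String[] parts = cidr.split("/");
        long base = 0;
        for (String octet : parts[0].split("\\.")) {
            base = (base << 8) | Integer.parseInt(octet);
        }
        long size = 1L << (32 - Integer.parseInt(parts[1]));
        base &= ~(size - 1); // clear host bits
        List<String> out = new ArrayList<>();
        for (long a = base; a < base + size; a++) {
            out.add(((a >> 24) & 255) + "." + ((a >> 16) & 255) + "."
                    + ((a >> 8) & 255) + "." + (a & 255));
        }
        return out;
    }

    /** Returns the inputs for which whole-string matching gives the unwanted result. */
    static List<String> select(Pattern p, List<String> addrs, boolean wantMatch) {
        List<String> out = new ArrayList<>();
        for (String addr : addrs) {
            // matches() must consume the entire input, which is why ^ and $ add nothing.
            if (p.matcher(addr).matches() != wantMatch) {
                out.add(addr);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> candidates = new LinkedHashMap<>();
        // Single backslashes, no anchors: the value as it is written in the attribute.
        candidates.put("posted, unanchored", A + "|" + B);
        candidates.put("posted, anchored", "^" + A + "$|^" + B + "$");
        // Java-literal escaping carried over into the attribute: every backslash doubled.
        candidates.put("doubled backslashes", (A + "|" + B).replace("\\", "\\\\"));
        // Shortest form suggested in the thread.
        candidates.put("shortened",
                "103\\.(21\\.24[4-7]|22\\.20[0-3])\\.(1?[1-9]?[0-9]|2([0-4][0-9]|5[0-5]))");

        List<String> inside = new ArrayList<>(expand("103.21.244.0/22"));
        inside.addAll(expand("103.22.200.0/22"));
        // Constructed values that must not be treated as internal proxies.
        List<String> outside = Arrays.asList("103.21.243.255", "103.21.248.0",
                "103.22.199.255", "103.22.204.0", "103.21.244.256", "1103.21.244.1",
                "103x21x244x1", "103.21.244.1, 10.0.0.1");

        for (Map.Entry<String, String> c : candidates.entrySet()) {
            Pattern p = Pattern.compile(c.getValue());
            List<String> missed = select(p, inside, true);
            List<String> wronglyTrusted = select(p, outside, false);
            System.out.printf("%-20s missed %4d of %d, wrongly trusted %d%n",
                    c.getKey(), missed.size(), inside.size(), wronglyTrusted.size());
            if (!missed.isEmpty()) {
                System.out.println("  first misses: "
                        + missed.subList(0, Math.min(3, missed.size())));
            }
        }
    }
}
```

Because `1?[1-9]?[0-9]` requires a non-zero middle digit in a three-digit octet, last octets 100 to 109 fall outside the shortened form, while the longer alternation covers 0 to 255. The doubled-backslash value matches no address at all, since `\\.` means a literal backslash followed by any character.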

Re: Tomcat 8.5.16 cuts end of body after 10485761 bytes

2017-08-29 Thread Felix Schumacher

On 29.08.2017 at 04:44, Simon De Uvarow wrote:

Hi, I have to respond a big json file:

return Response.status(Status.OK).entity(new
SimpleDataMessageResponse("TASK_FINISH",
str)).build();

The tomcat logs correctly the size in the access log file:

127.0.0.1 - - [29/Aug/2017:02:26:07 +] "GET /./interactiveTask/
1076dde0-b199-4043-9047-e897050eb7fa HTTP/1.1" 200 *12815716 *748 .

*But the browser receives only 10485761 bytes (10 MB).*

I tested with Chrome, Firefox and finally with JMeter, and it's the same in
all cases:
The following is the result of the JMeter:

Size in bytes: *12815830*
Sent bytes: 564
Headers size in bytes: 114
Body size in bytes: *12815716* <- but if I run the JMeter script, copy
the response and check the size, it's *10485761 bytes, not 12815716 bytes*
Data type ("text"|"bin"|""): text
Response code: 200
Response message:

Response headers:
HTTP/1.1 200
Content-Type: application/json
Transfer-Encoding: chunked
Date: Tue, 29 Aug 2017 02:26:07 GMT

GET http://... /interactiveTask/1076dde0-b199-4043-9047-e897050eb7fa

Request Headers:
Connection: keep-alive
Referer: -
Accept-Language: es-ES,es;q=0.8,en;q=0.6,gl;q=0.4,en-US;q=0.2
Accept-Encoding: gzip, deflate, br
Accept: application/json, text/plain, */*
User-Agent: 
Host: localhost:8080



Any idea of what could be happening ?
Is there any max size to configure and fix this?


Well, JMeter has a default max size for storing body contents. It is 10 
MB and can be configured with a property in bin/jmeter.properties:



# Max size of bytes stored in memory per SampleResult
# Ensure you don't exceed max capacity of a Java Array and remember.
# that the higher it is, the higher JMeter will consume heap
# Defaults to 10MB
#httpsampler.max_bytes_to_store_per_request=10485760

Do you have any other signs for the truncation apart from JMeter? How 
did you measure the size in the browsers?


Regards,
 Felix



thanks !


"Do not forget, do not betray, what you carry deep inside you. Do not forget, do not
betray, what has always made you live."







Re: Issue with static file in Tomcat 8.5.17

2017-07-21 Thread Felix Schumacher

On 20.07.2017 at 22:33, George Stanchev wrote:

The problem is related to the new code that handles the case when a
file is stored in one encoding but served in another. Since changing
encodings can change the value and number of bytes served (for example
serving £ in UTF-8 requires two bytes but only one in ISO-8859-1).
This code did not handle requests that use accept-ranges correctly.


While the above is true, the actual problem looking more closely is 
that the content length can change when conversion is used.



Mark



Hi Mark,

I hate to do this, but the issue is still around in another form.
After upgrading to the TC 8.5.18 which is currently under vote, Chrome
fails to parse the jquery file with "SyntaxError: Unexpected Token ?"
error. The response contains some data prior to the jQuery payload (it
is probably encoding stuff) that throws Chrome off.

Unfortunately I cannot pinpoint exactly what is going on.

The original jQuery - the one I sent you with the testapp trying to
reproduce the problem starts with "EF BB BF" before the actual


The EF BB BF is called a Byte Order Mark (BOM) and is a marker to
identify utf-8 coded files. A normal editor won't show those bytes.


payload. When I run it through wget, the file on disk starts with just
"3F". The response in Chrome looks like this: "0x62, 0x36, 0x65, 0x33,
0x0D, 0x0A, 0x3F" - so there is extra "b6e3\r\n" leading prior to the


This looks like the length value that is needed for the chunked
transfer. It is not part of the request content.

Have you set the fileEncoding property?

Felix


"3F". Below [1] is the request/response headers of the Chrome request.
I've got also a HAR if this helps and I can send it to you email
address as it will probably get stripped on the user-mailing list



George


Request Headers:
GET http://hostname:8085/idp/javascript/jquery-1.8.3.min.js HTTP/1.1
Pragma: no-cache
DNT: 1
Accept-Encoding: gzip, deflate
Host: hostname:8085
Accept-Language: en-US,en;q=0.8,bg;q=0.6,und;q=0.4
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115
Safari/537.36
Accept: */*
Cookie: JSESSIONID=blahblah
Connection: keep-alive
Cache-Control: no-cache


Response headers:

HTTP/1.1 200
Date: Thu, 20 Jul 2017 19:59:05 GMT
X-Content-Type-Options: nosniff
Last-Modified: Wed, 07 Jun 2017 08:59:54 GMT
ETag: W/"93640-1496825994000"
X-Frame-Options: DENY
Content-Type: application/javascript
Transfer-Encoding: chunked
Accept-Ranges: bytes
X-XSS-Protection: 1; mode=block
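
The two observations in this message, the `b6e3\r\n` prefix (hexadecimal for a 46819-byte first chunk) and the file starting with 3F instead of EF BB BF, can be reproduced in a few lines. The following Java program is an added illustration, not code from the thread or from Tomcat: it assumes the bytes are decoded as UTF-8 and re-encoded as ISO-8859-1, which the thread does not confirm, and the class name, helper names and payload are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/** Added example: chunked framing versus body bytes, and a BOM re-encoded to '?'. */
public class ChunkedBomDemo {

    /** Reads one CRLF-terminated line (without the CRLF) from the stream. */
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\r') {
                if (in.read() != '\n') {
                    throw new IOException("bare CR in chunk framing");
                }
                return sb.toString();
            }
            sb.append((char) c);
        }
        throw new IOException("unexpected end of stream");
    }

    /** Removes chunked transfer framing and returns the entity body. */
    static byte[] dechunk(byte[] wire) throws IOException {
        InputStream in = new ByteArrayInputStream(wire);
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        while (true) {
            String sizeLine = readLine(in);
            int semi = sizeLine.indexOf(';'); // chunk extensions are ignored
            if (semi >= 0) {
                sizeLine = sizeLine.substring(0, semi);
            }
            int size = Integer.parseInt(sizeLine.trim(), 16); // size is hexadecimal
            if (size == 0) {
                break; // last chunk; trailers are not handled in this example
            }
            byte[] chunk = new byte[size];
            int off = 0;
            while (off < size) {
                int n = in.read(chunk, off, size - off);
                if (n < 0) {
                    throw new IOException("truncated chunk");
                }
                off += n;
            }
            body.write(chunk);
            if (!readLine(in).isEmpty()) {
                throw new IOException("missing CRLF after chunk data");
            }
        }
        return body.toByteArray();
    }

    /** Frames a body as one chunk followed by the terminating zero-size chunk. */
    static byte[] chunk(byte[] body) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write((Integer.toHexString(body.length) + "\r\n").getBytes(StandardCharsets.US_ASCII));
        out.write(body);
        out.write("\r\n0\r\n\r\n".getBytes(StandardCharsets.US_ASCII));
        return out.toByteArray();
    }

    /** Hex dump of the first n bytes. */
    static String hex(byte[] b, int n) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < Math.min(n, b.length); i++) {
            sb.append(String.format("%02X ", b[i] & 0xFF));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for the script on disk: UTF-8 BOM followed by ASCII text.
        ByteArrayOutputStream file = new ByteArrayOutputStream();
        file.write(new byte[] {(byte) 0xEF, (byte) 0xBB, (byte) 0xBF});
        file.write("/* constructed payload */".getBytes(StandardCharsets.US_ASCII));
        byte[] onDisk = file.toByteArray();

        // Assumption: content is decoded as UTF-8 and re-encoded as ISO-8859-1.
        // U+FEFF has no ISO-8859-1 mapping, so the encoder substitutes '?' (0x3F).
        byte[] served = new String(onDisk, StandardCharsets.UTF_8)
                .getBytes(StandardCharsets.ISO_8859_1);

        byte[] wire = chunk(served);
        System.out.println("on disk : " + hex(onDisk, 6));
        System.out.println("on wire : " + hex(wire, 8) + "   (hex size line, CRLF, then body)");
        System.out.println("body    : " + hex(dechunk(wire), 6));
    }
}
```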





Re: Thread.sleep CPU time

2017-05-10 Thread Felix Schumacher


On 10 May 2017 09:44:13 CEST, Oliver Fernandez wrote:
>While profiling my Tomcat app using YourKit, I noticed two Threads,
>consuming 57% of total CPU, in the method Thread.sleep()
>
>[image: Inline images 1]

The image was removed by the mailing list. Could you post the details as text?

Regards,
 Felix

>
>What's this Thread.sleep() about?




Re: Fwd: Custom JNDIRealm with Configuration

2017-04-19 Thread Felix Schumacher

On 13.04.2017 at 12:58, Lucas S. Silva wrote:

Hi All,

I am implementing a custom JNDIRealm and I need to pass some
configurations to it.

I tried to pass the configuration via Real configuration



and in my code I define the setter and getter for
*configurationPattern* but when I debug it doesn't seem to
be set? I also need to add more parameters that may
not fit Realm.
Can I access Tomcat configuration from code?

Are you sure, that you are editing the correct file? What happens, when 
you add a log statement in your constructor?


And by the way, the debug parameter is not used anymore.

Regards,
 Felix



Thanks for the help in advance.

Cheers,
Lucas







Re: Tomcat Hangs up and doesn't start

2017-03-19 Thread Felix Schumacher

On 19.03.2017 at 14:09, Mahmoud Ramadan wrote:

But whenever I use the command
  [root@localhost ~]# service tomcat status
tomcat dead but subsys locked

I see the service dead, I tried to remove the /var/lock/subsys/tomcat and
restarting the service again or rebooting the system but still get " tomcat
dead but subsys locked " and can not get anything when browsing
http://10.1.1.25:8080

You showed us, that you were running tomcat as a normal console app 
(which seemed to work, as Andre pointed out). Now you are expecting it 
to have been somehow magically transformed into a unix service?


That will probably not work.

What happens, when you stop the console app (the catalina.sh run) and 
start tomcat as a service alone (with service tomcat start)?


Note, that I haven't used CentOS before and don't know, what init system 
it uses. I always found it easier, to download an unmodified version of 
tomcat from the apache tomcat homepage and start from there.


Felix


Best Regards,

Mahmoud Ramadan Ali

Network and VOIP Specialist.

Mobil: (+2) 01276877112



On Sun, Mar 19, 2017 at 3:30 PM, André Warnier (tomcat) wrote:


On 19.03.2017 12:59, Mahmoud Ramadan wrote:


Hi all,
I've installed Tomcat on Centos 6.2 and when I try to start the service it
hangs up at " INFO: Server startup in 6935 ms " and stays forever, below
the debugs, thanks


What do you expect it to "do" after starting up ?
It's a HTTP server, so when it's done with starting up, it waits for HTTP
requests, to process them. The logfile (or the console, if that is where
you are running it) won't show anything else, unless there are errors
processing requests (or until you stop tomcat).

In other words : there is nothing abnormal in the log which you show
below. To me, it looks like a perfectly healthy tomcat, just waiting for
something to do.



[root@localhost ~]# sh /opt/tomcat7/bin/catalina.sh run
Using CATALINA_BASE:   /opt/tomcat7
Using CATALINA_HOME:   /opt/tomcat7
Using CATALINA_TMPDIR: /opt/tomcat7/temp
Using JRE_HOME:/opt/java/jre1.7.0_04
Using CLASSPATH:
/opt/tomcat7/bin/bootstrap.jar:/opt/tomcat7/bin/tomcat-juli.jar
Mar 19, 2017 11:22:15 AM org.apache.catalina.core.AprLifecycleListener
init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path:
/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Mar 19, 2017 11:22:15 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Mar 19, 2017 11:22:15 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Mar 19, 2017 11:22:15 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Mar 19, 2017 11:22:15 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1234 ms
Mar 19, 2017 11:22:15 AM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Mar 19, 2017 11:22:15 AM org.apache.catalina.core.StandardEngine
startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.23
Mar 19, 2017 11:22:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/examples
Mar 19, 2017 11:22:19 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/orktrack
0 [pool-2-thread-1] INFO context  - OrkTrack ContextInitialized()
log4jConfigFile is logging.properties
0 [pool-2-thread-1] INFO context  - OrkTrack ContextInitialized()
configFile is orktrack.config.xml
1 [pool-2-thread-1] INFO context  - OrkTrack ContextInitialized()
HibernateConfigFile is database.hbm.xml
2 [pool-2-thread-1] INFO context  - OrkTrack ContextInitialized():
TomcatHome is set to /opt/tomcat7
2017-03-19 11:22:19,440 net.sf.oreka.orktrack.OrkTrack  INFO -

2017-03-19 11:22:19,453 net.sf.oreka.orktrack.OrkTrack  INFO - OrkTrack
starting ...
2017-03-19 11:22:19,472 config  WARN - ConfigManager.load: config file
/etc/orkweb//orktrack.config.xml is empty or does not exist.
2017-03-19 11:22:20,956 net.sf.oreka.orktrack.OrkTrack  INFO - OrkTrack
started successfully.
2017-03-19 11:22:20,956 net.sf.oreka.orktrack.OrkTrack  INFO -

Mar 19, 2017 11:22:20 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/manager
Mar 19, 2017 11:22:21 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/host-mana
ger
Mar 19, 2017 11:22:21 AM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory /opt/tomcat7/webapps/orkweb
2017-03-19 

Re: Help On Tomcat Process which is utilizing more than 300%

2016-12-04 Thread Felix Schumacher

On 04.12.2016 at 07:37, Jayaram Ponnusamy wrote:

Dear All,

I am new to Tomcat. We are using Tomcat 7.0.42 with JVM 1.7.0_40-b43 on Rhel
6 (8 Core CPU).
Suddenly tomcat process start utilizing more than 300% and our website
performance went down.

I couldn't find anything in the Log. Kindly please help me to resolve this
issue.

One approach would be to take a couple of thread dumps, when this 
happens and look for threads that are doing work at that time. (Look for 
"Thread Dump" on https://wiki.apache.org/tomcat/HowTo)
Another problem could be garbage collections, that are using too much 
cpu. (You could look at 
http://www.tomcatexpert.com/blog/2011/11/16/setting-measurement-garbage-collection-apache-tomcat 
or google yourself a bit)


If you want to get a better picture of the threads that are running, I 
would recommend to use the jdk tools jconsole, jvisualvm or the newer jmc.


Regards,
 Felix





-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat Realm/LDAP - userRoles and Organization Unit name for authenticated users

2016-12-04 Thread Felix Schumacher

On 04.12.2016 at 08:04, Taylor, Larry wrote:

Hello,

For  Users that have authenticated  from the Web Login page through Tomcat 
Realm LDAP configuration is it possible to get the authenticated user's 
ou=Organizational Unit or Department name?   and also what their role names 
are?   I need this information to pass to a servlet or jsp page.

I saw documentation about the java.security.Principal class but could not find 
any documentation or examples on how to get this type of information after 
users are authenticated.

I am able to get the username with  ${pageContext.request.userPrincipal.name} & 
 request.getRemoteUser(); but nothing about how to get the user's member 
affiliations and roles.

The standard way to get the roles is to iterate over your expected roles 
and ask for request.isUserInRole(role). The servlet spec has no API to 
get directly a list of roles.


If you are willing to bind yourself to the implementation of JNDIRealm 
you could get the list of roles. But I don't recommend it, as that 
implementation is not guaranteed to stay stable.


Do you really need to get the list, or is isUserInRole enough?

Regards,
 Felix


Any information or pointers on this is appreciated.



Larry Taylor
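The approach from the reply above (ask `request.isUserInRole(role)` for each expected role), written as a servlet filter so that servlets and JSPs can read the result. This is an added example, not code from the thread or from Tomcat; the class name, the `expectedRoles` init-param and the `grantedRoles` attribute name are assumptions, and it targets the `javax.servlet` API used by Tomcat 7 to 9. It does not expose the LDAP organizational unit, which the servlet API has no call for.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Publishes the subset of expected roles that the authenticated user holds.
 * The servlet spec offers no "list my roles" call, so the filter probes each
 * role the application knows about with isUserInRole().
 */
public class GrantedRolesFilter implements Filter {

    /** Request attribute read by servlets and JSPs (hypothetical name). */
    public static final String ATTRIBUTE = "grantedRoles";

    private List<String> expectedRoles = Collections.emptyList();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param: comma-separated role names, the same names
        // the Realm returns (for an LDAP realm, the role attribute values).
        String param = config.getInitParameter("expectedRoles");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("init-param 'expectedRoles' is required");
        }
        List<String> roles = new ArrayList<>();
        for (String role : param.split(",")) {
            String trimmed = role.trim();
            if (!trimmed.isEmpty()) {
                roles.add(trimmed);
            }
        }
        expectedRoles = Collections.unmodifiableList(roles);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            request.setAttribute(ATTRIBUTE, grantedRoles((HttpServletRequest) request));
        }
        chain.doFilter(request, response);
    }

    /** Returns an unmodifiable set; empty when nobody is authenticated. */
    Set<String> grantedRoles(HttpServletRequest request) {
        Set<String> granted = new LinkedHashSet<>();
        if (request.getUserPrincipal() == null) {
            return Collections.unmodifiableSet(granted);
        }
        for (String role : expectedRoles) {
            // The container answers from the Principal the Realm created at login.
            if (request.isUserInRole(role)) {
                granted.add(role);
            }
        }
        return Collections.unmodifiableSet(granted);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

With the filter mapped to the protected URLs, a JSP can read the set as `${requestScope.grantedRoles}`. Authorization decisions should still call `isUserInRole` or rely on security constraints rather than on this display value.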








Re: Automatic: SuTing Chen has left the office (return date 2016-11-12)

2016-08-31 Thread Felix Schumacher


On 31 August 2016 21:15:22 CEST, Christopher Schultz 
<ch...@christopherschultz.net> wrote:
>
>Felix,
>
>On 8/31/16 3:51 AM, Felix Schumacher wrote:
>> 
>> 
>> On 29 August 2016 11:44:50 CEST, Mark Thomas
>> <ma...@apache.org> wrote:
>>> On 29/08/2016 02:05, Christopher Schultz wrote:
>>>> Mark,
>>>> 
>>>> On 8/27/16 2:13 PM, Mark Thomas wrote:
>>>>> On 27/08/2016 13:48, Christopher Schultz wrote:
>>>>>> All,
>>>>>> 
>>>>>> CC'ing markt, since he's both Tomcat PMC and INFRA.
>>>> 
>>>>> 
>>>> 
>>>>>> This is an out-of-office reply. Isn't there a way to have
>>>>>> the mailing list reject (or ignore) messages with the
>>>>>> following SMTP headers?
>>>>>> 
>>>>>> Auto-Submitted: auto-generated
>>>>>> Auto-Submitted: auto-replied
>>>> 
>>>>> The message was sent to you personally, not the mailing
>>>>> list.
>>>> 
>>>> In the headers of the original message, the "To" field says:
>>>> 
>>>> To: "Tomcat Users List" <users@tomcat.apache.org>
>>>> 
>>>> Other interesting headers are:
>>>> 
>>>> List-Help: <mailto:users-h...@tomcat.apache.org> 
>>>> List-Unsubscribe: <mailto:users-unsubscr...@tomcat.apache.org> 
>>>> List-Post: <mailto:users@tomcat.apache.org> List-Id:
>>>>  Reply-To: "Tomcat Users List"
>>>> <users@tomcat.apache.org> Delivered-To: mailing list
>>>> users@tomcat.apache.org X-Virus-Scanned: Debian amavisd-new at
>>>> spamd3-us-west.apache.org Received: from mx2-lw-eu.apache.org
>>>> ([10.40.0.8]) by localhost (spamd3-us-west.apache.org
>>>> [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id
>>>> YHQOnyUbgpPC for <users@tomcat.apache.org>; Fri, 26 Aug 2016
>>>> 14:02:41 + (UTC)
>>>> 
>>>> 
>>>> I'm pretty sure that message came through the ASF mailing
>>>> list.
>>> 
>>> Sorry. You are correct. I must have deleted it as spam.
>>> 
>>>>> You'd need to configure an appropriate filter on your client
>>>>> / mail server depending on your personal config.
>>>> 
>>>>> These responses do occasionally make it to the list but not
>>>>> often enough (yet) that I've felt the need to do anything
>>>>> about it.
>>>> 
>>>> Ok.
>>> 
>>> We can reject all messages that contain a given header. I've
>>> added "Auto-Submitted" to the list for the users mailing list and
>>> we'll see what impact that has.
>> 
>> All "Auto-Submitted"? Or just those that do not have the value "no"?
>
>I'd expect the list to ignore anything with either of:
>
>Auto-Submitted: auto-generated
>Auto-Submitted: auto-replied
>
>"Auto-Submitted: no" is probably fairly rare, and those are actually
>the messages we'd probably want to RETAIN.

That is exactly what I was trying to say. I read Mark's answer to mean that he 
wants to throw away every message that has the header, regardless of its value. 

Felix
>
>- -chris



Re: Automatic: SuTing Chen has left the office (return date 2016-11-12)

2016-08-31 Thread Felix Schumacher


On 29 August 2016 11:44:50 CEST, Mark Thomas wrote:
>On 29/08/2016 02:05, Christopher Schultz wrote:
>> Mark,
>> 
>> On 8/27/16 2:13 PM, Mark Thomas wrote:
>>> On 27/08/2016 13:48, Christopher Schultz wrote:
>>>> All,
>>>> 
>>>> CC'ing markt, since he's both Tomcat PMC and INFRA.
>> 
>>> 
>> 
>>>> This is an out-of-office reply. Isn't there a way to have the
>>>> mailing list reject (or ignore) messages with the following SMTP
>>>> headers?
>>>> 
>>>> Auto-Submitted: auto-generated
>>>> Auto-Submitted: auto-replied
>> 
>>> The message was sent to you personally, not the mailing list.
>> 
>> In the headers of the original message, the "To" field says:
>> 
>> To: "Tomcat Users List" 
>> 
>> Other interesting headers are:
>> 
>> List-Help: 
>> List-Unsubscribe: 
>> List-Post: 
>> List-Id: 
>> Reply-To: "Tomcat Users List" 
>> Delivered-To: mailing list users@tomcat.apache.org
>> X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
>> Received: from mx2-lw-eu.apache.org ([10.40.0.8])
>>  by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new,
>> port 10024)
>>  with ESMTP id YHQOnyUbgpPC for ;
>>  Fri, 26 Aug 2016 14:02:41 + (UTC)
>> 
>> 
>> I'm pretty sure that message came through the ASF mailing list.
>
>Sorry. You are correct. I must have deleted it as spam.
>
>>> You'd need to configure an appropriate filter on your client /
>>> mail server depending on your personal config.
>> 
>>> These responses do occasionally make it to the list but not often 
>>> enough (yet) that I've felt the need to do anything about it.
>> 
>> Ok.
>
>We can reject all messages that contain a given header. I've added
>"Auto-Submitted" to the list for the users mailing list and we'll see
>what impact that has.

All "Auto-Submitted"? Or just those that do not have the value "no"?

Regards, 
Felix 

>
>Mark
>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
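The distinction raised in the two messages above, rejecting on the mere presence of `Auto-Submitted` versus rejecting only values other than `no`, shown as a header check. This is an added example, not the ASF list configuration or ezmlm code; the class name and the sample messages are constructed, and comment stripping handles non-nested comments only.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public final class AutoSubmittedPolicy {

    public enum Decision { ACCEPT, REJECT }

    private AutoSubmittedPolicy() { }

    /** Rejects a message when any Auto-Submitted field carries a value other than "no". */
    public static Decision decide(String rawMessage) {
        for (String field : headerFields(rawMessage)) {
            int colon = field.indexOf(':');
            if (colon <= 0) {
                continue; // not a "name: value" field
            }
            String name = field.substring(0, colon).trim();
            if (!name.equalsIgnoreCase("Auto-Submitted")) {
                continue;
            }
            // Anything but "no" (auto-replied, auto-generated, unknown or
            // misspelled keywords, an empty value) counts as automatic.
            if (!"no".equals(keyword(field.substring(colon + 1)))) {
                return Decision.REJECT;
            }
        }
        return Decision.ACCEPT; // field absent, or explicitly "no"
    }

    /** Returns the unfolded header fields; stops at the blank line before the body. */
    static List<String> headerFields(String rawMessage) {
        List<String> fields = new ArrayList<>();
        for (String line : rawMessage.split("\\r?\\n", -1)) {
            if (line.isEmpty()) {
                break; // end of header block, the body is never inspected
            }
            boolean continuation = line.charAt(0) == ' ' || line.charAt(0) == '\t';
            if (continuation && !fields.isEmpty()) {
                int last = fields.size() - 1;
                fields.set(last, fields.get(last) + " " + line.trim());
            } else {
                fields.add(line);
            }
        }
        return fields;
    }

    /** Lower-cased keyword with comments "(...)" and ";parameters" removed. */
    static String keyword(String value) {
        String text = value.replaceAll("\\([^()]*\\)", " ");
        int semicolon = text.indexOf(';');
        if (semicolon >= 0) {
            text = text.substring(0, semicolon);
        }
        return text.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample messages; addresses use the reserved example.org domain.
        String common = "From: someone@example.org\r\nTo: list@example.org\r\n";
        String[][] samples = {
            {"no header", common + "Subject: question\r\n\r\nHello"},
            {"explicit no", common + "Auto-Submitted: no\r\n\r\nHello"},
            {"out of office", common + "AUTO-SUBMITTED: auto-replied (vacation)\r\n\r\nAway"},
            {"folded value", common + "Auto-Submitted:\r\n auto-generated\r\n\r\nReport"},
            {"unknown keyword", common + "Auto-Submitted: auto-replyed\r\n\r\nAway"},
            {"only in body", common + "Subject: headers\r\n\r\nAuto-Submitted: auto-replied"},
        };
        for (String[] sample : samples) {
            System.out.println(sample[0] + " -> " + decide(sample[1]));
        }
    }
}
```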



Re: CONFIRM unsubscribe from users@tomcat.apache.org

2016-07-07 Thread Felix Schumacher

On 07.07.2016 at 20:01, users-h...@tomcat.apache.org wrote:

Hi! This is the ezmlm program. I'm managing the
users@tomcat.apache.org mailing list.

I'm working for my owner, who can be reached
at users-ow...@tomcat.apache.org.

A request has been made to remove

hughhols...@yahoo.com

from the users mailing list. If you agree, please send
a short reply to this address:


users-wc.1467914473.kkhfblfnmljllpmlpdnb-hughholston=yahoo@tomcat.apache.org

Usually, this happens when you just hit the "reply" button.
If this does not work, simply copy the address and paste it into
the "To:" field of a new message.

or click here:

mailto:users-wc.1467914473.kkhfblfnmljllpmlpdnb-hughholston=yahoo@tomcat.apache.org

If you don't approve, simply ignore this message.

Thank you for your help!



Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

2016-07-07 Thread Felix Schumacher

On 07.07.2016 at 18:32, Mekkelsen Madden, Steve wrote:

Every request, making the environment virtually unstable and unusable since 
everything we do is using xml.

The second logs showed json :) In any case, can you reproduce the issue 
in a dev environment? It would be superb, if you could make a minimal 
case, where this happens.


Regards,
 Felix


Regards,

Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
Master  | GCS |  Pegasystems Inc.
Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
steve.mekkelsen.mad...@pega.com | www.pega.com


-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday, July 07, 2016 12:30 PM
To: users@tomcat.apache.org
Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

On 07.07.2016 at 15:04, Mekkelsen Madden, Steve wrote:

Hi, sorry for delay and misinformation of the screenshot.  The screenshot shows 
Fiddler seeing the correct xml using both NIO and NIO2 protocols.  Fiddler does 
not see anything wrong with the requests themselves.  However, when we enable 
more debugging on our server, the logs are showing this: 
http://pastebin.com/ShYzr92e

Note that, this is the same test case run with NIO (which works fine and no 
errors) but fails in NIO2.  Also, that we have been using NIO2 for many months 
without any issues under Tomcat 8.0.32.  It wasn't until the upgrade to 8.5.3 
that NIO2 just stopped working.  Hope this helps.

Can you print out the data on the server side when it fails to parse?

Is this happening on every request or randomly?

Regards,
   Felix

Regards,

Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
Master  | GCS |  Pegasystems Inc.
Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
steve.mekkelsen.mad...@pega.com | www.pega.com


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, July 06, 2016 4:45 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues


Steve,

On 7/6/16 4:22 PM, Mekkelsen Madden, Steve wrote:

Here is the image I tried attaching.  Sorry about that.
[redacted... my SMTP server really doesn't like that URL]

So... what are we looking at, here?

I see a POST URL that looks perfectly fine. I also see XML in the POST request. 
Is this a shot of Fiddler? Where is the problem?

- -chris



Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

2016-07-07 Thread Felix Schumacher

On 07.07.2016 at 15:04, Mekkelsen Madden, Steve wrote:

Hi, sorry for delay and misinformation of the screenshot.  The screenshot shows 
Fiddler seeing the correct xml using both NIO and NIO2 protocols.  Fiddler does 
not see anything wrong with the requests themselves.  However, when we enable 
more debugging on our server, the logs are showing this: 
http://pastebin.com/ShYzr92e

Note that, this is the same test case run with NIO (which works fine and no 
errors) but fails in NIO2.  Also, that we have been using NIO2 for many months 
without any issues under Tomcat 8.0.32.  It wasn't until the upgrade to 8.5.3 
that NIO2 just stopped working.  Hope this helps.

Can you print out the data on the server side when it fails to parse?

Is this happening on every request or randomly?

Regards,
 Felix


Regards,

Steve Mekkelsen Madden  |  Systems Engineer Fellow / DBA / Certified Scrum 
Master  | GCS |  Pegasystems Inc.
Office: (617) 866.6023 | Mobile: (828) 729.9948 | Email: 
steve.mekkelsen.mad...@pega.com | www.pega.com


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, July 06, 2016 4:45 PM
To: Tomcat Users List 
Subject: Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues


Steve,

On 7/6/16 4:22 PM, Mekkelsen Madden, Steve wrote:

Here is the image I tried attaching.  Sorry about that.
[redacted... my SMTP server really doesn't like that URL]

So... what are we looking at, here?

I see a POST URL that looks perfectly fine. I also see XML in the POST request. 
Is this a shot of Fiddler? Where is the problem?

- -chris



Re: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

2016-07-06 Thread Felix Schumacher

On 06.07.2016 at 19:14, Mekkelsen Madden, Steve wrote:

This particular issue has raised a lot of issues in-house and we would greatly 
appreciate a response from someone having more details on why NIO2 no longer 
works.

Thanks!


-Original Message-
From: Mekkelsen Madden, Steve
Sent: Friday, July 01, 2016 12:56 PM
To: Tomcat Users List 
Subject: SSL/TLS 8.5.3 upgrade from 8.0.32 using NIO2 url encoding issues

Hi all,

Is anyone aware of why after upgrading from Tomcat 8.0.32x64 (Windows) to 8.5.3x64 using the 
connector protocol of: protocol="org.apache.coyote.http11.Http11Nio2Protocol"  fails with 
url encoding errors?  Once it was changed back to 
protocol="org.apache.coyote.http11.Http11NioProtocol" all the errors stopped.  This 
completely broke the application and made it unusable as the xml being returned was not decoded and 
resulted in sax parse exceptions with our AJAX connections.   I haven't found anything related to 
the protocol changing, only the parameters for the SSL/TLS attributes which are in place and work.  
It's almost like it's blocking the requests when it should be unblocking the requests?  Thanks!!

Have you tried to compare the responses, that you get through the two 
connectors? Especially the characters before the xml prolog would be 
interesting.

Do you get the same errors, when you are requesting the url without tls?

Regards,
 Felix


Database Type: Oracle 12c Linux x64
Driver used: ojdbc7.jar
Connector attribute:

 

 

An example of the error looks like the below:
23 Jun 2016 01:28:39,731 [sl-nio2-8443-exec-11] 
(ngineinterface.service.HttpAPI) ERROR: Error adopting XML from post data 
com.pega.pegarules.pub.clipboard.InvalidStreamError: InvalidStream
com.pega.pegarules.data.internal.clipboard.XMLStream.newStream(String, 
StorageStream)   sax parse error: Content is not allowed in prolog.
From: (H64E3757ED751A9AEE78817056219F4F9:10.224.243.66)
at 
com.pega.pegarules.data.internal.clipboard.XMLStream.newStream(XMLStream.java:477)
at 
com.pega.pegarules.data.internal.clipboard.XMLStream.newStream(XMLStream.java:432)
at 
com.pega.pegarules.data.internal.clipboard.ClipboardPageImpl.adoptXMLForm(ClipboardPageImpl.java:818)
at 
com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.mapInputData(HttpAPI.java:2481)
at 
com.pega.pegarules.session.external.engineinterface.service.EngineAPI.activityExecutionProlog(EngineAPI.java:554)
at 
com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:388)
at sun.reflect.GeneratedMethodAccessor90.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1277)
at 
com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1015)
at 
com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:848)
at 
com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequest(EngineAPI.java:331)
at 
com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.invoke(HttpAPI.java:817)
at 
com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._invokeEngine_privact(EngineImpl.java:327)
at 
com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:270)
at 
com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:247)
at 
com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngineInner(JNDIEnvironment.java:278)
at 
com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngine(JNDIEnvironment.java:223)
at 
com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:574)
at 
com.pega.pegarules.web.impl.WebStandardImpl.doPost(WebStandardImpl.java:374)
at sun.reflect.GeneratedMethodAccessor89.invoke(Unknown Source)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:338)
at 
com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:379)
at 
com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:216)
at 
com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:265)
at 

Re: Memory Leak

2016-06-28 Thread Felix Schumacher


On 29 June 2016 02:26:57 CEST, Leo Donahue wrote:
>On Jun 28, 2016 4:57 PM, "Roman Gelfand"  wrote:
>>
>> I am running a middleware application in .. tomcat...
>
>Ok.  This is something you wrote and deployed or it is a third party
>war
>file?
>
>>
>> catalina.out.prob:SEVERE: The web application [] appears to have
>started a
>> thread named [cluster-ClusterId{value='5745ebcecdb2e06579174645',
>> description='null'}-devnymongodb01.meridiancapital.com:27017] but has
>> failed to stop it. This is very likely to create a memory leak.
>>
>
>Basically that says either you intentionally created a thread local
>variable that you did not close, or the third party war file did.

To be pedantic, the warning is about a thread not being closed.

Regards, 
Felix 

>
>If not you then ask your vendor to fix their app.
>
>>
>> --
>> Thanks,
>> R. Gelfand





RE: FW: Tomcat 6.0.45 - Problem in creating the socket.

2016-06-13 Thread Felix Schumacher


On 13 June 2016 08:01:51 CEST, "Radha Krishna Meduri -X (radmedur - 
HCL TECHNOLOGIES LIMITED at Cisco)" <radme...@cisco.com> wrote:
>Thanks Felix for your reply. Yes the connect has defined properly.
>
>  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>  maxSavePostSize="-1"
>  maxPostSize="20971520"
>  maxThreads="150" scheme="https" secure="true"
>  minSpareThreads="25" maxSpareThreads="75"
>  enableLookups="false" disableUploadTimeout="true"
>  acceptCount="100" URIEncoding="UTF-8"
>  sslProtocol="TLS" server=" "
>  clientAuth="false"
>  keystoreType="PKCS11"
>SSLImplementation="org.apache.tomcat.util.net.jsse.XXXSSLImplementation"
>  ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
>
>Above SSL Implementation is custom implementation based on NSS/JSS. As I
>said same implementation works fine with 6.0.37.

Have you tried to recompile your own implementation with the current tomcat 
source code? The class JSSEImplementation was changed between 6.0.37 and 6.0.45 
(the overridden method getServerSocketFactory has been added. )

What is the reason for your own implementation, why can't you use the tomcat 
ones? 

Regards, 
Felix 

>
>Thanks
>Radhakrishna
>
>-Original Message-
>From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
>Sent: Monday, June 13, 2016 11:07 AM
>To: Tomcat Users List
>Subject: Re: FW: Tomcat 6.0.45 - Problem in creating the socket.
>
>
>
>On 13 June 2016 07:25:54 CEST, "Radha Krishna Meduri -X
>(radmedur - HCL TECHNOLOGIES LIMITED at Cisco)" <radme...@cisco.com> wrote:
>>Anyone can help on this?
>
>Could you explain a bit more, how you configured the connector/ssl
>implementation?
>
>Perhaps post a snippet of the server.xml, or where you got the nss/jss?
>
>Thanks,
>Felix
>
>>
>>-Original Message-
>>From: Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at
>>Cisco)
>>Sent: Friday, June 10, 2016 7:12 PM
>>To: users@tomcat.apache.org
>>Subject: Tomcat 6.0.45 - Problem in creating the socket.
>>
>>Hi,
>>We are trying to upgrade to 6.0.45 from 6.0.37.
>>Tomcat starting fine, but while creating the socket we are getting 
>>following exception.
>>
>>For SSL implementation, we are using NSS/JSS from Mozilla.
>>The SSL implementation works fine with 6.037, but failing with 45.
>>Do you have any idea whether we have to modify SSL implementation to 
>>reflect new Tomcat changes?
>>
>>org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler
>process
>>SEVERE: Error reading request, ignored
>>java.lang.ClassCastException:
>>com.sun.net.ssl.internal.ssl.SSLSocketImpl cannot be cast to 
>>org.mozilla.jss.ssl.SSLSocket at
>>org.apache.tomcat.util.net.jsse.XXXSSLImplementation.getSSLSupport(XXXS
>>SLImplementation.java:51)
>>at
>>org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process
>>(Http11Protocol.java:606)
>>at
>>org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:504)
>>at java.lang.Thread.run(Unknown Source)
>>
>>Thanks
>>Radhakrishna
>>



Re: FW: Tomcat 6.0.45 - Problem in creating the socket.

2016-06-12 Thread Felix Schumacher


On 13 June 2016 07:25:54 CEST, "Radha Krishna Meduri -X (radmedur - 
HCL TECHNOLOGIES LIMITED at Cisco)" wrote:
>Anyone can help on this?

Could you explain a bit more, how you configured the connector/ssl 
implementation?

Perhaps post a snippet of the server.xml, or where you got the nss/jss?

Thanks, 
Felix

>
>-Original Message-
>From: Radha Krishna Meduri -X (radmedur - HCL TECHNOLOGIES LIMITED at
>Cisco) 
>Sent: Friday, June 10, 2016 7:12 PM
>To: users@tomcat.apache.org
>Subject: Tomcat 6.0.45 - Problem in creating the socket.
>
>Hi,
>We are trying to upgrade to 6.0.45 from 6.0.37.
>Tomcat starting fine, but while creating the socket we are getting
>following exception.
>
>For SSL implementation, we are using NSS/JSS from Mozilla.
>The SSL implementation works fine with 6.037, but failing with 45.
>Do you have any idea whether we have to modify SSL implementation to
>reflect new Tomcat changes?
>
>org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler process
>SEVERE: Error reading request, ignored
>java.lang.ClassCastException:
>com.sun.net.ssl.internal.ssl.SSLSocketImpl cannot be cast to
>org.mozilla.jss.ssl.SSLSocket
>at
>org.apache.tomcat.util.net.jsse.XXXSSLImplementation.getSSLSupport(XXXSSLImplementation.java:51)
>at
>org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
>at
>org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:504)
>at java.lang.Thread.run(Unknown Source)
>
>Thanks
>Radhakrishna
>



Re: Tomcat 9 realm datasource digest attribute

2016-06-11 Thread Felix Schumacher


On 10 June 2016 22:12:02 CEST, Hardibo Pierre-Jean wrote:
>Hello, it seems realm's digest attribute is deprecated in tomcat9, how
>
>can i replace it ? (MD5) thanks

I think you are looking for the nested component CredentialHandler ( 
http://tomcat.apache.org/tomcat-9.0-doc/config/credentialhandler.html ).

Chris gave a talk about them at the last apache con.

Regards, 
Felix 

>


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
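What the move from the Realm's `digest` attribute to a nested CredentialHandler looks like in `server.xml`, as an added example that is not taken from the thread or from the Tomcat documentation. The data source name, the table and column names and the PBKDF2 parameters are assumptions; the algorithm name must be one the JRE in use provides.

```xml
<!-- Before (Tomcat 8.0 and earlier): digest configured on the Realm itself. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="MD5"/>

<!-- After, same behaviour: the digest moves into a nested CredentialHandler.
     Stored MD5 hex digests keep matching unchanged. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="MD5"/>
</Realm>

<!-- After, with a migration path away from MD5: NestedCredentialHandler accepts
     a login if any nested handler matches, so salted PBKDF2 values and legacy
     MD5 values can sit in the same column. The application has to store the
     PBKDF2 form when a password is set or changed; the realm does not rehash
     existing rows. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name">
  <CredentialHandler className="org.apache.catalina.realm.NestedCredentialHandler">
    <CredentialHandler className="org.apache.catalina.realm.SecretKeyCredentialHandler"
                       algorithm="PBKDF2WithHmacSHA512"
                       iterations="100000" saltLength="16" keyLength="256"/>
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="MD5"/>
  </CredentialHandler>
</Realm>
```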



Re: performance of tomcat 8 is less than tomcat 6

2016-04-30 Thread Felix Schumacher

On 20.04.2016 at 12:55, Ravi Chandra Suryavanshi wrote:

Yes I tried the NIO and NIO2 but not seen much difference. The TPS only 
increased 3K  with NIO2.

Can you try it with nio enabled in tomcat 6 and see, if that is slower, 
too? Same with bio and tomcat 8 and see if it is better?


Regards,
 Felix


-Original Message-
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, April 20, 2016 4:21 PM
To: Tomcat Users List
Subject: RE: performance of tomcat 8 is less than tomcat 6

On 20 Apr 2016 1:30 pm, "Ravi Chandra Suryavanshi" < 
ravi.chandra.suryavan...@ericsson.com> wrote:

Hi Christopher,
PFA, the requested XMLs. Just want to highlight that tomcat 8  is not

able to use the CPU usage. I have tried maxThread 200,300,400 but result is 
same sometimes even less TPS.

Regards,
Ravi

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, April 19, 2016 7:38 PM
To: Tomcat Users List
Subject: Re: performance of tomcat 8 is less than tomcat 6


Ravi,

On 4/19/16 1:04 AM, Ravi Chandra Suryavanshi wrote:

Hi, I am using tomcat 6 in my product. I am planning to upgrade to
tomcat 8 as tomcat is going to EoS in Dec-2016. I have just taken
the performance of Tomcat 8 and found the 70% less performance
compared to tomcat 6. See the below results Tomcat 6 is giving
167473.2/s whereas tomcat 8 is giving 100436.6/s I have just
compared with two standalone tomcat which is just hitting the
HelloWorld servlet available in example.

Kindly let me know what need to configure to boost the performance.

Following are my setup: Java=Java 8 HttpClient=HttpClient4 Benchmark
tool=jmeter

testserver:~# uname -a
Linux testserver 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux



testserver:~# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                32
On-line CPU(s) list:   0-31
Thread(s) per core:    2
Core(s) per socket:    8
Socket(s):             2
NUMA node(s):          2
Vendor ID:             GenuineIntel
CPU family:            6
Model:                 63
Model name:            Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
Stepping:              2
CPU MHz:               2600.000
BogoMIPS:              5210.53
Virtualization:        VT-x
L1d cache:             32K
L1i cache:             32K
L2 cache:              256K
L3 cache:              20480K
NUMA node0 CPU(s):     0-7,16-23
NUMA node1 CPU(s):     8-15,24-31

testserver:~# vmstat -s
131730840 K total memory
5931052 K used memory
7126352 K active memory
5511616 K inactive memory
116069376 K free memory
20888 K buffer memory
9709520 K swap cache
11681788 K total swap
0 K used swap
11681788 K free swap
54069797 non-nice user cpu ticks
997 nice user cpu ticks
9712353 system cpu ticks
15112937897 idle cpu ticks
37101 IO-wait cpu ticks
73 IRQ cpu ticks
21245 softirq cpu ticks
0 stolen cpu ticks
8918100 pages paged in
267868897 pages paged out
0 pages swapped in
0 pages swapped out
4281536287 interrupts
4185543972 CPU context switches
1456296771 boot time
84815522 forks



Tomcat 6 performance

Linux 3.10.0-229.el7.x86_64 (testserver) 04/19/2016 _x86_64_ (32 CPU)

05:36:33 PM  CPU  %user  %nice  %system  %iowait  %steal  %idle
05:36:38 PM  all  37.66   0.00    14.69     0.10    0.00  47.55
05:36:43 PM  all  37.61   0.00    14.50     0.01    0.00  47.89
05:36:48 PM  all  38.31   0.00    14.48     0.03    0.00  47.19
05:36:53 PM  all  37.45   0.00    14.53     0.01    0.00  48.01
05:36:58 PM  all  37.97   0.00    14.67     0.02    0.00  47.34
05:37:03 PM  all  37.68   0.00    14.62     0.01    0.00  47.69

Created the tree successfully using HTTPRequest.jmx
Starting the test @ Wed Apr 13 17:34:58 CEST 2016 (1460561698701)
Waiting for possible shutdown message on port 4445
summary +    16181 in  1.3s =  12893.2/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%) Active: 3 Started: 3 Finished: 0
summary +  5187350 in   30s = 172911.7/s Avg: 0 Min: 0 Max: 31 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
summary =  5203531 in 31.3s = 166486.4/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
summary +  5207210 in   30s = 173573.7/s Avg: 0 Min: 0 Max: 26 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 10410741 in 61.3s = 169957.4/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
summary +  5039715 in   30s = 167990.5/s Avg: 0 Min: 0 Max: 13 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 15450456 in 91.3s = 169310.8/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)
summary +  5024196 in   30s = 167473.2/s Avg: 0 Min: 0 Max: 22 Err: 0 (0.00%) Active: 24 Started: 24 Finished: 0
summary = 20474652 in  121s = 168856.1/s Avg: 0 Min: 0 Max: 67 Err: 0 (0.00%)



Re: JSESSIONID changed without notice

2016-04-11 Thread Felix Schumacher
On Monday, 11.04.2016, 10:22 +, Arno Schäfer wrote:
> Hi Felix,
> 
> thank you very much for that hint.
> 
> > When a session gets 'authenticated' its id will change to prevent 
> > session fixation attacks. If you are interested in the events telling 
> > you the change you have two possibilities:
> ok, that explain, what I see :-)
>  
> > 1. Use servlet api 3.1 and use a HttpSessionIdListener (which means 
> > upgrading to tomcat 8 or newer)
> That's an option for the next release, not for now.
> 
> > 2. Use a ContainerListener.
> I took the 'org.apache.catalina.ContainerListener' and implement
> the interface in my own SessionListener, but I got no container event
> there. Is this the interface and the right place for the implementation?

You will have to register the ContainerListener yourself with the
context. You might want to try using a LifecycleListener to do this.

The SessionListener is from servlet API, the Container- and
LifecycleListener are tomcat internal classes. They will not mix that
perfectly, as they are kept apart on purpose.

Regards,
 Felix

> 
> 
> best regards
> Arno
> 
> 



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
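
The second option from this thread (a ContainerListener registered with the context through a LifecycleListener), as an added example that is not code from the posters or from the Tomcat project. The package, class and method names are hypothetical, and it assumes Tomcat reports an ID change as a Context.CHANGE_SESSION_ID_EVENT whose data is a String[] holding the old and the new ID.

```java
package example.tomcat; // hypothetical package name

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.catalina.ContainerEvent;
import org.apache.catalina.ContainerListener;
import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

/**
 * Added example: keeps a session-ID-keyed map consistent when Tomcat rotates
 * the ID after authentication (session fixation protection).
 *
 * Declare it inside the <Context> element as
 *   <Listener className="example.tomcat.SessionIdChangeTracker"/>
 * and put the class on Tomcat's own class path (for example CATALINA_BASE/lib),
 * because it depends on Tomcat-internal types.
 */
public class SessionIdChangeTracker implements LifecycleListener, ContainerListener {

    /** Hypothetical registry: current session ID -> creation time in ms. */
    private static final Map<String, Long> REGISTRY = new ConcurrentHashMap<>();

    /** To be called from the webapp's HttpSessionListener.sessionCreated(). */
    public static void register(String sessionId) {
        REGISTRY.put(sessionId, System.currentTimeMillis());
    }

    /** To be called from the webapp's HttpSessionListener.sessionDestroyed(). */
    public static boolean unregister(String sessionId) {
        return REGISTRY.remove(sessionId) != null;
    }

    public static int trackedSessions() {
        return REGISTRY.size();
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!(event.getLifecycle() instanceof Context)) {
            return;
        }
        Context context = (Context) event.getLifecycle();
        if (Lifecycle.BEFORE_START_EVENT.equals(event.getType())) {
            // This is the registration step that was missing: without it the
            // context never delivers container events to this object.
            context.addContainerListener(this);
        } else if (Lifecycle.AFTER_STOP_EVENT.equals(event.getType())) {
            // Avoid a second registration when the context is restarted.
            context.removeContainerListener(this);
        }
    }

    @Override
    public void containerEvent(ContainerEvent event) {
        if (!Context.CHANGE_SESSION_ID_EVENT.equals(event.getType())) {
            return;
        }
        // Assumed payload: { oldId, newId }; anything else is ignored.
        Object data = event.getData();
        if (!(data instanceof String[]) || ((String[]) data).length != 2) {
            return;
        }
        String[] ids = (String[]) data;
        Long createdAt = REGISTRY.remove(ids[0]);
        if (createdAt != null) {
            // Re-key the entry so the later destroy event, which carries the
            // new ID, finds and removes it.
            REGISTRY.put(ids[1], createdAt);
        }
    }
}
```

With the entry re-keyed on every change, no state stays bound to the pre-login ID and the map empties again once the sessions time out.
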



Re: JNDIRealm random authentication issue

2016-04-09 Thread Felix Schumacher

On 06.04.2016 at 11:10, Arnaud Mergey wrote:

Hello,

I have a tomcat 8.0.23 configured to authenticate against an Active 
Directory with LDAP realm.


Randomly I have authentication failures with stack trace above.
I did not find anything except an old post mentioning the same issue I 
am facing, with tomcat 6 but with no answers.


I am not yet able to understand what is happening and why so 
far (as it is random and infrequent, but still annoying)


Any idea?

It might be that your application is messing with the jndi environment. 
(Closing Contexts which it should not close, or setting entries in the 
environment it should not set.)


You might want to look at the requests, that are issued shortly before 
the exception starts to show up and inspect your webapp.


Regards,
 Felix



SEVERE [http-nio-443-exec-27] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication
 javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file:  java.naming.factory.initial
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.getURLOrDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.getNameParser(Unknown Source)
    at org.apache.catalina.realm.JNDIRealm.getDistinguishedName(JNDIRealm.java:2683)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1712)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1517)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1465)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1406)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1264)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:192)
    at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:948)
    at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:930)
    at org.apache.catalina.connector.Request.login(Request.java:2623)
    at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1072)
    at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:318)











Re: JSESSIONID changed without notice

2016-04-09 Thread Felix Schumacher

On 07.04.2016 at 17:40, Arno Schäfer wrote:

Hi all,

I have the following problem: we have a very old, somewhat complex webapp 
that runs under tomcat 7.0.54 on Windows.
I have to maintain some functionality and came to a point that I can't 
understand. Some requests have to have an authentication, 
and this is bound to the JSESSIONID. So the idea is to channel these requests 
to a filter and handle the necessary things when a new 
session is created or destroyed. So during a create event I put the ID in a map 
and do some things, and after the destroy I remove it 
from the map. So far, so boring.


When a session gets 'authenticated' its id will change to prevent 
session fixation attacks. If you are interested in the events telling 
you the change you have two possibilities:


1. Use servlet api 3.1 and use a HttpSessionIdListener (which means 
upgrading to tomcat 8 or newer)

2. Use a ContainerListener.

Regards,
 Felix



After I recognized that the map would not become empty even after the session 
timeout was over, I looked a little deeper into that and 
found out that the ID of one session changed during startup one or two times, 
depending on the situation, without activating the 
session listener. So only the first ID was put in the map, but it never got 
the destroy event, because the value of the ID was changed 
in between and the destroy event goes to the new ID!

I added some output to our session filter, which gets all requests, that should 
illustrate my problem. Here it is:

: ===
: Start Tomcat in debug mode on port '8000'...
: ===
Using CATALINA_BASE:   "C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\108000_BL13"
Using CATALINA_HOME:   "C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat"
Using CATALINA_TMPDIR: 
"C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\108000_BL13\temp"
Using JRE_HOME:"C:\SQSPRO~1\103299~1.000\jre\x64\1.8.0"
Using CLASSPATH:   
"C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\bootstrap.jar;
C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\tomcat-juli.jar;C:\SQSProfessional\
10.8.000_BL13\corba\asp\6.3\lib\tomcat-corba.jar;C:\SQSProfessional\10.8.000_BL13\nl\10.8.0\
bin\PPMClient.jar;C:\SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\bootstrap.jar;C:\
SQSProfessional\10.8.000_BL13\wl\10.8.0\tomcat\bin\tomcat-juli.jar"
:
Apr 07, 2016 4:25:22 PM org.apache.catalina.startup.Catalina start
INFORMATION: Server startup in 8439 ms
:

# This is the output from my session filter, which shows the JSESSIONID of 
# every incoming request, the servlet path and whether the session is new or old.
# This protocol is from only one request to 'http://n61l44x1:9452/ppm/index.jsp', 
# waiting a while, closing the browser's tab and waiting again for the session timeout.
#

Session: 'UNKNOWN' in servlet path '/index.jsp'
Session: 'D815B22EC5680EE5F3760D58E33BBF39' created (MaxInactiveInterval = 60) <-- output from the 'create' event from the listener after my 'getSession()'
Session: 'D815B22EC5680EE5F3760D58E33BBF39' in servlet path '/index.jsp' was created. (NEW)
Session: 'D815B22EC5680EE5F3760D58E33BBF39' in servlet path '/index.jsp' was authenticated by 'sra' (NEW)
Apr 07, 2016 4:26:18 PM de.sqs.tomcat.realm.BITRealm authenticate <-- here are two calls to our realm for our authentication in the tomcat, why???
INFORMATION: (tomcat): Try authentification of 'sra'...
Apr 07, 2016 4:26:18 PM de.sqs.tomcat.realm.BITRealm authenticate
INFORMATION: (tomcat): Try authentification of 'sra'...
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/applet.jsp' (OLD) <-- now you see here in output that the JSESSIONID is changed, but no call to destroy/create was made
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/selectworkspace.jsp' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/selectWorkspaceAction.do' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/alive' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/up.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/folder.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/project.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/filterreset.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/doc.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/filteredit.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/clock.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path '/images/icons/backupws.gif' (OLD)
Session: 'F742E60445E91DED73C64FD6D9A8E38A' in servlet path 

Re: Performance regression from 7 to 8

2016-03-09 Thread Felix Schumacher

On 09.03.2016 at 10:12, Tullio Bettinazzi wrote:

I tested with http11.Http11Protocol, http11.Http11NioProtocol and 
http11.Http11Nio2Protocol and the problem reproduces only with 
http11.Http11NioProtocol.
It seems to be a bug of the Nio protocol.
Is it better to use Nio2 or standard? What's the difference?

Maybe Mark's webinar will help you: 
https://www.youtube.com/watch?v=LBSWixIwMmU


On the other hand, now that you can switch the problems on and off on 
the server side, can you try to dig deeper into the problem? Maybe take 
a tcpdump from one client that has problems with the nio connector and 
compare that to a tcpdump from the same client to the nio2 or bio connector?


Have you identified any other commonalities between clients that expose 
problems with the nio connector? Browser, OS, network topology?


Regards,
 Felix


Tks
Tullio



Date: Mon, 7 Mar 2016 16:26:24 +0100
Subject: Re: Performance regression from 7 to 8
From: aterrest...@gmail.com
To: users@tomcat.apache.org

Tullio,

as suggested before by Felix, maybe you should try different connector
configurations (defaults for HTTP connector are different between T7
(blocking) and T8 (non-blocking)) and see if this changes anything.

For example in the server.xml file :

 

and

 


Your code is simple, only buffering and writing to an OutputStream. Don't
know how, but I believe that only the buffering can introduce some delay.

best regards






2016-03-07 15:43 GMT+01:00 Tullio Bettinazzi :


As I already explained, it is not a reproducible problem.
I tested the testcase in my environment and I reproduced the problem on
some clients but not on all clients: the same clients where I noticed the
problem in the real application.
I'm not able to understand what the relevant difference among them is (not
OS version, not network, not browser).
The problem disappears using tomcat 7.
Tks
Tullio


Subject: Re: Performance regression from 7 to 8
To: users@tomcat.apache.org
From: ma...@apache.org
Date: Mon, 7 Mar 2016 11:52:40 +

On 06/03/2016 08:45, Tullio Bettinazzi wrote:

I tested with 8.20 and 8.32
With nothing changed I meant simply that results didn't change.

I can't repeat the problem you are describing with your provided test
case.

I ran:
- ab -k -n 1000 -c 1 localhost:8080/user002/Test
- latest 8.0.x code
- your test case with and without setting the content length (as an
   HTTP/1.0 client ab needs the content length to use keep-alive with
   large response bodies)

I saw average response times of 6ms with a maximum of 9ms.
The content length header made no difference (apart from keep-alive
being used as expected).

If the problem you are describing was widespread I'd expect to see other
users reporting this on the mailing list.

Given that:
- I can't repeat this
- Other users aren't reporting it
- Only you are seeing the issue

this looks like an issue with your environment rather than with Tomcat.
I'd recommend using tools like Wireshark and YourKit to find out exactly
what is going on.

Mark



Tks
Tullio


Subject: Re: Performance regression from 7 to 8
To: users@tomcat.apache.org
From: ma...@apache.org
Date: Sat, 5 Mar 2016 18:40:36 +

On 04/03/2016 13:19, Tullio Bettinazzi wrote:

Done and nothing changed.

What has changed is that you have now provided a test case that someone
else can run easily and confirm, or not, your findings.


Any suggestion ?

Before anyone spends time looking at this the other question I don't see
answered in this thread is "Exactly which Tomcat 8 version were you
testing?". If it isn't the latest then you'll need to retest to
confirm the issue hasn't already been fixed.

Mark


Here the code.

package axioma.rubik.engine.web.servlet;

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet(name="Test8", description="Direct update of data", urlPatterns={"/Test8"})
public class Test8Servlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            fai(response);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public void fai(HttpServletResponse response) throws IOException {
        ByteArrayOutputStream bbs = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bbs);
        for(int i = 0; i < 40; i++) {
            bos.write(96);
        }
        bos.flush();
        bbs.writeTo(response.getOutputStream());
    }
}



RE: Performance regression from 7 to 8

2016-03-06 Thread Felix Schumacher


On 6 March 2016 13:07:39 CET, Tullio Bettinazzi wrote:
>What do you mean with :
>Have you tried switching the connectors on the tomcat side?

The http connector has different implementations. See
http://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Felix

> ???
>Tks
>
>
>> Subject: Re: Performance regression from 7 to 8
>> To: users@tomcat.apache.org
>> From: felix.schumac...@internetallee.de
>> Date: Sat, 5 Mar 2016 14:00:11 +0100
>> 
>> On 05.03.2016 at 12:34, Tullio Bettinazzi wrote:
>> > This is not a memory problem because, otherwise, I'll have the same
>problem on all client systems.
>> > It's a communication related problem between server and clients but
>not strictly a network problem because, otherwise, two clients,
>connected to the same cable would perform in the same way.
>> If it is stable slow on one client, then you could take threaddumps
>on 
>> the tomcat side and look what it is doing. On the network side, you 
>> could look at a tcpdump.
>> 
>> Have you tried switching the connectors on the tomcat side?
>> 
>> Felix
>> > Tks
>> > Tullio
>> >
>> >> Subject: Re: Performance regression from 7 to 8
>> >> To: users@tomcat.apache.org
>> >> From: felix.schumac...@internetallee.de
>> >> Date: Sat, 5 Mar 2016 11:13:58 +0100
>> >>
>> >> On 04.03.2016 at 14:19, Tullio Bettinazzi wrote:
>> >>> Done and nothing changed.
>> >>> Any suggestion ?
>> >> It could be related to memory usage.
>> >>
>> >> Tomcat 8 can use more memory than tomcat 7 (See
>> >>
>https://mail-archives.apache.org/mod_mbox/tomcat-users/201602.mbox/%3ccacbju2wmw7mntevb6hwjqdfzsjpmfiuw6k_dn1u0ufh0haj...@mail.gmail.com%3E)
>> >>
>> >> So try to look at your memory consumption and adjust the limits
>for the
>> >> jvm accordingly. For monitoring, you can enable gc logging, or use
>> >> something like jstat, jconsole, jvisualvm, jmc or any other
>monitoring tool.
>> >>
>> >> Mark has worked on the memory issue and lowered consumption for
>newer
>> >> versions. I think they will be in the next release.
>> >>
>> >> Regards,
>> >>Felix
>> >>> Here the code.
>> >>>
>> >>> package axioma.rubik.engine.web.servlet;
>> >>>
>> >>> import java.io.*;
>> >>> import javax.servlet.ServletException;
>> >>> import javax.servlet.annotation.WebServlet;
>> >>> import javax.servlet.http.*;
>> >>>
>> >>> @WebServlet(name="Test8", description="Direct update of data",
>urlPatterns={"/Test8"})
>> >>> public class Test8Servlet extends HttpServlet {
>> >>>   
>> >>>   private static final long serialVersionUID = 1L;
>> >>>
>> >>>   @Override
>> >>>   protected void doGet(HttpServletRequest request,
>HttpServletResponse response) throws ServletException, IOException {
>> >>>   try {
>> >>>   fai(response);
>> >>>   } catch (Exception ex) {
>> >>>   ex.printStackTrace();
>> >>>   }
>> >>>   }
>> >>>
>> >>>   public void fai(HttpServletResponse response) throws
>IOException {
>> >>>   ByteArrayOutputStream bbs = new
>ByteArrayOutputStream();
>> >>>   BufferedOutputStream bos = new
>BufferedOutputStream(bbs);
>> >>>   for(int i = 0; i < 40; i++) {
>> >>>   bos.write(96);
>> >>>   }
>> >>>   bos.flush();
>> >>>   bbs.writeTo(response.getOutputStream());
>> >>>   }
>> >>> }
>> >>>
>>  Date: Fri, 4 Mar 2016 12:58:02 +0100
>>  Subject: Re: Performance regression from 7 to 8
>>  From: r...@apache.org
>>  To: users@tomcat.apache.org
>> 
>>  2016-03-04 12:42 GMT+01:00 Mark Thomas :
>> 
>> > On 04/03/2016 11:17, Tullio Bettinazzi wrote:
>> >> This servlet reproduces the problem perfectly.
>> > Getting better but still some room for improvement.
>> > - You don't need to implement doPost()
>> > - You don't need to call System.gc() (or if you do look there
>for
>> > the problem)
>> >
>>  Yes, it's on every get and will cause a major concurrency issue.
>> 
>> 
>> > - You do need to remove the use of the ComunicationChannelHttp
>and
>> > Cronometro classes (and if that fixes the problem look
>there
>> > for the root cause)
>> > - The try/catch in doGet() should not be necessary either
>> >
>>  Also writing individual bytes is more costly even if there's
>some buffering.
>> 
>>  Rémy
>> 
>> > Mark
>> >
>> >> package axioma.rubik.engine.web.servlet;
>> >>
>> >> import java.io.*;
>> >> import javax.servlet.ServletException;
>> >> import javax.servlet.annotation.WebServlet;
>> >> import javax.servlet.http.*;
>> >> import axioma.rubik.engine.web.ComunicationChannelHttp;
>> >> import it.axioma.rubik.engine.Cronometro;
>> >>
>> >> @WebServlet(name="Test8", description="Direct update of data",
>> > urlPatterns={"/Test8"})
>> >> public class Test8Servlet extends HttpServlet {
>> >>
>> >>   private static final long 

Re: Performance regression from 7 to 8

2016-03-05 Thread Felix Schumacher

On 05.03.2016 at 12:34, Tullio Bettinazzi wrote:

This is not a memory problem because, otherwise, I'll have the same problem on 
all client systems.
It's a communication related problem between server and clients but not 
strictly a network problem because, otherwise, two clients, connected to the 
same cable would perform in the same way.

If it is stable slow on one client, then you could take threaddumps on 
the tomcat side and look what it is doing. On the network side, you 
could look at a tcpdump.


Have you tried switching the connectors on the tomcat side?

Felix

Tks
Tullio


Subject: Re: Performance regression from 7 to 8
To: users@tomcat.apache.org
From: felix.schumac...@internetallee.de
Date: Sat, 5 Mar 2016 11:13:58 +0100

On 04.03.2016 at 14:19, Tullio Bettinazzi wrote:

Done and nothing changed.
Any suggestion ?

It could be related to memory usage.

Tomcat 8 can use more memory than tomcat 7 (See
https://mail-archives.apache.org/mod_mbox/tomcat-users/201602.mbox/%3ccacbju2wmw7mntevb6hwjqdfzsjpmfiuw6k_dn1u0ufh0haj...@mail.gmail.com%3E)

So try to look at your memory consumption and adjust the limits for the
jvm accordingly. For monitoring, you can enable gc logging, or use
something like jstat, jconsole, jvisualvm, jmc or any other monitoring tool.

Mark has worked on the memory issue and lowered consumption for newer
versions. I think they will be in the next release.

Regards,
   Felix

Here the code.

package axioma.rubik.engine.web.servlet;

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet(name="Test8", description="Direct update of data", urlPatterns={"/Test8"})
public class Test8Servlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            fai(response);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public void fai(HttpServletResponse response) throws IOException {
        ByteArrayOutputStream bbs = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bbs);
        for(int i = 0; i < 40; i++) {
            bos.write(96);
        }
        bos.flush();
        bbs.writeTo(response.getOutputStream());
    }
}


Date: Fri, 4 Mar 2016 12:58:02 +0100
Subject: Re: Performance regression from 7 to 8
From: r...@apache.org
To: users@tomcat.apache.org

2016-03-04 12:42 GMT+01:00 Mark Thomas :


On 04/03/2016 11:17, Tullio Bettinazzi wrote:

This servlet reproduces the problem perfectly.

Getting better but still some room for improvement.
- You don't need to implement doPost()
- You don't need to call System.gc() (or if you do look there for
the problem)


Yes, it's on every get and will cause a major concurrency issue.



- You do need to remove the use of the ComunicationChannelHttp and
Cronometro classes (and if that fixes the problem look there
for the root cause)
- The try/catch in doGet() should not be necessary either


Also writing individual bytes is more costly even if there's some buffering.

Rémy


Mark


package axioma.rubik.engine.web.servlet;

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import axioma.rubik.engine.web.ComunicationChannelHttp;
import it.axioma.rubik.engine.Cronometro;

@WebServlet(name="Test8", description="Direct update of data", urlPatterns={"/Test8"})
public class Test8Servlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        this.doGet(request,response);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            fai(response);
            System.gc();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        ComunicationChannelHttp.CONTEXT_MANAGER.clean();
    }

    public void fai(HttpServletResponse response) {
        Cronometro crono = new Cronometro();
        ByteArrayOutputStream bbs = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bbs);
        try {
            for(int i = 0; i < 40; i++) {
                bos.write(96);
            }
            bos.flush();
            System.out.println("Step 1 : "+crono.elapsed());
            bbs.writeTo(response.getOutputStream());
            System.out.println("Step 1 : "+crono.elapsed());
        } catch (IOException ex) {
            ex.printStackTrace();
        }
    }

}




Re: Windows Authentication

2016-03-05 Thread Felix Schumacher

On 04.03.2016 at 10:11, Chanchal Kariwala wrote:

I tried what you asked and I have observed the following

1. Browser sends a request for the resource
Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
Headers

2. Browser sends a new request with the following in Request Headers
Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
Response Headers

3. At this point the browser shows HTTP Basic Auth form and sends the
following in Headers
Authorization: Negotiate
YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
value, much much longer than the first one*)

Now the Server replies with HTTP 200 and the following in headers
WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly

So yes WIA is failing..
Can you help me out with the next step in debugging?

You can enable debugging for kerberos in the jvm and you can enable 
debug logs for the SpnegoAuthenticator in tomcat to get more information.


To enable debug log messages in the jvm add

-Dsun.security.krb5.debug=true

to CATALINA_OPTS. The log messages will appear in catalina.out and are 
quite verbose.


To enable debug log messages for SpnegoAuthenticator, add

org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE

to conf/logging.properties in your CATALINA_BASE directory.

Regards,
 Felix






Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) 
wrote:


On 04.03.2016 07:16, Chanchal Kariwala wrote:


I am using Tomcat 8.0.32 and I have followed the guide given at

 - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
 - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w

Windows AD Auth is working i.e. when I access the site, I am asked for
credentials and when I enter the correct credentials, the restricted
resource is displayed.

However my question is why the browser is asking for credentials? Why
isn't it accessing TGT Cache in the OS to fetch the user's credentials?

I have enabled Integrated Windows Auth in IE Settings. I have added the
site in Intranet Sites and set "Logon by Current User" in Custom Level
setting for Intranet.




Hi.

The real *key* to debugging such issues, is to use some plugin or add-on
to the browser, to enable the capture and visualisation of the HTTP dialog
back and forth between the browser and the server.
Since you are using IE, I suggest "Fiddler2".
Install it, close your browser, re-open the browser, start Fiddler2 in
capture mode, and then do an access to the webserver.  When prompted for an
id/pw, enter them.
Then stop Fiddler2 and examine the HTTP exchanges, starting with your
initial request to the webserver.

You are correct in thinking that, normally, the login should happen
automatically in the background, and you should never see this browser
login dialog.
WIA authentication is a multiple-step process between the browser and the
webserver, and in the background between the webserver and a Domain
Controller.
That the login dialog appears in your case, means :
1) that the integrated WIA failed
2) that the Domain is configured to allow HTTP Basic authentication in a
second step, after WIA fails.  That is the login dialog that you see.

So, something is not working as it should in the WIA step.
But to know exactly what, requires examining the HTTP exchanges.






Re: Performance regression from 7 to 8

2016-03-05 Thread Felix Schumacher

On 04.03.2016 at 14:19, Tullio Bettinazzi wrote:

Done and nothing changed.
Any suggestion ?

It could be related to memory usage.

Tomcat 8 can use more memory than tomcat 7 (See 
https://mail-archives.apache.org/mod_mbox/tomcat-users/201602.mbox/%3ccacbju2wmw7mntevb6hwjqdfzsjpmfiuw6k_dn1u0ufh0haj...@mail.gmail.com%3E)


So try to look at your memory consumption and adjust the limits for the 
jvm accordingly. For monitoring, you can enable gc logging, or use 
something like jstat, jconsole, jvisualvm, jmc or any other monitoring tool.


Mark has worked on the memory issue and lowered consumption for newer 
versions. I think they will be in the next release.


Regards,
 Felix

Here the code.

package axioma.rubik.engine.web.servlet;

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet(name="Test8", description="Direct update of data", urlPatterns={"/Test8"})
public class Test8Servlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            fai(response);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public void fai(HttpServletResponse response) throws IOException {
        ByteArrayOutputStream bbs = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bbs);
        for(int i = 0; i < 40; i++) {
            bos.write(96);
        }
        bos.flush();
        bbs.writeTo(response.getOutputStream());
    }
}


Date: Fri, 4 Mar 2016 12:58:02 +0100
Subject: Re: Performance regression from 7 to 8
From: r...@apache.org
To: users@tomcat.apache.org

2016-03-04 12:42 GMT+01:00 Mark Thomas :


On 04/03/2016 11:17, Tullio Bettinazzi wrote:

This servlet reproduces the problem perfectly.

Getting better but still some room for improvement.
- You don't need to implement doPost()
- You don't need to call System.gc() (or if you do look there for
   the problem)


Yes, it's on every get and will cause a major concurrency issue.



- You do need to remove the use of the ComunicationChannelHttp and
   Cronometro classes (and if that fixes the problem look there
   for the root cause)
- The try/catch in doGet() should not be necessary either


Also writing individual bytes is more costly even if there's some buffering.

Rémy


Mark


package axioma.rubik.engine.web.servlet;

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import axioma.rubik.engine.web.ComunicationChannelHttp;
import it.axioma.rubik.engine.Cronometro;

@WebServlet(name="Test8", description="Direct update of data", urlPatterns={"/Test8"})
public class Test8Servlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        this.doGet(request,response);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            fai(response);
            System.gc();
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        ComunicationChannelHttp.CONTEXT_MANAGER.clean();
    }

    public void fai(HttpServletResponse response) {
        Cronometro crono = new Cronometro();
        ByteArrayOutputStream bbs = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bbs);
        try {
            for(int i = 0; i < 40; i++) {
                bos.write(96);
            }
            bos.flush();
            System.out.println("Step 1 : "+crono.elapsed());
            bbs.writeTo(response.getOutputStream());
            System.out.println("Step 1 : "+crono.elapsed());
        } catch (IOException ex) {
            ex.printStackTrace();
        }
    }

}



Subject: Re: Performance regression from 7 to 8
To: users@tomcat.apache.org
From: ma...@apache.org
Date: Fri, 4 Mar 2016 10:38:30 +

On 04/03/2016 10:24, Tullio Bettinazzi wrote:

The problem is all in this small piece of code
    ByteArrayOutputStream bbs = new ByteArrayOutputStream();
    BufferedOutputStream bos = new BufferedOutputStream(bbs);
    trans.eseguiTrasformazioneOut(bos);
    try {
        bos.flush();
        initReponse(xpFileTypeOut.getMimeType(), xpFilename);
        bbs.writeTo(getOutputStream());
    } catch (IOException ex) {
        Messaggi.getErrori().getLogger().error("Errore in emettiFile ", ex);
    }
The yellow instruction takes 100 ms in Tomcat7, quite stable on all
clients, in Tomcat8 it takes from 

Re: [PossibleSpam] Re: Tomcat Rewrite Valve

2016-02-11 Thread Felix Schumacher

On 10.02.2016 at 15:23, Rémy Maucherat wrote:

2016-02-10 15:06 GMT+01:00 Joe Aldrich :


On 29.01.2016 15:34, Joe Aldrich wrote:

Hello,

I am using Tomcat 8.0.28 on Windows 10 and am having a problem with
the Rewrite Valve. I must include the escaped form of an ampersand
'%26' in the output URL.

My rewrite.config has the following:

RewriteCond %{QUERY_STRING} ^(.*&)?SCID=8(&.*)?$
RewriteRule ^/(product|specs|avail-options|avail-category)\.php$
/Product.action?select=Model+4+\%26+4C [R=301,L,NE]

I am escaping the percent sign with a backslash, and I have tried
using the NE flag. However, Tomcat always is treating the percent
symbol as a back reference to the above RewriteCond. If I don't have a
second capture group, then I get a 500 error from a
NullPointerException.

The current tomcat code does not allow escaping of percent or dollar sign.

The parser just looks for percent (or dollar) and applies it either as a
backreference (when it is followed by a digit), or a map.

I have not found any indication, that escaping is possible with httpd.
Could you provide a link to the doc, that states it is possible?

In Apache mod_rewrite it is possible per this documentation:
https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#quoting


Ok, I added an item for that since the mod_rewrite behavior should be
implemented:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58988
The fix will be included in 9.0.0.M4 and 8.0.33. The syntax will be the 
same as with httpd 2.2 using a backslash to quote a percent sign.


@Joe, could you test the current trunk for 8 or 9?

Regards,
 Felix

Rémy




If you are willing to build tomcat yourself, you could try the attached
patch, which will allow escaping of percent signs by specifying them as %%.

Your example would thus look like
"/Product.action?select=Model+4+%%26+4C".

Regards,
  Felix

I will look into applying the patch as I need to be able to redirect to
URLs that contain %26 in the query string.
Much thanks,
Joe


I was working with the documentation on this page:

http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html

The desired output URL would be:

http://www.domain.com/Product.html?select=Model+4+%26+4C

In the example given for the NE flag on the page referenced above, the
percent sign is escaped by a backslash to prevent it from being
treated as a back-reference. This is not working for me. Instead I
get:

http://www.domain.com/Product.action?select=Model+4+\null6+4C

Where the "null" is due to an empty second back-reference.  I believe
this is a bug in that it is not escaping the percent sign (making it
impossible to create the %26 in the redirect URL). Or am I
misunderstanding something here?

As a side question, shouldn't an empty back-reference be blank instead
of adding 'null' to the URL?

Joseph B Aldrich


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
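
The behaviour reported in this thread, as an added example that is not from the thread or from Tomcat's source: a simplified model (the class and method names are hypothetical) of how a scanner that treats every % followed by a digit as a back-reference turns \%26 into \null6, next to a variant that honours the backslash escape. Expansion of %{...} server variables and $N references is left out.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Simplified model of rewrite substitution expansion; not Tomcat's Substitution class. */
public class SubstitutionModel {

    /**
     * Expands %N back-references against the last RewriteCond match.
     * honorEscapes=false: a backslash is ordinary text and an unmatched group
     * is appended as the string "null" (the behaviour reported in the thread).
     * honorEscapes=true: "\%" yields a literal '%', an unmatched group expands
     * to "" and a '%' that starts nothing recognisable is rejected.
     * %{VAR} sequences are copied through unexpanded in both modes.
     */
    static String expand(String sub, Matcher cond, boolean honorEscapes) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < sub.length()) {
            char c = sub.charAt(i);
            // Bounds check first, so a trailing '%' or '\' never reads past the end.
            char next = i + 1 < sub.length() ? sub.charAt(i + 1) : '\0';
            if (honorEscapes && c == '\\' && next == '%') {
                out.append('%');              // escaped percent: emit it verbatim
                i += 2;
            } else if (c == '%' && Character.isDigit(next)) {
                int n = Character.digit(next, 10);
                String group = n <= cond.groupCount() ? cond.group(n) : null;
                if (honorEscapes) {
                    out.append(group == null ? "" : group);
                } else {
                    out.append(group);        // append((String) null) writes "null"
                }
                i += 2;
            } else if (c == '%' && honorEscapes && next != '{') {
                throw new IllegalArgumentException(sub + ": '%' at index " + i
                        + " is neither a back-reference, a variable nor escaped");
            } else {
                out.append(c);
                i++;
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: the RewriteCond pattern and rule target quoted in the
        // thread, matched against a query string that leaves group 2 unmatched.
        Matcher cond = Pattern.compile("^(.*&)?SCID=8(&.*)?$").matcher("SCID=8");
        if (!cond.matches()) {
            throw new IllegalStateException("sample query string should match");
        }
        String target = "/Product.action?select=Model+4+\\%26+4C";

        System.out.println("no escaping : " + expand(target, cond, false));
        System.out.println("with escapes: " + expand(target, cond, true));
    }
}
```
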






Re: Tomcat Rewrite Valve

2016-02-10 Thread Felix Schumacher

On 29.01.2016 15:34, Joe Aldrich wrote:

Hello,

I am using Tomcat 8.0.28 on Windows 10 and am having a problem with
the Rewrite Valve. I must include the escaped form of an ampersand
'%26' in the output URL.

My rewrite.config has the following:

RewriteCond %{QUERY_STRING} ^(.*&)?SCID=8(&.*)?$
RewriteRule ^/(product|specs|avail-options|avail-category)\.php$
/Product.action?select=Model+4+\%26+4C [R=301,L,NE]

I am escaping the percent sign with a backslash, and I have tried
using the NE flag. However, Tomcat always is treating the percent
symbol as a back reference to the above RewriteCond. If I don't have a
second capture group, then I get a 500 error from a
NullPointerException.


The current tomcat code does not allow escaping of percent or dollar 
sign.


The parser just looks for percent (or dollar) and applies it either as a 
backreference (when it is followed by a digit), or a map.


I have not found any indication, that escaping is possible with httpd. 
Could you provide a link to the doc, that states it is possible?


If you are willing to build tomcat yourself, you could try the attached 
patch, which will allow escaping of percent signs by specifying them as 
%%.


Your example would thus look like 
"/Product.action?select=Model+4+%%26+4C".


Regards,
 Felix



I was working with the documentation on this page:

http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html

The desired output URL would be:

http://www.domain.com/Product.html?select=Model+4+%26+4C

In the example given for the NE flag on the page referenced above, the
percent sign is escaped by a backslash to prevent it from being
treated as a back-reference. This is not working for me. Instead I
get:

http://www.domain.com/Product.action?select=Model+4+\null6+4C

Where the "null" is due to an empty second back-reference.  I believe
this is a bug in that it is not escaping the percent sign (making it
impossible to create the %26 in the redirect URL). Or am I
misunderstanding something here?

As a side question, shouldn't an empty back-reference be blank instead
of adding 'null' to the URL?

Joseph B Aldrich
Junior Java Developer
P: 800.981.1540 | F: 715.254.0996
4848 Industrial Park Rd. Stevens Point. 54481


diff --git a/java/org/apache/catalina/valves/rewrite/Substitution.java 
b/java/org/apache/catalina/valves/rewrite/Substitution.java
index 0f84792..fc23b92 100644
--- a/java/org/apache/catalina/valves/rewrite/Substitution.java
+++ b/java/org/apache/catalina/valves/rewrite/Substitution.java
@@ -186,7 +186,7 @@ public class Substitution {
 newElement.n = Character.digit(sub.charAt(percentPos + 1), 
10);
 pos = percentPos + 2;
 elements.add(newElement);
-} else {
+} else if (sub.charAt(percentPos + 1) == '{'){
 // %: server variable as %{variable}
 SubstitutionElement newElement = null;
 int open = sub.indexOf('{', percentPos);
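
Review bot: the new condition "else if (sub.charAt(percentPos + 1) == '{')" reads one character past the percent sign with no length check in the visible context, so a substitution that ends in a bare % would raise StringIndexOutOfBoundsException rather than the IllegalArgumentException the next hunk introduces. Unless a guard above this context already covers that case, test percentPos + 1 < sub.length() first and route the failure to the same error message. Style: put a space between ")" and "{" to match the other branches.
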
@@ -218,6 +218,13 @@ public class Substitution {
 }
 pos = close + 1;
 elements.add(newElement);
+} else if (sub.charAt(percentPos + 1) == '%') {
+StaticElement percentSign = new StaticElement();
+percentSign.value = "%";
+elements.add(percentSign);
+pos = percentPos + 2;
+} else {
+throw new IllegalArgumentException(sub + ": Missing digit, 
curly brace or percent sign.");
 }
 }
 }
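
Review bot: the final else now throws IllegalArgumentException for any % that is not followed by a digit, a curly brace or another %, whereas before this patch every non-digit case fell into the %{variable} branch, so an existing rewrite.config with a stray % will start failing when the rule is parsed. That stricter behaviour and the new %% syntax both need an entry in the changelog and the rewrite documentation, and the message would be easier to act on if it included percentPos. The thread says the dollar sign is scanned the same way; if so, the matching escape for $ belongs in the same patch.
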
diff --git a/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java 
b/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
index 47f9440..070519c 100644
--- a/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
+++ b/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
@@ -33,6 +33,11 @@ public class TestRewriteValve extends TomcatBaseTest {
 }
 
 @Test
+public void testPercentSign() throws Exception {
+doTestRewrite("RewriteRule ^(.*) /a/%%5A", "/", "/a/%255A");
+}
+
+@Test
 public void testNoopRewrite() throws Exception {
 doTestRewrite("RewriteRule ^(.*) $1", "/a/%255A", "/a/%255A");
 }
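
Review bot: testPercentSign only covers the encoded path, where the literal % produced by %% is expected to come out as %25 (/a/%255A); the case that prompted the patch, a redirect that must deliver %26 unencoded with the NE flag, is not exercised. Add a case for that path if doTestRewrite can express it, plus negative cases for the new IllegalArgumentException: a % followed by a letter, and a % as the last character of the substitution.
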


Re: JDBC Connection pooling

2016-01-26 Thread Felix Schumacher

On 22.01.2016 at 12:35, R. Sriram wrote:

Hello I am trying to establish connection pooling.
Should I be using dbcp?
If you want to use db connection pooling, it is probably a good idea to 
use the pooling method the container gives you, as it will be used by a 
lot of people and therefore has gotten a lot of testing.


In the case of tomcat that would be a copy of commons dbcp(2).

Regards,
 Felix






Re: [ANN] Apache Tomcat 8.0.29 available

2015-11-25 Thread Felix Schumacher


On 25 November 2015 20:24:17 CET, Violeta Georgieva wrote:
>Hi,
>
>2015-11-25 20:42 GMT+02:00 David Balažic :
>>
>> Typo on http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> "TLSv1.0 is no an alias"
>>
>> Should probably be "TLSv1.0 is not an alias"
>
>I fixed it.

I believe it should have been "TLSv1.0 is no(w) an alias ... and will no(t) 
work ..."

Regards, 
Felix

>Thanks,
>Violeta
>
>> Regards,
>> David Balažic
>>
>> > -Original Message-
>> > From: Mark Thomas [mailto:ma...@apache.org]
>> > Sent: 25. November 2015 17:22
>> > To: users@tomcat.apache.org
>> > Cc: d...@tomcat.apache.org; annou...@apache.org;
>> > annou...@tomcat.apache.org
>> > Subject: [ANN] Apache Tomcat 8.0.29 available
>> > Importance: Low
>> >
>> > The Apache Tomcat team announces the immediate availability of
>Apache
>> > Tomcat 8.0.29.
>> >
>> > Apache Tomcat 8 is an open source software implementation of the
>Java
>> > Servlet, JavaServer Pages, Java Unified Expression Language and
>Java
>> > WebSocket technologies.
>> >
>> > Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28
>as
>> > well as other enhancements and changes. The notable changes since
>8.0.28
>> > include:
>> >
>> > - Add an option to control (per context) quoting of EL expressions
>in
>> >   JSP attributes
>> >
>> > - Correct a regression in the fix for 56777 that added support for
>> >   URIs in config file locations
>> >
>> > - Add a new RestCsrfPreventionFilter that provides basic CSRF
>> >   protection for REST APIs
>> >
>> > -  Use instance manager for WebSocket server endpoint instances
>> >
>> >
>> > Please refer to the change log for the complete list of changes:
>> > http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>> >
>> > Downloads:
>> > http://tomcat.apache.org/download-80.cgi
>> >
>> > Migration guides from Apache Tomcat 5.5.x, 6.0.x and 7.0.x:
>> > http://tomcat.apache.org/migration.html
>> >
>> > Enjoy!
>> >
>> > - The Apache Tomcat team
>> >
>> >



Re: Cannot load JDBC driver class 'oracle.jdbc.driver.OracleDriver '"

2015-11-10 Thread Felix Schumacher


On 10 November 2015 15:06:09 CET, Simon Kepp Nielsen wrote:
>Hi all,
>
>I've tried following the instructions in
>https://tomcat.apache.org/tomcat-7.0-doc/jndi-datasource-examples-howto.html
>to add an Oracle DataSource to my Tomcat 7.0.65 installation. The
>relevant contents of my $CATALINA_HOME\conf\context.xml is:

You probably don't want to change the context of all your webapps. 
conf/catalina/localhost/YOURWEBAPP.xml is a better place. 

>type="javax.sql.DataSource" maxActive="10" maxIdle="5" maxWait="1"
>username="sin" password="hidden"
>driverClassName="oracle.jdbc.driver.OracleDriver " logAbandoned="true"
>url="jdbc:oracle:thin:@pfacddbora01:1521:TESTDB"/>
>
>I have added ojdbc6.jar to $CATALINA_HOME\lib, but when I access the
>test jsp page, I get the following error:
>javax.servlet.ServletException: javax.servlet.jsp.JspException: Unable
>to get connection, DataSource invalid:
>"org.apache.tomcat.dbcp.dbcp.SQLNestedException: Cannot load JDBC
>driver class 'oracle.jdbc.driver.OracleDriver '"

It is probably the space after OracleDriver.

Try to remove it and see what happens. 

Regards, 
Felix 
>
>Full error page attached for details. Can anybody explain, what is
>wrong, and how to fix this. I am quite baffled by this error, as the
>Jar-file containing the JDBC driver, including the class it complains
>about is in the tomcat lib dir, which is also, where the dbcp jars are
>found.
>
>Platform info:
>Tomcat 7.0.65
>Java 1.8.0_45
>Windows 7 x64
>
>
>
>
>Simon Kepp Nielsen
>IT Infrastructure Manager - IT Operations
>M: 30 52 77 07 - E: s...@pfa.dk
>



Re: Apache Giving HTTP 505 Error While Contacting it through Oracle database

2015-10-08 Thread Felix Schumacher

On 08.10.2015 at 10:38, Ankur Gupta wrote:

This is my SMS sending procedure where mobile number and body of msg is
passed.

Then concatenating all these values a URL is formed .

URL hit to apache server where .jsp page is made to send SMS via third
vendor.

This apache server is just a mediator between database and third vendor

Problem is that when the same URL is accessed through browser then page
runs but when same thing is accessed by the procedure then
DBMS_OUTPUT.PUT_LINE('HTTP response status CODE: ' || resp.status_code);
gives ‘505’ error and UTL_HTTP.READ_TEXT(resp,v_msg,null);
gives end of body reached.

So you are basically asking, how to connect from your pl/sql procedure 
within oracle to tomcat via a proxy?


I have never done such a thing, but I would look at a few things.

Do the requests reach tomcat at all?
If so, are there any errors logged?

Can you find the requests in your proxy logs?

And since http status 505 points to a http-version mismatch, I would try 
to omit it from BEGIN_REQUEST (defaults to null).


Regards,
 Felix




Ex of url :-
http://10.xxx.xx.xx:/examples/trysms.jsp?mobileNumber=99=HELLO WORLD



CREATE OR REPLACE Procedure CHANNELG.SMS_headers_V1
(
mob in varchar2,
msgg in varchar2
)
AS
req UTL_HTTP.REQ;
resp UTL_HTTP.RESP;
name varchar2(256);
value varchar2(5000);
value1 varchar2(1024);
v_msg varchar2(32767);
output_table DBMS_OUTPUT.CHARARR;
num_lines number := 500;
URL varchar2(500):='http://10.xxx.xx.xx:/examples/.jsp?mobileNumber='||mob||'='||msgg;
l_clob clob;
id number;
BEGIN
  select nvl(max(ID),0)+1 into id from SMS_STATUS;
  insert into SMS_STATUS(ID,MOBILE_NUMBER,SENT_STATUS) values(id,mob,'Y');
  DBMS_LOB.CREATETEMPORARY(l_clob,false);
  UTL_HTTP.SET_PROXY('http://10.xxx.xx.xx:);
  req := UTL_HTTP.BEGIN_REQUEST(URL,'POST','HTTP/1.1');
  --UTL_HTTP.SET_HEADER(req,'Content-Type','text/html;charset=ISO-8859-1');
  UTL_HTTP.SET_HEADER(req,'User-Agent', 'Mozilla/4.76');
  UTL_HTTP.SET_HEADER(req,'Content-Length','0');
  resp:= UTL_HTTP.GET_RESPONSE(req);
  DBMS_OUTPUT.PUT_LINE('HTTP response status CODE: ' || resp.status_code);
  DBMS_OUTPUT.PUT_LINE('HTTP RESPONSE reason Pharse: ' || resp.reason_phrase);
  for i in 1..UTL_HTTP.GET_HEADER_COUNT(resp)
  LOOP
    UTL_HTTP.GET_HEADER(resp,i,name,value);
    DBMS_OUTPUT.PUT_LINE(name || ':' || value);
  END LOOP;
  UTL_HTTP.READ_TEXT(resp,v_msg,null);
  DBMS_OUTPUT.PUT_LINE('v_msg-' || v_msg);
  DBMS_LOB.WRITEAPPEND(l_clob,length(v_msg),v_msg);
  DBMS_OUTPUT.GET_LINES(output_table,num_lines);
  DELETE FROM CLOB_TEST;
  insert into clob_test values(l_clob);
  select regexp_substr(substr(data,108,35),'[^,]+',1,3) INTO value1 from clob_test;
  update SMS_STATUS set DELIVERY_STATUS= value1 where ID=id and mobile_number = mob  ;
  --DBMS_OUTPUT.PUT_LINE('LENGTH OF MSG ' || length(v_msg));
  --value1 := UTL_HTTP.REQUEST(URL);
  --DBMS_OUTPUT.PUT_LINE('value' || value1);
  UTL_HTTP.END_RESPONSE(resp);
END;
/







Re: Tomcat access log customization

2015-09-13 Thread Felix Schumacher

On 08.09.2015 at 12:31, Eric Tang wrote:

Dear Tomcat support,

I am a developer working on Java applications and have been using different
containers and deployment platforms. I would like to have a question on the
access logs.

The access logs of Tomcat are configured in $TOMCAT_HOME/conf/server.xml,
the "Valve" attribute
with className="org.apache.catalina.valves.AccessLogValve". The format of
log is governed by the pattern expression, referenced in the documentation
of Tomcat (TOMCAT_URI/config/valve.html).

Is it possible to format the log with customized field name and string
contents? I've been looking for answer in the web but no clear answer is
found.

Could you provide samples of such customized fields you want to add?

Regards,
 Felix

I read through the usage / developer docs and source codes of Tomcat and
find some clues. Would such require modifications of Tomcat source codes:

Editing "protected AccessLogElement createAccessLogElement()" to add new
pattern items in the switch-case flow for any new field-value pairs, and
implement new element class(es) for AccessLogValue.

Could you please kindly help to advise?
Thank you.

Eric






