Re: manager app, Complete Server Status, not shown list of NIO threads
Hi, Dne 05.12.2018 v 16:39 Christopher Schultz napsal(a): -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jan, On 12/5/18 06:59, Jan Vávra wrote: Hi, Dne 04.12.2018 v 17:49 Christopher Schultz napsal(a): Jan, On 12/4/18 10:10, Jan Vávra wrote: Hello, I'm using Apache Tomcat/8.5.35, jvm 1.8.0_192-b12, Windows Server 2012 R2 and at Complete Server Status page I can see list of all http-nio threads and I can see a header of ajp-nio threads. But there is displayed only a label Max threads: and nothing more. In the localhost.log is an exception: 04-Dec-2018 10:31:38.109 SEVERE [96] org.apache.catalina.core.StandardHostValve.invoke Exception Processing null java.lang.NullPointerException at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrappe rVa lve.java:236) at org.apache.catalina.core.StandardContextValve.invoke(StandardContex tVa lve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenti cat orBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve .ja va:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve .ja va:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAc ces sLogValve.java:650) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineV alv e.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.j ava :342) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:479) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorL igh t.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(Abstra ctP rotocol.java:806) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEnd poi nt.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorB ase .java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecuto r.j ava:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecut or. java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(Task Thr ead.java:61) at java.lang.Thread.run(Thread.java:748) At the version Apache Tomcat/8.5.34 this problem doesn't occur. Did I found a bug? Something looks seriously broken if you got an NPE on that line of code. Either the Valve doesn't have a Container or the Container doesn't have a logger, neither of which should ever happen. What's your use-case? Is this embedded, or using Tomcat "normally" like starting-up from a script/service and deploying web applications to it? The tomcat is started as a Windows service tomcat7.exe. The services was installed using service.bat install. User connections are received in Apache Server and reverse proxied using mod_ajp. The manager app I've opened locally at RDP at url http://localhost:8080/manager/html. Did you upgrade from 8.5.34 and then it broke? How did you perform the upgrade? I upgraded from 8.5.9 to 8.5.35 just copying from apache-tomcat-8.5.35-windows-x64.zip. I didn't copy only the conf/server.xml If I copied files from 8.5.34 the problem didn't occur. So you took files from the ZIP file and dropped them on top of your existing Tomcat installation? Yes. Before that I've made a directory synchronization to view what files are new, modified and same. Which files? All of them? And then I've copied all of them except server.xml where I have my customizations. Generally, conf/server.xml is customized for a particular environment. If you copied everything, you will probably have lost something important. I do not understand how I can lost something important, if I've copied everything. There could be a jar hell when in the zip would be jar with newer version numbers in name. But this is not this issue for upgrade from 8.5.9 to 8.5.39. No new jar is in the zip. I've also text compared source a my server.xml to inspect some new sections in source server.xml and have nothing found. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwH8UUACgkQHPApP6U8 pFgD+BAAwoP66vzrt5yMgiEPW9h8iUc3c8C7TXVTBLcPB1zGhjlE0r+OEhpDv2u/ nvtlLOHMJKfqDKmDsRL8CN/qjdieZaGS4jGgDmISgBlUAMskzKf0KO5IFTqME/1p VKd74+cPaEZTOBqS0iwJ3iEuUczy5ArxyHeCwe7gtKLecUJot9p8MmAZ3vbVZfs+ wKHYvz2TgI4DW6LHYlVVkzE5fxsJcJXMZj0DoDIjvzy1IGfMbsIYgnUpPtqh4neC uGBc1GaOIjH4uK81jr6A9CxtFaSpsek+1cZzXKDZwn0LKaY6hzAieXc+EH+22Cp3 DjPqOzwJA2fBW5ZuOUpSnCpxvtZtz8HhuouzZA8HgsgZdXhfGiBv980CigMUoOoh 71gXSi5AgOcsarD3R+mwu5UAgmYKEtIcslfrpQEE7CziRCLJhyuEZvSt6Yz48v/B q5Jpd2/FT/qf91C/X/l1Ndd21kApQYZw6C4AAOIuxP7ZLdtUjlme2dKIB46w88pq zwluTi3Rnk2qFBYfTlaK5TCINj3d1r0kguzMwxoEyDbK86FOOqX9qlEKnty3JdBw ieOpQ4+t+O1/ogLfqFwX2Tce9MdWtDFMkWS/FLW1O4LdLklvKElb6Q75ZUmRqrrQ FS4IvMfXaMWkOr53MM/G7Zs37kp7F5k4MF7yyafNTjFP3yK8/Og= =R5+S -END PGP SIGNATURE- --
Re: manager app, Complete Server Status, not shown list of NIO threads
Hi, Dne 04.12.2018 v 17:49 Christopher Schultz napsal(a): -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jan, On 12/4/18 10:10, Jan Vávra wrote: Hello, I'm using Apache Tomcat/8.5.35, jvm 1.8.0_192-b12, Windows Server 2012 R2 and at Complete Server Status page I can see list of all http-nio threads and I can see a header of ajp-nio threads. But there is displayed only a label Max threads: and nothing more. In the localhost.log is an exception: 04-Dec-2018 10:31:38.109 SEVERE [96] org.apache.catalina.core.StandardHostValve.invoke Exception Processing null java.lang.NullPointerException at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa lve.java:236) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa lve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat orBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja va:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja va:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAcces sLogValve.java:650) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValv e.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java :342) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:479) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLigh t.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractP rotocol.java:806) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoi nt.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase .java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j ava:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor. java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThr ead.java:61) at java.lang.Thread.run(Thread.java:748) At the version Apache Tomcat/8.5.34 this problem doesn't occur. Did I found a bug? Something looks seriously broken if you got an NPE on that line of code. Either the Valve doesn't have a Container or the Container doesn't have a logger, neither of which should ever happen. What's your use-case? Is this embedded, or using Tomcat "normally" like starting-up from a script/service and deploying web applications to it? The tomcat is started as a Windows service tomcat7.exe. The services was installed using service.bat install. User connections are received in Apache Server and reverse proxied using mod_ajp. The manager app I've opened locally at RDP at url http://localhost:8080/manager/html. Did you upgrade from 8.5.34 and then it broke? How did you perform the upgrade? I upgraded from 8.5.9 to 8.5.35 just copying from apache-tomcat-8.5.35-windows-x64.zip. I didn't copy only the conf/server.xml If I copied files from 8.5.34 the problem didn't occur. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwGsBUACgkQHPApP6U8 pFg7RxAAvmaaNGfOSGut8l5xHktCpf7B8Uy4/nChr/gAeGuY6Vk0vKcB88cdecGU q70+atyU6r03sUWuIbfM9OQc7DhPS5mZHifCOM8Yn77ZK6pJERYg+tz4m/f7M979 Cj7QUIHl8/i21qULL6Y5OQyV/N5U9lAnKzGRJrVcDghcl+pYrEBE3P+VyOXduTvr rOjYxNq2NP+D0B4JTy1D+Wa7+BFsqrAwm3TjQ7vxCg3wW4OWwDUM7SKYCCDMCYHV kLHIgJFRSwoZIGhDI4HYGjssY1H1q4DCTJPduQi0RZI/IcvrHNjRff3S9HXnzs5n 86efvPHh8SUmp42dFwWzlXq6E7O9tzoCOTbAn+SEr3EQG8H2m2cQ8Y66zaoXZGMY hN+cPtMfimwCpI3bO46yEB6YipZbf4fjn6MXIbJk+GWEafuviEg0t/uIUGRslBpl CpzJb1lgZZUIdmn3xvdPsCzo1Ot5saC2lEJbzCnBjjR8d9RqlrGZKBn5L6h43zxV QlEK8YfF11YckXKSM/Kr8/AorYzmifcd6aAQJJtCPkQWE49YDzbCOIAqy6ooR7Br fCpfs1cUsemNn0nfUYWMN/4X/NDfrsFhdxLveI8/bjMCFfYCxyH0V5wYN69oZaWL N8Vt74TrJ4gqukQTwvq85xdgVdLj9zQgTtVci5+AamjDe6ydTjI= =Wtha -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
manager app, Complete Server Status, not shown list of NIO threads
Hello, I'm using Apache Tomcat/8.5.35, jvm 1.8.0_192-b12, Windows Server 2012 R2 and at Complete Server Status page I can see list of all http-nio threads and I can see a header of ajp-nio threads. But there is displayed only a label Max threads: and nothing more. In the localhost.log is an exception: 04-Dec-2018 10:31:38.109 SEVERE [96] org.apache.catalina.core.StandardHostValve.invoke Exception Processing null java.lang.NullPointerException at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:236) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:479) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) At the version Apache Tomcat/8.5.34 this problem doesn't occur. Did I found a bug? Jan.
how to access HTTPServletRequest in RealmBase
Hello, I have written a custom Realm and I need to access to the request headers. The authentication should be computed from client certificate + id from custom http header X-IdUser. Can I somehow access to the HTTPServletRequest instance ? Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: RFE: read keystorePass from file
Hello, Hi, I'd like to suggest the addition of an option that would allow reading the keystore password (the password protecting the private key used by secure connectors) from file. for such things I use java define for tomcat process: -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=MyPropertySource MyPropertySource is my class from a jar in tomcat/lib: public class MyPropertySource implements org.apache.tomcat.util.IntrospectionUtils.PropertySource { @Override public String getProperty(String key) { return some_value; } } So I'm capable to read eg. database connection string, password from /etc/myapp.config and even in this class I decrypt passwords. So passwords can be encrypted in my config. In context.xml I do write: My use case: I manage tomcat configuration including server.xml with a Configuration System (Ansible). This allows me to template and store tomcat configuration in a Source Control System (as I do for other services). The problem is that I need a secure tomcat connector and the only way to provide a password to protect private keys seems to be to write it in server.xml. Which means that the password end up being committed to SCM ( defeating the purpose of protecting the keystore with a password). If tomcat could read the password from a file than I could generate it randomly on the target host and store it on a file only tomcat can read. I hope my suggestion could be considered and I'm ready to further discuss my use case if further information are required. Regards, Luca PS: this has nothing to do with obfuscating the password (which has already been discussed on this list) Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
tomcat7.exe windows service crash
Hello, I'm facing a problem of tomcat7.exe crash (from win64 Tomcat 7.0.54 distribution) installed as a Windows service on Windows 2012 x64, x64 jdk 1.7.0.65. In the Widows event log is message (translated from Czech) :"Windows service Apache Tomcat 7 was unexpectedly ended." Interresting is that in my webapp in registered context listener the contextDestroyed method was called and my log command in contextDestroyed (.) was succesfully written. So it seems that my app is gracefully going to shutdown. But why? In the tomcat log I do not see any error messages that leads tomcat to stop. The tomcat7.exe process exited. In my app we transfer through a windows pipe a 300 MB big file to newly created subprocess written in c for an analysis. jvm opts changed: Xmx=6116MB. Eg. in one case was the server started at 10:34:55 and crashed at 10:43:13 (according the Windows event log) --- tomcat7-stderr.log: --- VII 29, 2014 10:34:55 DOP. org.apache.catalina.startup.Catalina start INFO: Server startup in 6323 ms VII 29, 2014 10:43:07 DOP. org.apache.coyote.AbstractProtocol pause INFO: Pausing ProtocolHandler ["http-apr-8080"] VII 29, 2014 10:43:07 DOP. org.apache.coyote.AbstractProtocol pause INFO: Pausing ProtocolHandler ["ajp-apr-8009"] VII 29, 2014 10:43:07 DOP. org.apache.catalina.core.StandardService stopInternal INFO: Stopping service Catalina VII 29, 2014 10:43:11 DOP. org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: The web application [/jasw] is still processing a request that has yet to finish. This is very likely to create a memory leak. You can control the time allowed for requests to finish by using the unloadDelay attribute of the standard Context implementation. VII 29, 2014 10:43:11 DOP. org.apache.catalina.loader.WebappClassLoader clearReferencesThreads SEVERE: The web application [/jasw] is still processing a request that has yet to finish. This is very likely to create a memory leak. You can control the time allowed for requests to finish by using the unloadDelay attribute of the standard Context implementation. VII 29, 2014 10:43:11 DOP. org.apache.catalina.loader.WebappClassLoader checkThreadLocalMapForLeaks SEVERE: The web application [/jasw] created a ThreadLocal with key of type [com.sun.xml.bind.v2.ClassFactory$1] (value [com.sun.xml.bind.v2.ClassFactory$1@6be8e70]) and a value of type [java.util.WeakHashMap] (value [{class cz.software602.sdar.tsl.CertTypeResponseItem=java.lang.ref.WeakReference@48795e85, class cz.software602.sdar.tsl.GetCertPathResponse=java.lang.ref.WeakReference@182c92ef, class cz.software602.sdar.tsl.CertPathResponse=java.lang.ref.WeakReference@1662954f, class cz.software602.sdar.tsl.Cert=java.lang.ref.WeakReference@22388104, class javax.xml.bind.annotation.W3CDomHandler=java.lang.ref.WeakReference@2b9e3f29, class cz.software602.sdar.pdf.TRevocations=java.lang.ref.WeakReference@2244b31e, class cz.software602.sdar.tsl.CertPath=java.lang.ref.WeakReference@4c4b8825, class cz.software602.sdar.pdf.TCmsInfo=java.lang.ref.WeakReference@72d75c44, class cz.software602.sdar.tsl.Crl=java.lang.ref.WeakReference@18eaaf43, class cz.software602.sdar.pdf.TPdfInfo=java.lang.ref.WeakReference@5798647c, class java.util.ArrayList=java.lang.ref.WeakReference@55ed35d1, class cz.software602.sdar.tsl.CertRevocation=java.lang.ref.WeakReference@48685869, class cz.software602.sdar.tsl.Status=java.lang.ref.WeakReference@3a847aa2, class cz.software602.sdar.pdf.TCertificates=java.lang.ref.WeakReference@4f8f3fb1, class cz.software602.sdar.tsl.GetCertTypeResponse=java.lang.ref.WeakReference@459ea645, class cz.software602.sdar.tsl.CertTypeResponseList=java.lang.ref.WeakReference@32b61fb8, class cz.software602.sdar.tsl.CertTypeResponse=java.lang.ref.WeakReference@52dc830a}]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak. VII 29, 2014 10:43:11 DOP. org.apache.catalina.loader.WebappClassLoader checkThreadLocalMapForLeaks SEVERE: The web application [/jasw] created a ThreadLocal with key of type [com.sun.xml.ws.api.client.ServiceInterceptorFactory$1] (value [com.sun.xml.ws.api.client.ServiceInterceptorFactory$1@b1f3006]) and a value of type [java.util.HashSet] (value [[]]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak. VII 29, 2014 10:43:11 DOP. org.apache.catalina.loader.WebappClassLoader checkThreadLocalMapForLeaks SEVERE: The web application [/jasw] created a ThreadLocal with key of type [com.sun.xml.bind.v2.ClassFactory$1] (value [com.sun.xml.bind.v2.ClassFactory$1@6be8e70]) and a value of type [java.util.WeakHashMap] (value [{class cz.software602.sdar.tsl.CertTypeResponseItem=java.lang.ref.WeakReference@2c89df9e, class java.util.ArrayList=java.lang.ref.WeakReference@fb814ea, class cz.software602.sdar.tsl.Status=ja
Re: realm, access to Request object
Hello. -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 5/20/14, 4:28 AM, Mark Thomas wrote: On 20/05/2014 09:11, Jan Vávra wrote: Hello. I write my own realm implementation for Tomcat 7.x. In the method Principal authenticate(X509Certificate[] certs) I'd like to read request headers. My authentication would be based on client certificate + custom http request value. Is it possible? In Tomcat, the Authenticator is responsible for gathering the credentials. This often requires interaction with the Request and related objects. The Realm is responsible for validating credentials. Therefore the Realm does not need access to the Request and related objects. This is something that securityfilter supports using a sub-interface of the Realm (analog) interface that has the ability to access the request directly. It's a bad architecture, but very useful for doing things such as recording login failures and their source IP addresses, etc. Is there some way that additional information (e.g. source IP address) could be provided to the Realm for things such as this? It's one of the reasons we still use sf instead of Tomcat's built-in realms. (Another is the lack of decent password-checking algorithms, but I'm working on that: https://issues.apache.org/bugzilla/show_bug.cgi?id=56403). Well, I looked at Chris's SecurityFilter and I'll go the same way. I'll get rid of realm and write my own simple security filter. We also plan to support OAuth 2.0 authentication where is transferred auth. header in form Authorization: Bearer x. And in other cases I need to combine clicert auth with basic auth. In the other project we' re also behind an authentication system that sends my tomcat X-Authorized-As header. So I have many reasons to access the Request object and writing the filter seems me as the only way how to authenticate web service method (server side). Jan. * Thanks, - -chris
realm, access to Request object
Hello. I write my own realm implementation for Tomcat 7.x. In the method Principal authenticate(X509Certificate[] certs) I'd like to read request headers. My authentication would be based on client certificate + custom http request value. Is it possible? The method authenticate is called in SSLAuthenticator.authenticate(Request request, HttpServletResponse response, LoginConfig config) But I do not see that the Request object is passed to realm instance. Is there something similar like WebServiceContext that is used for WS? ... @Resource WebServiceContext wsctx; MessageContext mctx = wsctx.getMessageContext(); HttpServletRequest request = (HttpServletRequest) mctx.get("javax.xml.ws.servlet.request"); ... Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: mod_proxy not redirecting servlet redirect properly
Hello, is really cutting of the /myapp the thing you want to do? Isn't it turned-up? Now from url http://myip/myapp/smthg you redirect client to http://myip/smthg You wrote : "In one of the servlets POST method i am redirecting the request to a JSP page" So the scenatio is. 1. client makes a POST request to a servlet 2. The servlet returns Redirect in the response. And there you need to compute the url to redirect to. If you use only relative url, you should not have this problem. If you need full url, you should use mod_ajp or read the hostname:port part from configuration. But there is no need to define Redirect in Apache Server config. Jan. Hi I am very new to mod_proxy. Gone thru some tutorials and configured mod_proxy. Everything works great except this issue. Couldn't solve even after spending hrs in googling. Issue is - I have apache 2 in front of tomcat 6 (running in port 8080) in my internet website. I am using mod_proxy to mask the port 8080. In one of the servlets POST method i am redirecting the request to a JSP page but port 8080 is displayed in the URL as follows after successful redirect http://myip.com:8080/myapp/WebContent/result.jsp?message=success Couldn't figure out how to avoid it. Here is my httpd conf entry ServerAdmin sha...@example.com ServerName http://myip ServerAlias http://myip ProxyPass /myapp http://myip:8080/myapp ProxyPassReverse /myapp myip:8080/myapp ProxyPass /myapp ! RedirectMatch 301 ^/myapp/(.*)$ /$1 RedirectMatch 301 ^/myapp$ / Can someone pls. let me know what the problem is? thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Maybe it'd helpful not using the java key store (JKS). Personally on Linux Tomcat installations without native APR I use the .p12 files with this config maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile=${catalina.home}/ssl/serverkey.p12" keystorePass="**PASS**" keystoreType="pkcs12" /> Jan Good Day! Everything was followed perfectly from this URL: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I've done this setup a lot of times already and mostly I have been successful. Until our security team noticed that the installed root CA is incorrect. Instead of just importing the correct root CA, I deleted all the imported certificates (originally 2 certificates) using the "keytool -delete -alias -keystore .keystore". Afterwards, I imported the 2 certificates again. Now when I access https://mydomain:8443, it gives me a webpage not found with ERR_CONNECTION_REFUSED error in Chrome and ssl_error_no_cypher_overlap in Firefox. Could anyone please let me know what I must have did wrong? Thank you in advance. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
|Hello, on http://support.mozilla.org/cs/questions/952242 there is described smthg about ssl protocol settings for Firefox. It seems like you have configured ||in server.xml||eg. only SSLv2 protocol that is disabled in the client browser http://tomcat.apache.org/tomcat-7.0-doc/config/http.html sslProtocol http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext Jan | Good Day! Everything was followed perfectly from this URL: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I've done this setup a lot of times already and mostly I have been successful. Until our security team noticed that the installed root CA is incorrect. Instead of just importing the correct root CA, I deleted all the imported certificates (originally 2 certificates) using the "keytool -delete -alias -keystore .keystore". Afterwards, I imported the 2 certificates again. Now when I access https://mydomain:8443, it gives me a webpage not found with ERR_CONNECTION_REFUSED error in Chrome and ssl_error_no_cypher_overlap in Firefox. Could anyone please let me know what I must have did wrong? Thank you in advance.
OT: Re: what if I lost the keystore which generate the CSR
Well, the original cert will be revoked and you can create new CSR and reapply new cert. With Thawte we did this one year ago without a problem. Contact Thawte support. Jan. Sorry I am a beginner about ssl cert. according to http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Create_a_local_Certificate_Signing_Request_(CSR) it will gen a keystore and CSR. we generate the CSR and send to Certificate Authority. What if I lost the keystore ? should I regen the CSR again to reapply the ssl cert? Refer to https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO832 It will generate a new keystore file. is it the file store the private key? which stated in https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO750 , which say 1. Private Key file loss. 2. Private Key pass phrase loss. 3. Private Key file has been compromised due to the server being hacked. .. .. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Authentication and Cache-Control
Hi. I've solved my problem. The correct attitude is to have all contexts unauthenticated and only few restrict. In my case restricted urls are /index.jsp, /admin/*, /user/* In the original web.xml I had all contexts restricted and static context /common/* was masked out. Although the /common/* was not under authetication, Tomcat was adding the Cache-Control: private, Expires: 1.1.1970 headers. So I personally think this is a bug. Thanks to Christopher Schultz who gave me a clue. Jan. === My aps has these part /* - common authenticated content /user/* - content for user /admin/* - content for admin /common/* - common unauthenticated static content like images, css, etc My web.xml MyApp /* myapp-admin-role myapp-user-role MyApp /admin/* myapp-admin-role MyApp /user/* myapp-user-role MyApp /common/* FORM /login.jsp /login_failed.jsp myapp-admin-role myapp-user-role Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: ssl client certificate authentication
2. It seems me that checking of revocation of client certificate is done via "static" crl files located in APR's SSLCARevocationPath or JSSE's crlFile. If I write a cron task that periodically downloads crl list(s), will the Tomcat react on this change of CRL file(s)? I've found in org.apache.httpd.dev mail list a 5 years old mail saying that the Apache Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj My reading of the source code is that the CRLs are read once when the server socket is created. Updates will be ignored. You read also the JSSE source code and it behaves equally to the APR (mod_ssl)? 3. And in general what is better to use APR or JSSE ? My opinion is: if the Tomcat serves not a web portal the JSSE is good enough although I can use only one crl file for client cert checking. In case of APR I must compile native libs on Linux so it is more complicated but more powerful ... 'better' is subjective. The right answer depends on your requirements. Is there an article that gives more info on it? I'd like to have some pros and cons. For now I'm a bit lazy to compile APR. Jan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
ssl client certificate authentication
Hi all. I've studied the documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support and I have several questions on it. 1. While the APR/Native has config option SSLCACertificateFile that defines the set of allowed client cert authorities the JSSE SSL has no analogous option. Is the set of allowed client cert authorities defined implicitly by the java cacerts file located in $JAVA_HOME/lib/security/cacerts ? 2. It seems me that checking of revocation of client certificate is done via "static" crl files located in APR's SSLCARevocationPath or JSSE's crlFile. If I write a cron task that periodically downloads crl list(s), will the Tomcat react on this change of CRL file(s)? I've found in org.apache.httpd.dev mail list a 5 years old mail saying that the Apache Server is not doing it. http://markmail.org/message/nrhnyd6dppl25uxj 3. And in general what is better to use APR or JSSE ? My opinion is: if the Tomcat serves not a web portal the JSSE is good enough although I can use only one crl file for client cert checking. In case of APR I must compile native libs on Linux so it is more complicated but more powerful ... Jan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Authentication and Cache-Control
Hi. Note that Cache-Control:private does not disable caching. Instead, it disables public-caching for proxies. The browser is still free to cache the document in certain ways. True disabling of the cache would be to set Cache-Control to "no-cache" or "no-store" (though no-store is usually more appropriate for controlling proxies and not browsers). Ok. I thought it controls browser caching. If I add disableProxyCaching="false" to at my context.xml the response headers change to: HTTP/1.1 304 Not Modified Server: Apache-Coyote/1.1 ETag: W/"3907-1372233712661" Date: Wed, 26 Jun 2013 11:25:23 GMT and browser in the next request doesn't asks for this image. Is it safe to override default bahaviour via disableProxyCaching? Or I am something missing? Or there is a best practice to place images, css styles into another application? What happens with dynamic resources? The reason that cache-disabling is on by default is that having proxies and/or browsers caching resources that were protected by authentication is a potential security or privacy problem. From the documentation for "disableProxyCaching": " Controls the caching of pages that are protected by security constraints. Setting this to false may help work around caching issues in some browsers but will also cause secured pages to be cached by proxies which will almost certainly be a security issue. securePagesWithPragma offers an alternative, secure, workaround for browser caching issues. If not set, the default value of true will be used. " Tomcat can't tell which resources are "okay" to allow the browser to cache and which aren't. Why we cannot tell tomcat what resources are okay? I was playing with Expiration Filter for /common/* but with no effect. IMO, you might want to think about using a fronting web server to serve your static content (which will not include any headers that would otherwise be sent by Tomcat) and map all dynamic requests to Tomcat. There are certainly other ways to get this done as well, but you may find that configuring your way around this "problem" is more difficult than you imagined. One way that I have in mind is to make second tomcat application /myapp-static that contains static images etc. And link all images to this context. But this is ugly. Is there actually a /problem/ with having Cache-Control:private set on your resources? Have you tried playing with the "securePagesWithPragma" setting? The problem is only the effectivity of network traffic. For one page load the browser asks for each image, ccs all the time ( after click, not Ctrl+R for refresh). Why Tomcat is also responding header Expires: Thu, 01 Jan 1970 00:00:00 UTC ? I think all this behaviour is somehow connected to form based auth. I must prove it by more tests. === My aps has these part /* - common authenticated content /user/* - content for user /admin/* - content for admin /common/* - common unauthenticated static content like images, css, etc My web.xml MyApp /* myapp-admin-role myapp-user-role Technically, the above web-resource-collection is protected, which includes everything on your site. Instead of blanketing the whole site with what amounts to a black-list and then white-listing other resources, why not do the reverse and only use a white-list? That will avoid "protecting" resources that need not be protected. MyApp /admin/* myapp-admin-role MyApp /user/* Umm... you have the same url-pattern (/*) in two separate web-resource-collections. Is that intentional? I have /* allowed for admin and user roles. There are only login, logout, j_sercurity_check pages. And after succ. login user is redirected to his context (/user or /admin). /admin/* is only for admin and /user/* only for user role. And also I do not want to allow for admin accessing the /user/* pages and vice versa. I do not have /* twice or I don't fully understand you. Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Form Authentication and Cache-Control
Hello, If I use auth-method FORM, all requests return with headers denying caching on the browser side although I have excluded some part of my app from authentication. The headers for a png image are: HTTP/1.1 304 Not Modified Server: Apache-Coyote/1.1 Cache-Control: private Expires: Thu, 01 Jan 1970 00:00:00 UTC ETag: W/"3907-1372233712661" Date: Wed, 26 Jun 2013 11:06:17 GMT If I add disableProxyCaching="false" to className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="utf-8"/> at my context.xml the response headers change to: HTTP/1.1 304 Not Modified Server: Apache-Coyote/1.1 ETag: W/"3907-1372233712661" Date: Wed, 26 Jun 2013 11:25:23 GMT and browser in the next request doesn't asks for this image. Is it safe to override default bahaviour via disableProxyCaching? Or I am something missing? Or there is a best practice to place images, css styles into another application? === My aps has these part /* - common authenticated content /user/* - content for user /admin/* - content for admin /common/* - common unauthenticated static content like images, css, etc My web.xml MyApp /* myapp-admin-role myapp-user-role MyApp /admin/* myapp-admin-role MyApp /user/* myapp-user-role MyApp /common/* FORM /login.jsp /login_failed.jsp myapp-admin-role myapp-user-role Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
Hello, When I create user with password with czech String "ŽežUlička.1" the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The browser is not sending that correctly. The password is UTF-8 encoded but the Content-Type fails to specify the character set used. It it did, Tomcat would treat the password as UTF-8. This is a common failing of browsers and is covered in the FAQ. [1] Well I have tried IE, Firefox, Chrome. None of them is appending charset in Content-Type. I have manually modified the request header to: Content-Type: application/x-www-form-urlencoded; charset=utf-8 and Tomcat gives me the letters in the correct form. Ok, good to know. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Authentication is tricky because the processing happens before any user code runs. The best / only option is to set the characterEncoding attribute for the Authenticator [2] to UTF-8 and hope that the browsers are consistent in their failing to follow the specification and use whatever encoding the page is encoded with. HTH, Mark [1] http://wiki.apache.org/tomcat/FAQ/CharacterEncoding [2] http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve/Attributes As you have referred in [2] I have added to my app's context xml characterEncoding="utf-8"/> and Czech letters are in the correct form. This is a solution. Thanks for an advice. Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: FORM based authentication and utf-8 encoding of credentials
Well, it is custom created and managed xml file. But the core of problem is in the string credentials in method public Principal authenticate(String username, String credentials). If the string was encoded properly (in java as utf-16) the credentials.length would be equal to 11 but its real length is 14. And that corresponds to the fact that in credentials is stored some form of utf-8 encoding. Utf-8 encoding string "ŽežUlička.1" has length 14. +1 for each letter: Ž,ž,č. Jan. Where do you store your login/password : DB ? xml file ? encrypted in xml file ? ____ De : Jan Vávra [va...@602.cz] Envoyé : lundi 24 juin 2013 13:36 À : Tomcat Users List Objet : FORM based authentication and utf-8 encoding of credentials Hello, I'm successfully using form based authenntication when login or password contains only letters from English alphabet. I have also written own realm. When I create user with password with czech String "ŽežUlička.1" the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The first letter "Ž" is really encoded in the utf-8 as bytes in hexa C5, BD. But in the method public Principal authenticate(String username, String credentials) the parameter credentials has first two bytes C3, 85. In my login.jsp I have these relevant parts: <% request.setCharacterEncoding("UTF-8"); %> ... and also tomcat is telling in the http response header: Content-Type: text/html;charset=UTF-8 But nothing of it forced Tomcat to translate password correctly from utf-8 string. Even the manual reencoding in authenticate(.) doesn't help: credentials = new String(credentials.getBytes(),"utf-8") Because the received bytes of first letter are C3, 85 instead of expected C5, BD. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Thanks Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
FORM based authentication and utf-8 encoding of credentials
Hello, I'm successfully using form based authenntication when login or password contains only letters from English alphabet. I have also written own realm. When I create user with password with czech String "ŽežUlička.1" the browser sends correctly this string as: POST http://localhost:70/myapp/j_security_check HTTP/1.1 Content-Type: application/x-www-form-urlencoded j_username=p&j_password=%C5%BDe%C5%BEUli%C4%8Dka.1 The first letter "Ž" is really encoded in the utf-8 as bytes in hexa C5, BD. But in the method public Principal authenticate(String username, String credentials) the parameter credentials has first two bytes C3, 85. In my login.jsp I have these relevant parts: <% request.setCharacterEncoding("UTF-8"); %> ... and also tomcat is telling in the http response header: Content-Type: text/html;charset=UTF-8 But nothing of it forced Tomcat to translate password correctly from utf-8 string. Even the manual reencoding in authenticate(.) doesn't help: credentials = new String(credentials.getBytes(),"utf-8") Because the received bytes of first letter are C3, 85 instead of expected C5, BD. Any idea how to tell tomcat to use utf-8 in form based authentication? It's tomcat 7.0.34 on Czech Windows 7 32 bit with default ansi code page set as Windows-1250. Thanks Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: .net web service client calling Tomcat 7
Is there a RFC that describes best behaviour of server and client in this situation? On my opinion Tomcat behaves correctly. If client doesn't send proper credentials it is dangerous and useless to read all input data. I've switched off the connection keep alive at Connector config. And now client doesn't suffer by closing a socket. So this is a solution for "bad" .net client. Jan. When client sends a request there are written 2 lines at tomcat access log: 192.168.1.211 - - [03/Jun/2013:16:02:24 +0200] "POST /ades-server/adesOperationsWebService HTTP/1.1" 401 951 192.168.1.211 - - [01/Jan/1970:00:59:59 +0100] "http://schemas.xmlsoap.org/soap/envelope/";> I can't offer an answer, but sympathy and a workaround: We ran into this exact same issue when we moved to Apache httpd webservers. We opted to disable keepalive for "MS Web Services" clients with: BrowserMatch "MS Web Services" nokeepalive rather than fighting an RFC interpretation battle... It looks like similar could be done in tomcat with "restrictedUserAgents" option on the http connector: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html -- Bill - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
.net web service client calling Tomcat 7
Hello, I have a METRO web service at Tomcat 7.0.39 (S). The service is under http basic authentication. I have written own realm for http basic authentication. The realm's implementation is very small. It's something like read ini file with username with passwords. Few lines ... Our customer wrote a .net 4.5 web service client - WCF (C). When client sends a request there are written 2 lines at tomcat access log: 192.168.1.211 - - [03/Jun/2013:16:02:24 +0200] "POST /ades-server/adesOperationsWebService HTTP/1.1" 401 951 192.168.1.211 - - [01/Jan/1970:00:59:59 +0100] "xmlns:s="http://schemas.xmlsoap.org/soap/envelope/";> Basically the .net client never sends Authorization header at first time. I used wireshark to see the communication: 1. C sends packet with http headers. 2. C sends packet with first part of soap xml request that begins 3. S replies 401 Unauthorized. 4. S replies 400 Bad Request. 5. S sends RST (reset packet). The http headers are: POST http://xxx.xxx.cz:8080/ades-server/adesOperationsWebService HTTP/1.1 Content-Type: text/xml; charset=utf-8 VsDebuggerCausalityData: uIDPo/1qFcW8E5lEl/4q6vnckqsAsk/yOV26Z0GeRPNudW6KS8R+D9VgeudJgruTaBNYol8ACQAA SOAPAction: "" Host: xxx.xxx.cz:8080 Content-Length: 444815 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive I checked the Content-Length value against really sent data and these numbers match. My questions are. Why tomcat doesn't continue reading data until the whole request is read? Is it some configurable option? Is it against a DOS attack? I think that the reasons why tomcat considers (2) as a new http request are: - not reading the full request data according the value Content-Length - Connection: Keep-Alive I also tried curl client with intentionally not specifying Authorization header. Curl client doesn't send packet with data (2), but curl also complaints with message: * HTTP error before end of send, stop sending Thanks for any advice. Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: configuring tomcat7 with apache 2.2.22
In this situation are both server exposed - Apache Server and Apache Tomcat. It can work. When you use reverse proxy only the Apache Server is exposed. So configuring a ssl certificate is only done once. On client computer/network there could be allowed only the standard http port 80 and not 8080. Depends on situation ... Jan. Thanks to some advice on this forum, and a lot of independent study and experimentation, I have a php app on apache (localhost:80) pulling in a database driven bar code from a IDAutomation Servlet running on tomcat (localhost:8080). Looks like this - $bcode = $row['Bar Code'] ; $beginurl = ""; echo $beginurl . $bcode . $endurl; Steve Spence, KK4HFJ http://arduinotronics.blogspot.com http://www.essnmag.com ---Original Message--- From: Jan Vávra To: Tomcat Users List Subject: Re: configyuring tomcat7 with apache 2.2.22 Sent: Mar 15 '13 07:43 Hello, I take care about an app that is a combination of Apache Server+php Drupal app and Apache Tomcat jsp app. Apache Server listens on the ports 80/443 and requests are reverse proxied to Apache Tomcat. Let's say that the tomcat app resides on/testca The apache server config will be ProxyRequests Off ProxyPass /testca ajp://127.0.0.1:9081/testca ProxyPassReverse /testca ajp://127.0.0.1:9081/testca Order Deny,Allow Deny from All Order Deny,Allow Allow from All and check if ajp module is loaded: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so In the Apache Tomcat's server.xml change ajp port to 9081 On WinXP there should be no problem. I personally develop on Win 7, production is Linux. Jan. > Although not a newbie to building websites in html and php, and physical computing in C/C++, I'm having a dickens of a > time understanding the documentation of Integrating Tomcat 7 with my existing Apache 2.2.22 on WinXP (company > supplied development pc, nothing I can do about that). Can I get a bit of handholding please? > > I'm trying to evaluate a java servlet that requires tomcat. > > > Steve Spence, KK4HFJ > http://arduinotronics.blogspot.com > http://www.essnmag.com > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: configuring tomcat7 with apache 2.2.22
Hello, I take care about an app that is a combination of Apache Server+php Drupal app and Apache Tomcat jsp app. Apache Server listens on the ports 80/443 and requests are reverse proxied to Apache Tomcat. Let's say that the tomcat app resides on/testca The apache server config will be ProxyRequests Off ProxyPass /testca ajp://127.0.0.1:9081/testca ProxyPassReverse /testca ajp://127.0.0.1:9081/testca Order Deny,Allow Deny from All Order Deny,Allow Allow from All and check if ajp module is loaded: LoadModule proxy_ajp_module modules/mod_proxy_ajp.so In the Apache Tomcat's server.xml change ajp port to 9081 On WinXP there should be no problem. I personally develop on Win 7, production is Linux. Jan. Although not a newbie to building websites in html and php, and physical computing in C/C++, I'm having a dickens of a time understanding the documentation of Integrating Tomcat 7 with my existing Apache 2.2.22 on WinXP (company supplied development pc, nothing I can do about that). Can I get a bit of handholding please? I'm trying to evaluate a java servlet that requires tomcat. Steve Spence, KK4HFJ http://arduinotronics.blogspot.com http://www.essnmag.com - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Two auth methods for one application
On 02/02/2012 15:00, Christopher Schultz wrote: Jan, On 2/2/12 6:26 AM, Jan Vávra wrote: Is it possible to configure tomcat to call both variants of functions? I'd like to write something like CLIENT-CERT or BASIC. The servlet spec doesn't support anything like this. I think what you'll have to do is write your own Authenticator. You can configure your own Authenticator by registering a that is an Authenticator in your webapp's. Just write your own code and register it using. You can look at the documentation for, say, BasicAuthenticatorValve: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Basic_Authenticator_Valve And you're going to want to extend AuthenticatorBase. Tomcat has a "CombinedRealm" which allows authentication against one of several sub-realms (like LDAP /or/ JDBC), but does not have a CombinedAuthenticator, which might be a useful addition. If you come up with something that works, consider donating it to the project. Jan, are you trying to achieve something like: http://wiki.apache.org/tomcat/SSLWithFORMFallback ? I'm trying to do SSL or Basic auth. This is slightly different: SSL or Form auth. How I'm thinking about that basic vs. form auth should be the only one difference. I'll explore this. Thanks. Jan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Two auth methods for one application
Hello, I have implemented own realm. I extended RealmBase, overrided methods (1) public Principal authenticate(X509Certificate[] certs), (2) public Principal authenticate(String username, String credentials). I have Tomcat 6 that runs behind Apache Server over AJP. In the situation (1) client connects to HOST1, Apache Server challenges for client certificate. In the situation (2) client connects to HOST2. Both HOST1, HOST2 are configured to do a reverse proxy to /myapp on tomcat. I am not able to configure tomcat to call both methods. In the myapp's web.xml I have CLIENT-CERT SecustampRealm and tomcat calls the function (1). When I replace CLIENT-CERT for BASIC tomcat calls the function (2). Is it possible to configure tomcat to call both variants of functions? I'd like to write something like CLIENT-CERT or BASIC. Jan. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat recycling
Hello, thanks for a long response. As I see everybody are againts my proposal. Ok. Yes, some kind of restarting can be done via some scripts. In the best in a cluster environment... Personally I don't trust /etc/init.d/tomcat scripts that comes in wg. SLES linux. Sometimes this script didn't properly restart tomcat. It could be due to a some untermintated thread, who knows... I must look more closely into doc - how tomcat is starting and shutdowning if I'd like to do some tomcat recycling by own or modified scripts. Thanks. Jan. -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jan, At the end I'd like to make a little comparision. Recently I've used .NET + native calls of dlls, php + custom made php modules (native dlls), jsp+java. .NET and php have possibilities for some kind of recoveries. It's almost impossible to crash Apache like a whole (control + x worker processes). ?? If your PHP script is bad, you'll crash the request processor. If you are in prefork mode, a new child process is created when the old child dies unexpectedly. If you are in worker mode, well, you're not because mod_php doesn't work in worker more IIRC. But, if you were in worker mode, then you'd bring-down a bunch of PHP scripts all running in parallel and a whole lot of users would see errors. That's not terribly user-friendly. So .NET and php seems me they're more stable than tomcat because they have some possibilites. So, PHP and .NET are more stable because poorly-written applications can be mitigated by using server software that tolerates them? That doesn't make any sense at all. If you want to say that you'd rather work in .NET or PHP because app servers are more forgiving, then that's your decision. But don't try to assert that .NET or PHP is somehow better because of that decision. It may be better in your situation, but that certainly does not make them "more stable". I would argue the reverse: if your webapps crash and cause problems, the webapps are not stable. The platform is almost irrelevant. I haven't studied recovery options in other java app. servers, but I'd really appreciate something in Tomcat. If you can figure out how to determine whether Tomcat is "down", then you can easily script a restart. This kind of thing really can't be done by Tomcat itself because something outside the JVM needs to orchestrate the server restart. Since there are so many environments out there, the Tomcat team can't be expected to create auto-restart scripts for all those possibilities. I'd be interested to see how .NET does this, since .NET runs in a VM just like Java, and would have the same potential difficulties. IIRC, .NET doesn't have a rich server-side specification like the Java Servlet Spec that ties everything together for webapps. Basically, it's got IIS's ASP.NET-runner and those ASPs can call-out into "real" (that is, something NOT written in ASP but in a real language like C# or whatever) components. Given that thin veneer that Microsoft provides to its developers, it's not surprising that the server can so easily be bounced: there is no complicated infrastructure in place that needs to be torn-down and re-started. A servlet container is much more complicated and has many more moving parts than both IIS's .NET webapp stuff and mod_php. It's not surprising to me in the least that you would have a tougher time bouncing the service at regular intervals. If you really want to bounce Tomcat at regular intervals, set up a cluster and have cron (or task scheduler, etc) bounce Tomcat whenever you want. Bouncing Tomcat is a non-trivial operation, so it won't be instantaneous. I would never do rolling restarts of any service without having a cluster in place that could redirect traffic to an available server. I would even use mod_jk or something similar to take individual members out of the cluster and then wait until their traffic dies down before bouncing them. That way, nobody knows that your services are undergoing rolling restarts. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Lt1gACgkQ9CaO5/Lv0PA9WQCfXA3h21pZlxuOQDxCppmi2ZxT P+gAnj0wksaWYvmgR3lCL0Z9fdvYkyWb =H67P -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat http connector
Hello, I use ajp, because on tomcat I make authentication based on client certificate. That you cannot do via http connector. Jan. Hi, Is there any document which I can refer to which states if tomcat's built in http connector (Coyote) can be used for production ? And also a comparison between http connector and AJP one. Thanks, Asha - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat recycling
Hello, -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jan, On 11/18/11 10:35 AM, Jan Vávra wrote: is there any way how to tell tomcat: Recycle after X minutes OR Y requests like it is eg. on the IIS server? Tomcat does not come with any mechanism for doing that. IIS has hacks to work-around horrible programming; Tomcat has some workarounds (ThreadLocal purging, etc.) but generally not. As I wrote I think I'd would be a good enhancement of Tomcat. If I add my own script containing "/etc/init.d/tomcat restart" to the crontab I loose the user sessions and users have to relogin. Then you need to fix your app. Unless you have changed the default, Tomcat will persist sessions across restarts. This doesn't work if your webapp puts non-serilizable objects into the session. Remember, just marking a class as "implements Serializable" might not be enough. Thanks for a good hint. It works. I experience some problems with OutOfMemory error. Fix your webapp. On tomcat I run a periodic thread that downloads CRLs and I suspect this of memory leaks. Certificate Revocation Lists? What do you do with them? Why just guess at the cause of your memory leak when you can fairly easily look at the objects that are taking up lots of room? Get a memory profiler and take a look. If you want to validate a certificate that is outdated but comes with a timestamp, you need to have a historical crl to judge whether the cert was or wasn't revoked during it's validity period. Some authorities are deleting outdated certs from their crl. Jan I consider to cut out this to a standalone process called via crontab. That would be my preference. I believe timer threads have no business running inside a servlet container, but there are many who disagree with me. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Gu74ACgkQ9CaO5/Lv0PA9EwCgrJQWqZuyAJMu1BuOHazSJDeR 8GEAnArB7wYhJ5KVsAGqT4h9UhzCyee6 =HKqZ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat recycling
Hello, is there any way how to tell tomcat: Recycle after X minutes OR Y requests like it is eg. on the IIS server? IIS can reboot itself after N requests? That's awesome. What could possibly go wrong? Yes, IIS can do recycling See eg. at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1652e79e-21f9-4e89-bc4b-c13f894a0cfe.mspx?mfr=true It is a quite easy to setup it in the configuration. I might file an enhancement request for Tomcat... If you have already done it, can I vote it for? If I add my own script containing "/etc/init.d/tomcat restart" to the crontab I loose the user sessions and users have to relogin. Yes... because you restarted the server! As Chris Schultz wrote it is possible to persist sessions over tomcat restarts. I chagned my session objects to be serializable and It works. I experience some problems with OutOfMemory error. Wouldn't it be better to understand and fix the OOM, rather than just rebooting the server frequently? Yes, it is allways better to solve the cause than the consequence of a problem. But not allways man can have enough time or means to solve it. When an error occurs at production it is better to setup some kind of recovery (eg. recycling) and than solve it at pre-production / devel environment. You can use a third party lib with an error. Particulary in my case, my app consists of a one single cycle where I download a CRL, parse it using BouncyCastle lib and retrieve serial numbers of revoked certificates. So the problem can rather in third party lib than in my small piece of code. I've tried to profile memory consuption but have not found out nothing. Maybe I had had not enough memory for java virtual machine. I've set it from 128 MB to 512 MB and the problem have not occured yet. On tomcat I run a periodic thread that downloads CRLs and I suspect this of memory leaks. Why? Can't you fix that? If we forget the OOM exception, I was forced to make a ShutDownHook. I use spring quartz scheduler and my job can run quite a long time. So I had to add some notification to stop job correctly. Tomcat was complainting about possible memory leaks when ending quartz job-worker threads when I was stopping app for redeploy my app. In a single process model (crontab) I could afford to kill -9 the process and I could rely on transactionality in the database which I'm using. At the end I'd like to make a little comparision. Recently I've used .NET + native calls of dlls, php + custom made php modules (native dlls), jsp+java. .NET and php have possibilities for some kind of recoveries. It's almost imposible to crash Apache like a whole (control + x worker processes). So .NET and php seems me they're more stable than tomcat because they have some possibilites. I haven't studied recovery options in other java app. servers, but I'd really appriciate something in Tomcat. Jan - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: where to put static files?
Hello, when I started my project others told me to use apache for static content and tomcat for java/jsp. It works quite good. Tomcat is hidden under reverse proxy (mod_ajp). So static content gives apache, dynamic tomcat. Jan. I have a spring project (web app), in my project where should I be putting my static files like images/css/javascript? In my WEB-INF like: /WEB-INF/Assets {images/css/js} I know when I go in production I will have nginx map to this folder to serve the static files, but I just want to know where I can put them for development/testing. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat recycling
Hello, is there any way how to tell tomcat: Recycle after X minutes OR Y requests like it is eg. on the IIS server? If I add my own script containing "/etc/init.d/tomcat restart" to the crontab I loose the user sessions and users have to relogin. I experience some problems with OutOfMemory error. On tomcat I run a periodic thread that downloads CRLs and I suspect this of memory leaks. I consider to cut out this to a standalone process called via crontab. JV. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
problem with loading Bouncy Castle
Hello, I have a problem with loading bouncy castle. My code snippet is: int position = Security.addProvider(new BouncyCastleProvider()); KeyStore store = KeyStore.getInstance("PKCS12", "BC"); In the application log I have message that BouncyCastleProvider is already loaded (position== -1). But call of getInstance(.) failed with exception: java.security.KeyStoreException: PKCS12 not found Caused by: java.security.KeyStoreException: PKCS12 not found Caused by: java.security.NoSuchAlgorithmException: class configured for KeyStore(provider: BC)cannot be found Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore class JDKPKCS12KeyStore$BCPKCS12KeyStore is contained in webapps/appX/WEB-INF/lib/bcprov-ext-jdk16-146.jar In the catalina log there is a message: Nov 8, 2011 8:34:22 AM org.apache.catalina.loader.WebappClassLoader loadClass INFO: Illegal access: this web application instance has been stopped already. Could not load org.bouncycastle.jce.provider.JDKPKCS12KeyStore$BCPKCS12KeyStore. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact. java.lang.IllegalStateException On the tomcat I have 2 more applications that use the same version of bcprov-ext. Each has it in own WEB-INF/lib directory. Could anybody give me an advice? Why tomcat does complaint about "Illegal access"? Is there any way how to debug work of org.apache.catalina.loader.WebappClassLoader? My tomcat version is: Apache Tomcat/6.0.29 1.6.0_22-b04 Sun Microsystems Inc. Linux 2.6.32.36-0.5-default amd64 Thanks. Jan