Re: Tomcat VAPT Closure

[Mark Eggers]

.]
 at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1966)
 at 
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1998)
 at 
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1049)
 at 
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
 at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782)
 at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2967)
 at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
 at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
 at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
 at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
 at 
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
 at 
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
 at 
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
 at 
org.apache.tomcat.util.digester.Digester.parse(Digester.java:1535)
 at 
org.apache.catalina.startup.Catalina.parseServerXml(Catalina.java:617)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at 
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
 at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
 Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig 
elements were provided for the host name [_default_]. Host names must be unique.
 at 
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:294)
 at 
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:250)
 at 
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:691)
 at 
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:878)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at 
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:469)
 at 
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:143)
 at 
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1046)
 ... 20 more
21-Apr-2023 16:37:07.456 SEVERE [main] 
org.apache.catalina.startup.Catalina.start Cannot start server, server instance 
is not configured


Regards,
Pratik

-Original Message-
From: Mark Eggers 
Sent: 25 April 2023 10:45
To: users@tomcat.apache.org
Subject: Re: Tomcat VAPT Closure

Pratik,

On 4/24/2023 10:09 PM, PRATIK HUMNABADKAR wrote:

Hi,

We need Tomcat support assistance for closure of our VAPT points for
disabling SSL TLS 1.0 and 1.1

Please guide us by arranging concerned technician with us for closure.

Tomcat version: 9.0.62
Operating system: Linux

We tried disabling in below way.

Changes done in server.xml
[cid:image001.png@01D9775F.7B492550]

Error received on Tomcat restart:
[cid:image002.png@01D9775F.7B492550]

Regards,
Pratik


DISCLAIMER: This message, including any attachments may contain proprietary, 
confidential and privileged information for the sole use of the intended 
recipient(s), and is protected by law. If you are not the intended recipient, please 
notify the sender immediately and destroy all copies of the original message and 
attachments, if any. Any unauthorized review, use, disclosure, dissemination, 
forwarding, printing or copying of this email or any action taken in reliance on this 
e-mail is strictly prohibited and may be unlawful. Bajaj Finance Ltd. and / or its 
group companies reserve the right to record

Re: Tomcat VAPT Closure

[Mark Eggers]

Pratik,

On 4/24/2023 10:09 PM, PRATIK HUMNABADKAR wrote:

Hi,

We need Tomcat support assistance for closure of our VAPT points for disabling 
SSL TLS 1.0 and 1.1

Please guide us by arranging concerned technician with us for closure.

Tomcat version: 9.0.62
Operating system: Linux

We tried disabling in below way.

Changes done in server.xml
[cid:image001.png@01D9775F.7B492550]

Error received on Tomcat restart:
[cid:image002.png@01D9775F.7B492550]

Regards,
Pratik


DISCLAIMER: This message, including any attachments may contain proprietary, 
confidential and privileged information for the sole use of the intended 
recipient(s), and is protected by law. If you are not the intended recipient, please 
notify the sender immediately and destroy all copies of the original message and 
attachments, if any. Any unauthorized review, use, disclosure, dissemination, 
forwarding, printing or copying of this email or any action taken in reliance on this 
e-mail is strictly prohibited and may be unlawful. Bajaj Finance Ltd. and / or its 
group companies reserve the right to record, monitor, and inspect all email 
communications through its internal and external networks. Your messages can be 
subject to such lawful supervision as Bajaj Finance Ltd. and / or its group companies 
deem necessary in order to protect their information, interests and reputation. Bajaj 
Finance Ltd. and / or its group companies prohibit and may take steps to prevent 
their information systems from being used to view, store or forward offensive or 
discriminatory material. If this message contains such material, please report it to 
ab...@bflaf.com . Please ensure you have adequate virus 
protection before you open or detach any documents from this transmission. Bajaj 
Finance Ltd. and / or its group companies do not accept any liability for viruses.



The list strips attachments. Please inline your server.xml and your log 
file, removing all sensitive information.


Also, this list consists of volunteers.  We'll do what we can to help 
you if you are willing to work with us and provide the required information.


. . . just my two cent
/mde/

Re: ClassNotFound after upgrade to tomcat 10

[Mark Eggers]

https://jakarta.ee/specifications/tags/3.0/tagdocs/c/tld-summary.html

 . . . just my two cents
/mde/

On 4/17/2023 3:34 PM, Kevin Huntly wrote:

Now i'm getting these:

17-Apr-2023 18:32:03.236 INFO [main]
org.apache.catalina.core.ApplicationContext.log No Spring
WebApplicationInitializer types detected on classpath
17-Apr-2023 18:32:04.904 INFO [main]
org.apache.catalina.core.ApplicationContext.log Initializing Spring
DispatcherServlet 'eSolutions'
17-Apr-2023 18:32:16.844 SEVERE [catalina-exec-1]
org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for
servlet [eSolutions] in context with path [/esolutions] threw exception
[Handler processing failed: java.lang.NoClassDefFoundError:
jakarta/servlet/jsp/jstl/core/Config] with root cause
 java.lang.ClassNotFoundException:
jakarta.servlet.jsp.jstl.core.Config

17-Apr-2023 18:32:16.986 SEVERE [catalina-exec-1]
org.apache.catalina.core.ApplicationDispatcher.invoke Servlet.service() for
servlet [jsp] threw exception
 org.apache.jasper.JasperException:
/theme/cws/html/en/jsp/errHandler.jsp (line: [1], column: [1]) The absolute
uri: [http://java.sun.com/jsp/jstl/core] cannot be resolved in either
web.xml or the jar files deployed with this application

I removed the apache taglibs dependency, clearly that was a mistake.


Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311


-BEGIN GEEK CODE BLOCK-
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
--END GEEK CODE BLOCK--


On Mon, Apr 17, 2023 at 6:26 PM Torsten Krah  wrote:


You should only use https://jakarta.ee/specifications/tags/3.0/ and not
the
old 1.2.5 one, remove that old one.
Why do you have both included?

Kevin Huntly  schrieb am Di., 18. Apr. 2023, 00:19:


6.0.0

1.2.5

3.0.0

3.1.1


Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311


-BEGIN GEEK CODE BLOCK-
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
--END GEEK CODE BLOCK--


On Mon, Apr 17, 2023 at 6:17 PM Torsten Krah  wrote:


All the api ones have to be provided, not compile scope imho. Tomcat

does

provide them, don't package them in your war file and double check the
versions from the guide, there is still a class referencing the old API

and

is causing the exception.

You missed to add the versions you used, add them here please, the
information you provided is lacking those crucial detail.

Kevin Huntly  schrieb am Di., 18. Apr. 2023,

00:12:



Thank you for that... I have the right (I think) dependencies in my

pom:




org.apache.taglibs

taglibs-standard-impl

${taglibs.version}

jar

compile





jakarta.servlet.jsp.jstl

jakarta.servlet.jsp.jstl-api

${jstl.version}

jar

compile





jakarta.servlet.jsp

jakarta.servlet.jsp-api

${jsp-api.version}

jar

compile





jakarta.servlet

jakarta.servlet-api

${jakarta.servlet.version}

jar

provided




I just want to use the jstl tag libraries =(


Kevin Huntly
Email: kmhun...@gmail.com
Cell: 716/424-3311


-BEGIN GEEK CODE BLOCK-
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
--END GEEK CODE BLOCK--


On Mon, Apr 17, 2023 at 6:07 PM Torsten Krah 

wrote:



Please read

https://tomcat.apache.org/migration-10.html#Server_Pages_3.0

and while you are there, read the whole guide ;-).

Kevin Huntly  schrieb am Mo., 17. Apr. 2023,

23:57:



Hello,

I'm getting the following exception when I try to access my

webapp:


17-Apr-2023 17:52:55.982 SEVERE [catalina-exec-1]
org.apache.catalina.core.ApplicationDispatcher.invoke

Servlet.service()

for

servlet [jsp] threw exception
 java.lang.ClassNotFoundException:
javax.servlet.jsp.tagext.TagLibraryValidator
 at











org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1437)

 at











org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1245)

 at

java.base/java.lang.ClassLoader.defineClass1(Native

Method)
 at


java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1013)

 at











java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)

 at











org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2487)

 at

Re: connecting tomcat server to eclipse java ee

[Mark Eggers]

Stephanie,

On 3/9/2023 7:06 PM, Stephanie Panah wrote:

I was able to resolve the issue. I found:

https://stackoverflow.com/questions/62764029/unknown-version-of-tomcat-was-specified-with-tomcat-9-0-37
--you need to open the folder once
--It will ask you for permission to enter after which its contents will be
visible to you as well as Eclipse
--after setting up and installing Tomcat, open the folder & then try
connecting from Eclipse
--Instead of changing permissions, try this

I had to change permissions, and that took some jiggling, but I can open
and access the Tomcat folder, now

You may wish to add this to your documentation

And now, when I tried to start the Tomcat server from Eclipse (even though
it is running in Services)
I am seeing: The server cannot be started because one or more of the ports
are invalid. Open the server editor and correct the invalid ports.
I set the admin port to 8005.

After more searching, I stopped the Tomcat server in Services and tried to
start in eclipse.
omgosh, it worked. good grief.

and, thank you,
Stephanie





On Thu, Mar 9, 2023 at 6:36 PM Stephanie Panah 
wrote:



Help please. I have installed: Java EE, Eclipse and Tomcat.
When I try to connect the server, I encounter:
Unknown version of Tomcat was specified.
I am looking all over. please help

Java EE for web developers
C:\Users\steph> java -fullversion
java full version "17.0.6+9-LTS-190"

and
Eclipse IDE for Enterprise Java and Web Developers
Version: 2022-12 (4.26.0)
Build id: 20221201-1913

and
http://localhost:8080/
Apache Tomcat/10.1.7
If you're seeing this, you've successfully installed Tomcat.
Congratulations!
C:\Program Files\Apache Software Foundation\Tomcat 10.1
and Tomcat is running in Services









If you're doing development, you really do not want to run Tomcat as a 
service.


1. Download the appropriate zip file from tomcat.apache.org
2. Unzip it in a place that you have R/W access
3. Add the runtime to Eclipse

in Window->Preferences->Server->Runtime Environments
a. click on the Add button
b. open up the Apache folder
c. browse to the version of Tomcat that you want
d. select it and click on the Next button

e. click on the Browse button and browse to where you unzipped Apache Tomcat
f. select the folder, leave the default names as is
g. click finish

Now, you'll need to create a new server based on the default runtime. 
This is handy, because you can have several servers based on the default 
runtime. You can run them on different ports, have one set up for 
debugging, choose different JREs, etc.


1. Go to Window->Show View
2. Select Other
3. Type in Server in the search text
4. Select Servers
5. Click on the Open button

It will complain that you have no servers configured. I know, you're 
going why? I configured a server runtime environment, so why no server. 
That's because you can have several servers based on the same runtime 
(see above).


So:

a. create a new server - opens up a Define a New Server dialogue.
b. open the Apache folder, and select the desired Tomcat version (same 
as before)

c. give it a unique name in Server name: field
d. The server runtime environment should be populated with the one added 
above

e. click on the Next button
f. this will show you a list of projects to add - since you don't have 
any, just click Finish


Now you should see a new line in the Servers window that describes your 
server. If you double-click on the line, you'll get a nice configuration 
screen.


There are lots of things to tweak. However, you should note the following:

Server Path: .metadata\.plugins\org.eclipse.wst.server.core\tmp0

If you have more than one server, they'll be located in tmp1, tmp2, etc.

If you need to change anything besides the ports for your Tomcat server, 
create the same directory structure that you see in Tomcat under the 
tmpN directory:


bin
conf
lib
logs
temp
webapps
work

Note, you may only need to create what you need, and probably not 
webapps. It's been a while, and I'm a NetBeans person, not an Eclipse 
person.


You can add things like database drivers in the lib subdirectory. You 
should be able to see logs in the logs directory. I recommend using 
log4j2 in your applications (along with commons-logging) and log to the 
${ sys:catalina.base}/logs directory.


You can also modify the launch configuration and add the database driver 
jar that way:


a. click on Open launch configuration
b. select the Classpath tab
c. click on User Entries
d. Click on the Add External JARS.. button
f. Browse to the JAR containing the database driver and add it

You can now start, stop, and control whether or not the Tomcat server is 
launched in debug mode, all from the IDE.


I hope this is not overwhelming. I worked through some of these while 
writing this up, since I'm an Apache NetBeans person. I don't want to 
get into an IDE war, but I just like NetBeans better.


. . . . just my two cents
/mde/

Re: AW: AW: AW: Question to possible memory leak by Threadlocal variable

[Mark Eggers]

Thomas:

On 3/28/2022 2:01 PM, Thomas Hoffmann (Speed4Trade GmbH) wrote:

Hello Chris,


-Ursprüngliche Nachricht-
Von: Christopher Schultz 
Gesendet: Montag, 28. März 2022 18:48
An: users@tomcat.apache.org
Betreff: Re: AW: AW: Question to possible memory leak by Threadlocal
variable

Thomas,

On 3/25/22 16:59, Thomas Hoffmann (Speed4Trade GmbH) wrote:

-Ursprüngliche Nachricht-
Von: Christopher Schultz 
Gesendet: Freitag, 25. März 2022 14:05
An: users@tomcat.apache.org
Betreff: Re: AW: Question to possible memory leak by Threadlocal
variable

Thomas,

On 3/24/22 05:49, Thomas Hoffmann (Speed4Trade GmbH) wrote:




-Ursprüngliche Nachricht-
Von: Mark Thomas 
Gesendet: Donnerstag, 24. März 2022 09:32
An: users@tomcat.apache.org
Betreff: Re: Question to possible memory leak by Threadlocal
variable

On 24/03/2022 07:57, Thomas Hoffmann (Speed4Trade GmbH) wrote:




Is it correct, that every spawned thread must call tl.remove() to
cleanup all

the references to prevent the logged warning (and not only the main
thread)?

Yes. Or the threads need to exit.


Second question is: How might it cause a memory leak?
The threads are terminated and hold a reference to this static
variable. But

on the other side, that class A is also eligible for garbage
collection after undeployment.

So both, the thread class and the class A are ready to get garbage
collected. Maybe I missed something (?)


It sounds as if the clean-up is happening too late. Tomcat expects
clean-up to be completed once contextDestroyed() has returned for
all ServLetContextListeners. If the clean-up is happening
asynchronously

(e.g.

the call is made to stop the threads but doesn't wait until the
threads have
stopped) you could see this message.

In this case it sounds as if you aren't going to get a memory leak
but Tomcat can't tell that at the point it checks.

Mark

---
-- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


Hello Mark,
thanks for the information.
The shutdown of the framework is currently placed within the
destroy()

method of a servlet (with load on startup).

At least the debugger shows that servlet-->destroy() is executed
before

the method checkThreadLocalMapForLeaks() runs.

I will take a look, whether the threads already exited.


Tomcat only checks its own request-processing threads for
ThreadLocals, so any threads created by the application or that
library are unrelated to the warning you are seeing.

Any library which saves ThreadLocals from request-processing threads
is going to have this problem if the objects are of types loaded by
the webapp ClassLoader.

There are a few ways to mitigate this, but they are ugly and it would
be better if the library didn't use ThreadLocal storage, or if it
would use vanilla classes from java.* and not its own types.

You say that those objects are eligible for GC after the library
shuts down, but that's not true: anything you stick in ThreadLocal storage

is being held ...

by the ThreadLocal storage and won't be GC'd. If an object can't be
collected, the java.lang.Class defining it can't be collected, and
therefore the ClassLoader which loaded it (the webapp
ClassLoader) can't be free'd. We call this a "pinned ClassLoader" and
it still contains all of the java.lang.Class instances that the
ClassLoader ever loaded during its lifetime. If you reload
repeatedly, you'll see un-collectable ClassLoader instances piling up
in memory which is
*definitely* a leak.

The good news for you is that Tomcat has noticed the problem and
will, over time, retire and replace each of the affected Threads in
its request- processing thread pool. As those Thread objects are
garbage-collected, the TheradLocal storage for each is also
collected, etc. and *eventually* your leak will be resolved. But it would be

better not to have one in the first place.


Why not name the library? Why anonymize the object type if it's
org.apache.something?

-chris


Hello Chris,
I didn't want to blame any library  But as you ask for it, I send more

details.


Regarding the ThreadLocal thing:
I thought that the threadlocal variables are stored within the
Thread-class in the member variable "ThreadLocal.ThreadLocalMap
threadLocals":
https://github.com/AdoptOpenJDK/openjdk-

jdk11/blob/master/src/java.bas

e/share/classes/java/lang/Thread.java

So I thought, when the thread dies, these variables will also be
released and automatically removed from the ThreadLocal variable /
instance (?)

This is correct, but if the ThreadLocal is being stored in the request-
processing thread, then when your web application is redeployed, the
request processing threads outlive that event. Maybe you thought your
application gets a private set of threads for its own use, but that's not the
case: Tomcat pools threads across all applications deployed on the server.
You can play some games 

Re: Odd EL resolution issue - java.lang.NoClassDefFoundError: package/Class1 (wrong name: package/class1)

[Mark Eggers]

Just a note:

On 2/8/2022 8:32 AM, Rob Sargent wrote:



On 2/8/22 08:11, Robert Turner wrote:

Okay. Yep, my most recent suspicion was correct -- it's related to the
Docker bind to a local folder containing the webapps. As such, I believe
it's a Docker issue of some sort and not Tomcat specific. However, you 
may

want to understand it more completely in any case.

Thanks for your help Mark, Rob S and Neil.


Is docker the new regexp?  You know: I had a problem. Used docker to 
solve it.  Now I have two problems.


When you attach a volume to a container from a case-insensitive file 
system (Windows, MacOS), then that directory will be case-insensitive.


At least that's what a quick search indicates. I run all of my local 
Docker images from WSL2 (Ubuntu 20.04 LTS) on Windows 10 Pro, so I don't 
experience a case issue.


This may or may not help

. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

Re: Do I Need Network NameSpaces to Solve This Tomcat+Connector/J Problem?

[Mark Eggers]

Eric:

On 12/29/2021 1:04 PM, Eric Robinson wrote:

We want to run a large number of tomcat instances on the same server without 
virtualization or containerization. Each instance is executed from its own 
folder tree and listens on its own unique TCP port. Each instance will run code 
that connects to a backend database server to send queries that are triggered 
by JSP calls from users. We've done this successfully with up to 120 instances 
of tomcat running on the same server while avoiding the overhead of 
virtualization and the complexity of containers. Based on our experience over 
the past decade, we know that we could potentially host 500 or more separate 
tomcat instances on the same server without running into performance problems. 
So now we want to make it 500 parallel instances.


Here's the problem. When tomcat initiates an outbound connection (for example, 
with Connector/J to query a backend database) it establishes a socket, and the 
socket has a client port. With thousands of users making requests that require 
the tomcat services to query back end databases, the OS can easily run out of 
available client ports to allocate to sockets. To avoid that problem, we can 
assign multiple IPs to the server and use the localSocketAddress property of 
Connector/J to group tomcats such that only a subset of them each use the same 
source IP. Then each group will have its own range of 64,000-ish client ports. 
I've tested this and it works.



My question is, is there a better way?


Are you using database connection pooling? If you are, wouldn't the 
outbound connections to the database from a particular Tomcat be limited 
to the maxTotal in your context.xml (maxActive in Tomcat 7).


So unless you're using a huge pool, wouldn't the required number of 
outbound ports be fairly small?


. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

[OT] Re: Critical Random "Can't read cryptographic policy directory: unlimited"

[Mark Eggers]

Jerry:

On 12/21/2021 4:17 PM, Jerry Malcolm wrote:

Mark,

Thanks for the comments.  I have somewhat of a solution.  I just want to 
document what I learned in case anyone else has this problem.  From what 
I have been able to determine, you are correct about it being an Amazon 
problem.  I don't really understand what is happening.  But here's what 
I found... After a day of testing all types of scenarios, I found that 
it only happens the first time after installing a new ami (image) on a 
brand new EC2 and bringing up the EC2 and auto-starting TC for  the 
first time.  But it fails EVERY time with this scenario. Bouncing TC 
fixed it every time. Bouncing the EC2 never causes it to come back. Only 
booting a brand new EC2 instance causes it. I tried removing the tomcat 
autostart, ran the ami EC2 creation, waited a bit, and went to the 
console and manually started tomcat.  No problem.


So all I can deduce from this is that there's a timing issue. I'm 
suspecting that AWS is starting up the EC2 before it is fully created 
(likely something not complete in the file system setup). I added a 
2-minute sleep in rc.local to delay the startup of tomcat long enough 
for whatever wasn't finished yet to complete. With a 2-min sleep, it now 
works every time.  Pretty ugly fix IMHO.  But working ugly beats not 
working pretty.  I'll probably play around with the 2-min sleep to see 
if I can reduce that.  I may try to talk to Amazon about it.  I may also 
try banging my head against the wall, probably with the same results as 
talking to amazon about this.


The takeaway from this is that AWS appears to be trying to shave a 
little performance delay by jumping the gun on the EC2 boot. The result 
in this case is TC saying the crypto file doesn't exist, but it does 
exist a minute or two later.  Likely nothing to do specifically with the 
crypto file.  That's just likely the first file needed that wasn't ready 
yet.


Moving on the next fire that needs to be put out...

Thx

Jerry


On 12/20/2021 5:22 AM, Mark Thomas wrote:

On 20/12/2021 06:59, Jerry Malcolm wrote:
I'm adding a slight variation to the error I get at times (see bottom 
of stack trace below)


This is the code that throws the root exception:

if (!Files.isDirectory(cryptoPolicyPath)
    || !Files.isReadable(cryptoPolicyPath)) {
    throw new SecurityException(
    "Can't read cryptographic policy directory: " +
    cryptoPolicyProperty);
}


That points very strongly to a file system issue. My recommendation is 
to take this up with AWS support.


Mark




On 12/19/2021 11:55 PM, Jerry Malcolm wrote:
I have a production environment of 10+ AWS EC2 servers all built 
from a single EC2 snapshot image. The master EC2 works fine.  But 
when we propagated the image to all of the production servers, we 
started getting  "Can't read cryptographic policy directory: 
unlimited" errors when I try to get a jdbc connection object from 
the pool.  Full stack trace is below.  The three critical lines in 
the trace are:


java.lang.ExceptionInInitializerError
Caused by: java.lang.SecurityException: Can not initialize 
cryptographic mechanism
Caused by: java.lang.SecurityException: Can't read cryptographic 
policy directory: unlimited


On some machines rebooting the tomcat service fixes the problem and 
it continues to work fine after that.  On other machines, the 
problem is still there after rebooting.  But even on the machines 
that are fixed after TC bounce, if I bounce the full EC2, the 
problem is back.


We've had this environment working for almost two years.  I did a 
minor version upgrade to TC 8.5.73 a month ago.  And I upgraded to 
java 11 probably a year ago.  Otherwise, no changes that I'm aware 
of.  Definitely nothing in the past few days before the error hit 
yesterday.


Everything I can find on google about the error messages says to 
make sure the 'unlimited' folder is present and accessible.  The 
folder is there and has been there untouched.  And I know it's not 
disappearing and reappearing to become accessible after the TC 
reboot that sometimes fixes the problem.


The mySQL RDS all of these instances talk to hasn't changed. And 
other servers that aren't part of this image distribution have no 
problems accessing it.  It just makes no sense that the same EC2 
image that works on one machine started failing on a bunch of 
identical configuration EC2s yesterday.


I know this call goes through layers of tomcat, layers of the mysql 
driver, and then layers of the jvm before it occurs. But can anyone 
help me understand what TC/mySQL might be trying to do with this 
call to JVM crypto code and why it has started failing on all of my 
servers?  Any Java crypto gurus out there?


Stack trace of error:

java.lang.ExceptionInInitializerError
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:540)
at java.base/sun.security.ssl.JsseJce.getCipher(JsseJce.java:185)
at 

Re: [OT] BasicDataSource restart()

[Mark Eggers]

Chris,

On 12/9/2021 7:35 PM, Christopher Schultz wrote:

Mark,

On 12/9/21 00:54, Mark Eggers wrote:
Then there's clustering without multicast. Right now we don't use 
sessions, so I am not concerned about clustering. However, we will 
have some applications in the near future that will require sessions. 
Clustering across availability zones, and recovering seamlessly from 
region outages remain problems to be solved (preferably inexpensively).


Rémy did a lot of (all?) work on the Kubernetes integration over the 
past few years. You may find that you can migrate to that and never have 
to deal with multicast ever again.


-chris



I've seen that mentioned before. Once I get the applications behaving 
(memory constraints, etc), I will then look at running clusters on 
Kubernetes across multiple regions.


Thanks for the pointer.

. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

Re: BasicDataSource restart()

[Mark Eggers]

Jerry,

On 12/8/2021 9:18 PM, Jerry Malcolm wrote:


On 12/1/2021 10:38 AM, Jerry Malcolm wrote:

Mark,

On 12/1/2021 12:21 AM, Mark Eggers wrote:

Jerry,

On 11/30/2021 10:06 PM, Jerry Malcolm wrote:
I'm circling back to this after a few months.  I am building on a 
Windows 10 box with 9.0.52 TC. But I'm running on an AWS Linux2 with 
8.5.72.  This has never caused any problems so far, or at least as 
far as I can tell. But I'm hitting something strange with this 
relatively new BasicDataSource.restart() method.   My reference to 
restart() builds fine.  But when I run it on the 8.5.72 server I 
get: java.lang.NoSuchMethodError: 'void 
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.restart()'


Rémy mentioned that it should be in TC 8.5.58+.   This is a 
relatively clean EC2 on AWS, not running much other than Tomcat. And 
I have not done in backdoor (non yum) installs of TC that might have 
left old jar files around.   I noticed that there are 2 dbcp2 jar 
files in TC's lib. One is from the java install. But the error 
message above is a tomcat path.  So I'm assuming it's tomcat's dbcp2 
jar that's being referenced. I exploded the jar hoping there would 
be some version numbers somewhere inside telling me if I somehow 
have a backlevel jar.  But I couldn't find anything.  All I know is 
it's date is 2/25/2021 and it's 286,358 bytes.


Any other ideas come to mind why it's telling me the restart() 
method doesn't exist?


Thx as always.

Jerry


On 9/7/2021 2:49 PM, Jerry Malcolm wrote:


On 9/7/2021 2:35 PM, Christopher Schultz wrote:

Jerry, Rémy,

On 9/3/21 07:15, Rémy Maucherat wrote:
On Fri, Sep 3, 2021 at 2:46 AM Jerry Malcolm 
 wrote:


I have a requirement to start a new log database on the first of 
every
month.  I still need to have access to older monthly log 
databases.   I

do not want to create a bunch of hardcoded manually configured
individual datasources, one for each month.  I have a dynamic 
datasource

solution that is completely implemented and working except for one
little thing.

I access the BasicDataSource implementation class for the 
datasource.  I
have an algorithm that substitutes _MM at the appropriate 
spot in
the configured URL and then updates the url in the datasource. 
All of
this works great.  I can live with the fact that the datasource 
can only
point to one database at a time.  My concern is that once I 
transition
to another database, there are existing connections in the pool 
that are
already attached to the old database.  I need to clear those out 
and
start over.  But I don't have the luxury of bouncing tomcat to 
clean it up.


The apache commons BasicDataSource has a restart() method. But
unfortunately that method is omitted from the Tomcat version. 
There is a
close() method on the BasicDataSource.  But I don't see anything 
that
will re-open it after closing.  I thought about changing 
maxActive to 0,

and waiting for it to drain, then setting it back to the original
value.  None of these sound like an ideal solution. Without a 
restart()

method, is there any other way to force all existing connections to
close and start clean?


The code is kept in sync with DBCP (with a bit of lag maybe), so 
these
lifecycle methods were also added to Tomcat one year ago (9.0.38+ 
and

8.5.58+).


We are using this at $work to bounce our database connection pools 
after TLS client certificate changes. This is the code we are 
using to reload the pool:


  try
  {
  Context ctx = new InitialContext();

  DataSource ds = (DataSource)ctx.lookup(getJNDIPath());

  if(null == ds)
  throw new ServiceException("Cannot obtain DataSource");

  if(isInstanceOf(ds, 
"org.apache.tomcat.dbcp.dbcp2.BasicDataSource")
 || isInstanceOf(ds, 
"org.apache.commons.dbcp2.BasicDataSource")) {


  return call(ds, "restart");
  }
  } catch (Exception e) {
org.apache.log4j.Logger.getLogger(this.getClass()).error("Failed 
to reload DataSource " + getJNDIPath());

  }

The call() method simply encapsulates all of the work to make a 
reflective method call to BasicDataSource.restart().


As Rémy points out, it requires a Tomcat version 9.0.38+ or 8.5.58+.

Hope that helps,
-chris


Chris,

I'll definitely try this.  But I'm curious about the restart 
method. Is it some sort of a hidden method that's only available to 
reflection?  Seems it would be a lot more straightforward to just 
make the restart method public like it is in the apache version of 
BasicDataSource.  I'm not complaining.  If this works, then fine. 
Just curious.


Thx

Jerry


I haven't been following this thread, so I may be way off.

The last time I used an AWS EC2 instance "out of the box" with an 
AWS-supplied Tomcat, I ran into some very strange behavior.


It turns out that AWS packaged the 8.5.x Tomcat with the older 
(7.0.x) resource pool. I figured this out by looking at logs and 
seeing the complaints about my cont

Re: BasicDataSource restart()

[Mark Eggers]

Jerry,

On 11/30/2021 10:06 PM, Jerry Malcolm wrote:
I'm circling back to this after a few months.  I am building on a 
Windows 10 box with 9.0.52 TC.  But I'm running on an AWS Linux2 with 
8.5.72.  This has never caused any problems so far, or at least as far 
as I can tell.  But I'm hitting something strange with this relatively 
new BasicDataSource.restart() method.   My reference to restart() builds 
fine.  But when I run it on the 8.5.72 server I get: 
java.lang.NoSuchMethodError: 'void 
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.restart()'


Rémy mentioned that it should be in TC 8.5.58+.   This is a relatively 
clean EC2 on AWS, not running much other than Tomcat. And I have not 
done in backdoor (non yum) installs of TC that might have left old jar 
files around.   I noticed that there are 2 dbcp2 jar files in TC's lib. 
One is from the java install.  But the error message above is a tomcat 
path.  So I'm assuming it's tomcat's dbcp2 jar that's being referenced. 
I exploded the jar hoping there would be some version numbers somewhere 
inside telling me if I somehow have a backlevel jar.  But I couldn't 
find anything.  All I know is it's date is 2/25/2021 and it's 286,358 
bytes.


Any other ideas come to mind why it's telling me the restart() method 
doesn't exist?


Thx as always.

Jerry


On 9/7/2021 2:49 PM, Jerry Malcolm wrote:


On 9/7/2021 2:35 PM, Christopher Schultz wrote:

Jerry, Rémy,

On 9/3/21 07:15, Rémy Maucherat wrote:
On Fri, Sep 3, 2021 at 2:46 AM Jerry Malcolm 
 wrote:


I have a requirement to start a new log database on the first of every
month.  I still need to have access to older monthly log 
databases.   I

do not want to create a bunch of hardcoded manually configured
individual datasources, one for each month.  I have a dynamic 
datasource

solution that is completely implemented and working except for one
little thing.

I access the BasicDataSource implementation class for the 
datasource.  I

have an algorithm that substitutes _MM at the appropriate spot in
the configured URL and then updates the url in the datasource. All of
this works great.  I can live with the fact that the datasource can 
only

point to one database at a time.  My concern is that once I transition
to another database, there are existing connections in the pool 
that are

already attached to the old database.  I need to clear those out and
start over.  But I don't have the luxury of bouncing tomcat to 
clean it up.


The apache commons BasicDataSource has a restart() method. But
unfortunately that method is omitted from the Tomcat version. There 
is a

close() method on the BasicDataSource.  But I don't see anything that
will re-open it after closing.  I thought about changing maxActive 
to 0,

and waiting for it to drain, then setting it back to the original
value.  None of these sound like an ideal solution.  Without a 
restart()

method, is there any other way to force all existing connections to
close and start clean?


The code is kept in sync with DBCP (with a bit of lag maybe), so these
lifecycle methods were also added to Tomcat one year ago (9.0.38+ and
8.5.58+).


We are using this at $work to bounce our database connection pools 
after TLS client certificate changes. This is the code we are using 
to reload the pool:


  try
  {
  Context ctx = new InitialContext();

  DataSource ds = (DataSource)ctx.lookup(getJNDIPath());

  if(null == ds)
  throw new ServiceException("Cannot obtain DataSource");

  if(isInstanceOf(ds, 
"org.apache.tomcat.dbcp.dbcp2.BasicDataSource")
 || isInstanceOf(ds, 
"org.apache.commons.dbcp2.BasicDataSource")) {


  return call(ds, "restart");
  }
  } catch (Exception e) {
org.apache.log4j.Logger.getLogger(this.getClass()).error("Failed to 
reload DataSource " + getJNDIPath());

  }

The call() method simply encapsulates all of the work to make a 
reflective method call to BasicDataSource.restart().


As Rémy points out, it requires a Tomcat version 9.0.38+ or 8.5.58+.

Hope that helps,
-chris


Chris,

I'll definitely try this.  But I'm curious about the restart method. 
Is it some sort of a hidden method that's only available to 
reflection?  Seems it would be a lot more straightforward to just make 
the restart method public like it is in the apache version of 
BasicDataSource.  I'm not complaining.  If this works, then fine. Just 
curious.


Thx

Jerry


I haven't been following this thread, so I may be way off.

The last time I used an AWS EC2 instance "out of the box" with an 
AWS-supplied Tomcat, I ran into some very strange behavior.


It turns out that AWS packaged the 8.5.x Tomcat with the older (7.0.x) 
resource pool. I figured this out by looking at logs and seeing the 
complaints about my context.xml.


I raised the issue with AWS, and got silence back.

Ever since then, I package up my own version of Tomcat using releases 
from tomcat.apache.org.


Could you be experiencing some similar issue?

. . 

Re: How to *properly* create and use a CATALINA_BASE installation

[Mark Eggers]

Jon,

On 11/17/2021 6:54 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

Sorry about my bad reply order.  Mark, you do a lot of what I do, but most of 
our stuff isn't using initd. I like your use of links, best way to handle 
upgrades, imo.­


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Mark Eggers 
Sent: Nov 17, 2021 8:10 PM
To: users@tomcat.apache.org
Subject: Re: How to *properly* create and use a CATALINA_BASE installation


On 11/17/2021 5:28 PM, 
jonmcalexan...@wellsfargo.com.INVALID<mailto:jonmcalexan...@wellsfargo.com.INVALID>
 wrote:

We export it. You have to make sure the setenv.sh<http://setenv.sh> is calling 
setenv.sh<http://setenv.sh>. it works fine for me.­


Thanks,


Sent with BlackBerry Work (www.blackberry.com<http://www.blackberry.com>)

From: Michael B Allen mailto:iop...@gmail.com>>
Sent: Nov 17, 2021 6:54 PM
To: Tomcat Users List mailto:users@tomcat.apache.org>>
Subject: Re: How to *properly* create and use a CATALINA_BASE installation

On Wed, Nov 17, 2021 at 11:04 AM 
mailto:jonmcalexan...@wellsfargo.com.invalid>>
 wrote:

I, in my opinion, find it far easier to set my BASE in the 
setenv.sh<http://setenv.sh> for the instance I'm using. As Chris said, you can 
have multiple instances (BASEs) on a server.


Jon,

If you mean you're setting $CATALINA_BASE in setenv.sh<http://setenv.sh>, I 
don't think
that will work because when you run 
$CATALINA_BASE/bin/startup.sh<http://startup.sh>,
$CATALINA_BASE won't be set yet and so it's going to set
$CATALINA_BASE to $CATALINA_HOME and then source the
$CATALINA_HOME/bin/setenv.sh<http://setenv.sh> and not the $CATALINA_BASE 
specific
setenv.sh<http://setenv.sh>. I think that's what Chris was referring to in his 
first
reply to you.

Although if I'm using a $CATALINA_BASE/bin/run.sh<http://run.sh> alternative to
startup.sh<http://startup.sh> like in my previous post, I would probably just 
put ALL the
various environment variables (listed at the top of 
bin/catalina.sh<http://catalina.sh>)
in there too. Using setenv.sh<http://setenv.sh> at that point would just be 
needlessly
spreading config around.

The documentation currently seems to be targeting installations shared
by multiple different users where $CATALINA_HOME and $CATALINA_BASE
get set in the users environment such that different users can have
different bases but share a common installation like in /usr/local or
some such. Then you *would* want to put base specific stuff in
$CATALINA_BASE/bin/setenv.sh<http://setenv.sh>. But IMO that's kind of a late 
90's way
of doing things. Nowadays, not only do people have their own machines,
but they have multiple instances in VMs and private servers and docker
and so on. So I think the self-contained 
$CATALINA_BASE/bin/run.sh<http://run.sh>
method is probably a little better for most cases (although I still
need to study the Windows service use-case which is probably
important).

Mike

--
Michael B Allen
Java Active Directory Integration
https://urldefense.com/v3/__http://www.ioplex.com/__;!!F9svGWnIaVPGSwU!4iBjG2OA7erMr6vPvbqVyxiEd3LfwnDYJHJSyYeYUf-BvIj0XsTET3jr1g4QVb95_R5ATTc$
 ;


On Linux with systemd, I put the following in the systemd file:

Environment=CATALINA_HOME=/home/tcadmin/Services/[sname]/CATALINA_HOME/
Environment=CATALINA_BASE=/home/tcadmin/Services/[sname]CATALINA_BASE/
Environment=CATALINA_PID=/var/run/tomcat/[sname].pid

where [sname] is the name of the service.

tcadmin is the unprivileged user that runs all the Tomcats on the system.

Everything else is set in
/home/tcadmin/Services/[sname]/CATALINA_BASE/bin/setenv.sh<http://setenv.sh>

For the old style init.d systems, I put everything in:

/etc/sysconfig/[tomcatx]/[sname]

where [tomcatx] is the base version of Tomcat, and [sname] is the
service name.

Then there is an init file for each service that reads the
appropriate /etc/sysconfig/[tomcatx]/[sname] file to set the up the
environment.

CATALINA_HOME and CATALINA_BASE are links to an appropriate Tomcat
installation, and one configured for that particular service.

Then to upgrade to a new Tomcat, you do the following:

1. Unpack the new reference version of Tomcat somewhere which becomes
CATALINA_HOME.

2. Create the new service-specific installation of Tomcat which becomes
CATALINA_BASE.

All of the above can be done without disturbing the existing service.

To upgrade, do the following:

1. Shut down the service
2. Move the links
3. Start up the service

If things blow up in your face, then the roll back is really easy:

1. Shut down the service
2. Restore the links
3. Start up the service

Since the CATALINA_BASE is linked to a version-specific directory,
you'll have log files to figure out why things didn't go according to
plan if you have to roll back.

Automate configuring your CATALINA_BASE s

Re: How to *properly* create and use a CATALINA_BASE installation

[Mark Eggers]

Mike,

On 11/17/2021 7:16 PM, Michael B Allen wrote:

On Wed, Nov 17, 2021 at 9:05 PM Mark Eggers
 wrote:

CATALINA_HOME and CATALINA_BASE are links to an appropriate Tomcat
installation, and one configured for that particular service.

Then to upgrade to a new Tomcat, you do the following:

1. Unpack the new reference version of Tomcat somewhere which becomes
CATALINA_HOME.

2. Create the new service-specific installation of Tomcat which becomes
CATALINA_BASE.

All of the above can be done without disturbing the existing service.

To upgrade, do the following:

1. Shut down the service
2. Move the links
3. Start up the service

If things blow up in your face, then the roll back is really easy:

1. Shut down the service
2. Restore the links
3. Start up the service


This makes me realize my proposed bin/run.sh method is not really
tuned for production. Indeed links could be used to great effect here.
Windows has mklink /d   which is essentially the same
as ln on *nix near as I can tell. Might help with issues like the
catalina.policy file path in the registry when using the Windows
service.

Mike


How well do mklinks work with services? I am not really a Windows 
administrator, so I have no idea.


It's just something to consider, where Windows operates almost, but not 
quite, entirely unlike Linux.


. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

Re: How to *properly* create and use a CATALINA_BASE installation

[Mark Eggers]

On 11/17/2021 5:28 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

We export it. You have to make sure the setenv.sh is calling setenv.sh. it 
works fine for me.­


Thanks,


Sent with BlackBerry Work (www.blackberry.com)

From: Michael B Allen 
Sent: Nov 17, 2021 6:54 PM
To: Tomcat Users List 
Subject: Re: How to *properly* create and use a CATALINA_BASE installation

On Wed, Nov 17, 2021 at 11:04 AM  wrote:

I, in my opinion, find it far easier to set my BASE in the setenv.sh for the 
instance I'm using. As Chris said, you can have multiple instances (BASEs) on a 
server.


Jon,

If you mean you're setting $CATALINA_BASE in setenv.sh, I don't think
that will work because when you run $CATALINA_BASE/bin/startup.sh,
$CATALINA_BASE won't be set yet and so it's going to set
$CATALINA_BASE to $CATALINA_HOME and then source the
$CATALINA_HOME/bin/setenv.sh and not the $CATALINA_BASE specific
setenv.sh. I think that's what Chris was referring to in his first
reply to you.

Although if I'm using a $CATALINA_BASE/bin/run.sh alternative to
startup.sh like in my previous post, I would probably just put ALL the
various environment variables (listed at the top of bin/catalina.sh)
in there too. Using setenv.sh at that point would just be needlessly
spreading config around.

The documentation currently seems to be targeting installations shared
by multiple different users where $CATALINA_HOME and $CATALINA_BASE
get set in the users environment such that different users can have
different bases but share a common installation like in /usr/local or
some such. Then you *would* want to put base specific stuff in
$CATALINA_BASE/bin/setenv.sh. But IMO that's kind of a late 90's way
of doing things. Nowadays, not only do people have their own machines,
but they have multiple instances in VMs and private servers and docker
and so on. So I think the self-contained $CATALINA_BASE/bin/run.sh
method is probably a little better for most cases (although I still
need to study the Windows service use-case which is probably
important).

Mike

--
Michael B Allen
Java Active Directory Integration
https://urldefense.com/v3/__http://www.ioplex.com/__;!!F9svGWnIaVPGSwU!4iBjG2OA7erMr6vPvbqVyxiEd3LfwnDYJHJSyYeYUf-BvIj0XsTET3jr1g4QVb95_R5ATTc$


On Linux with systemd, I put the following in the systemd file:

Environment=CATALINA_HOME=/home/tcadmin/Services/[sname]/CATALINA_HOME/
Environment=CATALINA_BASE=/home/tcadmin/Services/[sname]CATALINA_BASE/
Environment=CATALINA_PID=/var/run/tomcat/[sname].pid

where [sname] is the name of the service.

tcadmin is the unprivileged user that runs all the Tomcats on the system.

Everything else is set in 
/home/tcadmin/Services/[sname]/CATALINA_BASE/bin/setenv.sh


For the old style init.d systems, I put everything in:

/etc/sysconfig/[tomcatx]/[sname]

where [tomcatx] is the base version of Tomcat, and [sname] is the 
service name.


Then there is an init file for each service that reads the
appropriate /etc/sysconfig/[tomcatx]/[sname] file to set the up the 
environment.


CATALINA_HOME and CATALINA_BASE are links to an appropriate Tomcat 
installation, and one configured for that particular service.


Then to upgrade to a new Tomcat, you do the following:

1. Unpack the new reference version of Tomcat somewhere which becomes 
CATALINA_HOME.


2. Create the new service-specific installation of Tomcat which becomes 
CATALINA_BASE.


All of the above can be done without disturbing the existing service.

To upgrade, do the following:

1. Shut down the service
2. Move the links
3. Start up the service

If things blow up in your face, then the roll back is really easy:

1. Shut down the service
2. Restore the links
3. Start up the service

Since the CATALINA_BASE is linked to a version-specific directory, 
you'll have log files to figure out why things didn't go according to 
plan if you have to roll back.


Automate configuring your CATALINA_BASE setup with a couple of Ant 
build.xml files, a couple of property files, with an XSLT file or two, 
and configuring a new version of Tomcat takes a few seconds.


Version the property files to keep track of Tomcat updates, and you can 
keep track of what was changed, by whom, and when. All of that makes a 
sysadmin a happy camper.


Add more or less automation to taste.

This is of course only germane if you're running a traditional IS 
architecture.


. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

Re: Strange Oracle JDBC Driver error on Application Deployment

[Mark Eggers]

Jon,

On 11/2/2021 3:26 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:

I have an application team that is getting the following stack trace while starting 
Tomcat 8.5.70. I've done some searching but can't find anything. In looking at their 
context.xml it appears that they have jmxEnabled="false" in each of the 
resources.

Any assistance would be grand.

Thanks,

 Stack Trace 

02-Nov-2021 13:01:45.809 SEVERE [localhost-startStop-1] 
org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool 
with JMX
 java.lang.NullPointerException
 at 
org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
 at 
org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
 at 
org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
 at 
com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
 at 
org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
 at 
org.apache.catalina.core.NamingContextListener.addResource(NamingContextListener.java:1014)
 at 
org.apache.catalina.core.NamingContextListener.createNamingContext(NamingContextListener.java:552)
 at 
org.apache.catalina.core.NamingContextListener.lifecycleEvent(NamingContextListener.java:245)
 at 
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
 at 
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5130)
 at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
 at 
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
 at 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
 at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:695)
 at 
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1016)
 at 
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1903)
 at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at 
java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
02-Nov-2021 13:01:46.066 SEVERE [localhost-startStop-1] 
org.apache.tomcat.jdbc.pool.DataSource.registerJmx Unable to register JDBC pool 
with JMX
 java.lang.NullPointerException
 at 
org.apache.tomcat.jdbc.pool.DataSource.registerJmx(DataSource.java:129)
 at 
org.apache.tomcat.jdbc.pool.DataSource.preRegister(DataSource.java:98)
 at 
org.apache.tomcat.util.modeler.BaseModelMBean.preRegister(BaseModelMBean.java:927)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.preRegister(DefaultMBeanServerInterceptor.java:1007)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:919)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:900)
 at 
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:324)
 at 
com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
 at 
org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:637)
 at 

Re: Security Vulnerability Question

[Mark Eggers]

On 10/13/2021 11:16 AM, Kenaw, Seretseab wrote:

Hello,

Our IT team just notified us with a severe security vulnerability on our web 
application with the Tomcat version that we are using (9.0.12). What 
remediations can we use to quickly fix the issue?

Thank you
Seretseab Kenaw

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may 
contain proprietary and privileged information for the use of the designated 
recipients named above. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.



Update.

Your version of Tomcat is over 3 years old. There are multiple security 
vulnerabilities that have been addressed since then.


See: https://tomcat.apache.org/security-9.html

. . . just my two cents
/mde/


OpenPGP_signature
Description: OpenPGP digital signature

Re: Apache Tomcat/9.0.52 - New Install has 2 Tomcat Services Running?

[Mark Eggers]

Terrence,

On 9/20/2021 11:49 AM, Terrence Rideau wrote:

I have a new Linux install of Apache Tomcat/9.0.52.   When I start Tomcat using 
"/bin/systemctl start tomcat" it starts with 2 Tomcat services.

My webapp runs but I have a issue importing and the application support team 
thinks it is related to my having 2 Tomcat Services.

How do I remove the 2nd Tomcat service or is this normal?

Terrence


I think that we'll need a lot more information before we can be helpful.

Things like:

1. What platform?
2. How did you install Tomcat?
3. How did you enable Tomcat with systemd / systemctl?
4. What's the content of /etc/systemd/system/multi-user.target.wants?

If this is a custom systemd script, then maybe post that with all 
secrets (passwords, etc.) replaced.


I have two types of systems that use systemd - CentOS 7 and Ubuntu 
20.04. I wrote my own systemctl script and installed Tomcat from 
tomcat.apache.org using the tar.gz file.


My script is sort of hackish, so I'm not really keen to share it. It's 
also different between CentOS 7 and Ubuntu due to the way positional 
parameters seem to be handled in Ubuntu vs. CentOS 7.


Or maybe it's my lack of understanding concerning systemd (more likely).

Anyway, start with that set of questions, and hopefully someone will be 
able to help out.


. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: server returned HTTP response code 403 during ant install operation

[Mark Eggers]

Barry,

On 9/18/2021 1:31 PM, Barry Kimelman wrote:

I am running tomcat 9.0.52 on ubuntu 20.04 LTS

I am able to compile my application but when I issue the "ant install"
command it fails with the following error message

[barry] /home/barry/tomcat/hockey3 1106 ant install
Buildfile: /home/barry/tomcat/hockey3/build.xml
Trying to override old definition of datatype resources

prepare:

compile:

install:

BUILD FAILED
/home/barry/tomcat/hockey3/build.xml:370: java.io.IOException: Server
returned HTTP response code: 403 for URL:
http://localhost:8080/manager/text/deploy?path=%2Fhockey3=file%3A%2F%2F%2Fhome%2Fbarry%2Ftomcat%2Fhockey3%2Fbuild
 at
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1924)
 at
java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1520)
 at
org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:224)
 at org.apache.catalina.ant.DeployTask.execute(DeployTask.java:180)
 at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
 at jdk.internal.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
 at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.base/java.lang.reflect.Method.invoke(Method.java:566)
 at
org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
 at org.apache.tools.ant.Task.perform(Task.java:350)
 at org.apache.tools.ant.Target.execute(Target.java:449)
 at org.apache.tools.ant.Target.performTasks(Target.java:470)
 at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1391)
 at org.apache.tools.ant.Project.executeTarget(Project.java:1364)
 at
org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
 at org.apache.tools.ant.Project.executeTargets(Project.java:1254)
 at org.apache.tools.ant.Main.runBuild(Main.java:830)
 at org.apache.tools.ant.Main.startAnt(Main.java:223)
 at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
 at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)

Total time: 0 seconds

My tomcat-users.xml file has the following content (after the comments are
removed)

  1 
  2
  3 http://tomcat.apache.org/xml;
  4  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
  5  xsi:schemaLocation="http://tomcat.apache.org/xml
tomcat-users.xsd"
  6  version="1.0">
  7
  8  
  9  
 10  
 11  
 12  
 13  
 14  
 15
 16 

my build.properties file has the following data

# Context path to install this application on
app.path=/hockey3

# Tomcat 9 installation directory
catalina.home=/opt/tomcat

# Manager webapp username and password
manager.username=admin_user
manager.password=admin_password

I have been busy google searching but nothing usefull has turned up so far.
How can I fix this 403 error problem ?

Thanks.



http://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Executing_Manager_Commands_With_Ant

Fourth bullet point.

Hope this helps.

. . . just my two cents.
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: Timestamp Error

[Mark Eggers]

On 8/27/2021 11:16 AM, Jerry Malcolm wrote:


On 8/27/2021 11:55 AM, Christopher Schultz wrote:

Mark and Jerry,

On 8/26/21 22:03, Mark Eggers wrote:

Jerry,

On 8/26/2021 6:35 PM, Jerry Malcolm wrote:
I am encountering a weird problem. I'm getting the following SQL 
error on an INSERT command.


com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: 
Incorrect datetime value: '1969-12-31 18:00:00.0' for column...

The column is a TIMESTAMP in mySQL.

I pasted the SQL statement directly out of my log into phpMyAdmin, 
and it worked.  When I change the date to '2021-08-27 01:03:18.1077537'

it also works.

I tried it on my production AWS server.  The server timezone was 
different but same failure with '1970-01-01 00:00:00.0'


I'm running Win10 with latest updates (AWS Linux 2 on production)
TC 9.0.16
mysql-connector-java-8.0.26.jar
mysql5.7.19

I found some discussions on the web from around 2016.  But it just 
said to update the connector and TC. My versions are already way

past 2016 versions.

My biggest concern is that some dates work and some don't.  If I 
have to avoid dates that fail, I can probably do that.  But right now,
I don't know what dates are going to work and what dates are going 
to fail.


Am I missing something obvious?  I've never had a SQL statement that 
failed consistently on TC but worked when pasted into phpMyAdmin.


Suggestions?

Thanks.

Jerry


There is a setting in the driver called something like "null means 
zero datetime" which may confuse the heck out of TIMESTAMP columns, 
which expect a UNIX-epoch timestamp value.


The datetime value '1969-12-31 18:00:00.0' you may recognize as the 
start of the UNIX Epoch minus 6 hours, which suggests to me that your 
system is running in Us-Mountain Time, 6 hours behind UTC in the summer.


I would bet that you are trying to insert a NULL into a TIMESTAMP, and 
that your driver is using MDT as your time zone, trying to convert 
NULL -> 1970-01-01 00:00:00 UTC -> 1969-12-31 18:00:00 MDT -> boom, 
since the minimum allowed TIMESTAMP value is 1970-01-01 00:00:00.


Might I ask why you are using a TIMESTAMP field? IMHO they aren't good 
for much...


-chris

Chris,  thanks for the info.  Why timestamp?  Unfortunately, some of 
this code was written 20+ years ago when I was a lot less 
knowledgeable... But too difficult to change now.


I'm not inserting nulls.  Always a quoted date/time string.

You are correct about the timezone.  That's on my dev laptop, and I 
never got around to setting the timezone stuff correctly on my my dev 
machine.  However, my production server (Linux) does have the timezones 
all set correctly.  My insert statement has a value of "new 
Timestamp(0).toString()".  On the production server, this becomes 
'1970-01-01 00:00:00.0' and it still fails on production.


Is the jdbc driver enforcing the minimum timestamp value?  mySQL accepts 
1969-12-31 18:00:00.0 in the insert statement.  mySQL may be adjusting 
the time +6 on my laptop back up the epoch value before storing it.  But 
the situation still remains that the same insert statement works on 
phpMyAdmin and fails on TC.


The timezone thing is just adding unnecessary complexity to the 
problem.  The production server fails on TC with '1970-01-01 00:00:00.0' 
in the insert statement, but works with that value when inserted into 
mySQL pasting the insert statement into phpMyAdmin.


The exception is com.mysql.cj.jdbc.exceptions.MysqlDataTruncation.  Is 
the driver detecting this and generating the exception?  Or does the 
insert statement get all the way to mySQL and mySQL fails back to the 
driver followed by the driver throwing the exception?


Jerry


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



https://docs.oracle.com/javase/8/docs/api/java/sql/Timestamp.html

See the constructor: public Timestamp(long time)

. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: Timestamp Error

[Mark Eggers]

Jerry,

On 8/26/2021 6:35 PM, Jerry Malcolm wrote:
I am encountering a weird problem. I'm getting the following SQL error 
on an INSERT command.


com.mysql.cj.jdbc.exceptions.MysqlDataTruncation: Data truncation: 
Incorrect datetime value: '1969-12-31 18:00:00.0' for column...

The column is a TIMESTAMP in mySQL.

I pasted the SQL statement directly out of my log into phpMyAdmin, and 
it worked.  When I change the date to '2021-08-27 01:03:18.1077537'

it also works.

I tried it on my production AWS server.  The server timezone was 
different but same failure with '1970-01-01 00:00:00.0'


I'm running Win10 with latest updates (AWS Linux 2 on production)
TC 9.0.16
mysql-connector-java-8.0.26.jar
mysql5.7.19

I found some discussions on the web from around 2016.  But it just said 
to update the connector and TC. My versions are already way

past 2016 versions.

My biggest concern is that some dates work and some don't.  If I have to 
avoid dates that fail, I can probably do that.  But right now,

I don't know what dates are going to work and what dates are going to fail.

Am I missing something obvious?  I've never had a SQL statement that 
failed consistently on TC but worked when pasted into phpMyAdmin.


Suggestions?

Thanks.

Jerry




https://dev.mysql.com/doc/refman/5.7/en/datetime.html

When you paste from the logs, you're not pasting what the original 
INSERT command is doing. Therefore, it will work, since the error 
message is giving the minimum date back that is supported by MySQL.


. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: 200 response and redirect for ".../test.jsp"

[Mark Eggers]

Folks,

On 8/24/2021 3:55 PM, Christopher Schultz wrote:

James,

On 8/24/21 17:20, James H. H. Lampert wrote:
I could have sworn I asked about this over a year ago, but I can't 
find any record of having done so.


We've got a low-priority complaint about a security scan looking for 
"test.jsp" on one of our installations, expecting a 404 response, and 
instead getting a 200 response and a redirect to our own error page.


Just a sanity check: this *is* a problem with our ROOT context, not 
with Tomcat itself, right? And it has to be solved within our ROOT 
context, right?


My guess is that the vuln scanner assumes that "GET test.jsp" returning 
a 200 response means "it's got something bad in there". They are 
probably thinking about a *specific* test.jsp file, but you just happen 
to have one, probably as part of your application.


If you haven't deployed any of Tomcat's "example", "docs", or ROOT 
applications (meaning, the ROOT webapp that hosts Tomcat's documentation 
and stuff), then yes, this complaint is being aimed at your application.


You should probably be able to find test.jsp on your disk, or in your 
WAR file if for some reason you aren't exploding WAR files on deployment.


Go read the source for that file and maybe it will give you some insight 
as to where it came from.


-chris


If I understand correctly, the security scanning looks for something 
like this:


/appname/../test.jsp

How that triggers a 200, then generates an application error page I'm 
not certain.


In your application, do you have an  specified for 404 errors?

In your ROOT application (if different from your regular application) do 
you have an  specified?


What my $work environment has are application-specific error pages per 
application, and a generic error page for the ROOT application, which is 
just a placeholder.


Going to /appname/../test.jsp in my $work environment ends up at ROOT, 
which generates a 404 and the generic error page since there is no 
test.jsp page.


My $work environment has front end Apache HTTPD servers connected to 
multiple Tomcats via mod_jk. This may influence the results.


Security scans by various clients of $work have not complained about the 
above setup.


. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: Getting some peculiar TLS results in Tomcat 7

[Mark Eggers]

Chris,

On 8/16/2021 12:56 PM, Christopher Schultz wrote:

protocol="org.apache.coyote.http11.Http11Protocol" 
sslEnabledProtocols="TLSv1.2"


... and have no other protocol-related configuration settings.


Thanks.

That was my take as well. However, I figured the original author could 
read the documentation and not have it spelled out.


I'm a little out of my field here since we do all of our HTTPS stuff on 
Apache HTTPD or AWS load balancers at $work.


Nexus 3 uses Jetty under the covers, so when I implement a local docker 
repository, I'll have to wade through that (not looking forward to it).




OpenPGP_signature
Description: OpenPGP digital signature

Re: Getting some peculiar TLS results in Tomcat 7

[Mark Eggers]

On 8/13/2021 5:27 PM, James H. H. Lampert wrote:

While we've been systematically updating our customer boxes, a few of
our customer boxes are still on Tomcat 7.

I've got the following Connector tag set up in server.xml:


compressableMimeType="text/html,text/xml,text/plain,text/css,
 text/javascript,text/json,application/x-javascript,  
application/javascript,application/json" />
And yet SSLLabs tells me the box in question is still accepting TLS 1.0 
and TLS 1.1.


Can anybody shed any light on this? (And yes, I know, "alias" should be 
"keyAlias," but it's the only chain in the keystore, so it shouldn't 
make any difference.)


https://tomcat.apache.org/tomcat-7.0-doc/config/http.html

Search for sslEnabledProtocols

. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: Correct manager.xml for Tomcat 8 manager GUI

[Mark Eggers]

On 2/24/2021 9:54 AM, Patrick Baldwin wrote:

Hi, I'm trying to reconfigure a pre-existing dev Tomcat 8 server so folks
can use the manager GUI; so far, I just get the ERR_CONNECTION_REFUSED
message.

I've stripped the tomcat users file down to just:

$ cat /usr/local/tomcat/conf/tomcat-users.xml

  
  


And the  /usr/local/tomcat/conf/Catalina/localhost /manager.xml is
currently:
$ pwd
/usr/local/tomcat/conf/Catalina/localhost
$ cat manager.xml









Not seeing an error in catalina.out about the manager, looks like it's
deploying OK:

24-Feb-2021 12:00:56.070 INFO [localhost-startStop-1]
org.apache.catalina.startup.HostConfig.deployDescriptor Deploying
configuration descriptor
[/usr/local/tomcat/conf/Catalina/localhost/manager.xml]
24-Feb-2021 12:00:56.092 INFO [localhost-startStop-1]
org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of
configuration descriptor
[/usr/local/tomcat/conf/Catalina/localhost/manager.xml] has finished in
[22] ms

Since it's a dev system, I've temporarily turned off the firewall and
selinux to make sure they aren't the issue.

Any thoughts?



What version of Tomcat 8?

For all recent versions of Tomcat (even 7), you'll need the following:

http://tomcat.apache.org/xml;
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
  xsi:schemaLocation="http://tomcat.apache.org/xml 
tomcat-users.xsd"

  version="1.0">



. . . just my two cents
/mde/






OpenPGP_signature
Description: OpenPGP digital signature

Re: Memory leak with Jersey 2.33

[Mark Eggers]

Mark,

On 2/1/2021 1:33 AM, Mark Thomas wrote:

Is the GC root above the only one? I've seen similar behaviour in the
past where weak references appear to be the cause of a leak but closer
inspection uncovers a strong reference.

Mark


Thanks for putting me on the correct track. I'm using log4j2 2.14.0 and 
Jersey REST 2.33 which includes Jackson 2.11.3.


Analyzing the heap dump using Eclipse MAT and excluding weak references 
led me down a fun rabbit hole.


Leak 1:
https://github.com/FasterXML/jackson-core/issues/400

Fix:
in setenv.(bat/sh) add
-Dcom.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers=true

In a servlet context listener add
int released = releaseBuffers(); // with the proper import, of course

Leak 2:
https://issues.apache.org/jira/browse/LOG4J2-578

Although it's marked as fixed, it apparently is not.

Fix (for now):
in setenv(bat/sh) add
-Dlog4j2.disable.jmx=true

With all of that done, undeploying the web application and doing a heap 
dump shows no traces of the offending app (all WebappClassLoaders have 
started=true).


Again, thanks for the tip.

. . . just my two cents.



OpenPGP_signature
Description: OpenPGP digital signature

Re: Memory leak with Jersey 2.33

[Mark Eggers]

On 1/31/2021 9:39 PM, Mark Eggers wrote:

Folks,

This is probably not a Tomcat issue, but any thoughts on how to resolve 
this would be greatly appreciated.


I am running into an apparent ClassLoader leak with the following 
configuration:


Windows 10 Professional (64 bit, latest updates)
OpenJDK 11.0.10
Apache Tomcat 7.0.107
Jersey Rest 2.33

I have a simple application:

ApplicationConfig:

@ApplicationPath("/service")
public class ApplicationConfig extends Application {

     public ApplicationConfig() {
     }

     @Override
     public Set> getClasses(){
     Set> resources = new java.util.HashSet<>();


resources.add(org.mdeggers.cplanapi.resource.CostInfoResource.class);

resources.add(org.mdeggers.cplanapi.resource.InstituteInfoResource.class);

resources.add(org.mdeggers.cplanapi.resource.InstituteTypeInfoResource.class); 




resources.add(org.mdeggers.cplanapi.mapper.NotFoundExceptionMapper.class);

     return resources;
     }
}

One of three resources:

@Path("/v1/inst")
public class InstituteInfoResource {

     public InstituteInfoResource() {
     }

     @GET
     @Path("/info")
     @Produces({MediaType.APPLICATION_JSON})
     public InstituteContainer getNationalList() {
     InstituteInfo instituteinfo = new InstituteInfo();
     return instituteinfo.getNational();
     }

     @GET
     @Path("/info/{ state : [A-Z]{2} }")
     @Produces({MediaType.APPLICATION_JSON})
     public InstituteContainer getStateList(@PathParam("state") String 
state) {

     InstituteInfo instituteinfo = new InstituteInfo();
     return instituteinfo.getState(state);
     }
}

The InstituteInfo class is a DAO that makes requests into a MySQL 
database and returns a container with the information.


This all works, but on undeploying the Tomcat Manager complains that 
there is a leak after unloading the web application.


Doing a heap dump and looking at it with the following OQL in Eclipse 
MAT shows that the application still resides in memory, with started=false.


SELECT wcl.contextName.toString() AS contextName,
    wcl.started AS started,
    wcl.@retainedHeapSize AS retainedSize
FROM org.apache.catalina.loader.WebappClassLoader wcl

contextName   started  retainedSize
/cplanapi false    586,720
/docs true  46,664
/host-manager true  47,288
/manager  true  47,392
/examples true  85,432
   true  46,912

GC roots for cplanapi are:

class com.sun.naming.internal.ResourceManager
'- propertiesCache java.util.WeakHashMap
    '- table java.util.WeakHashMap$Entry[16]
   '- java.util.WeakHashMap$Entry
  '- referent org.apache.catalina.loader.WebappClassLoader

This occurs on both Windows and Linux, and with the above JRE as well as 
Java 1.8.0_202.


. . . just my two cents
/mde/



Please ignore this. Doing two rounds of GC through the manager removed 
the application from memory (as confirmed by a heap dump).


Now I need to figure out how to force a GC, since we had an OOM 
Metaspace issue with repeated deployments of the application.


. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Memory leak with Jersey 2.33

[Mark Eggers]

Folks,

This is probably not a Tomcat issue, but any thoughts on how to resolve 
this would be greatly appreciated.


I am running into an apparent ClassLoader leak with the following 
configuration:


Windows 10 Professional (64 bit, latest updates)
OpenJDK 11.0.10
Apache Tomcat 7.0.107
Jersey Rest 2.33

I have a simple application:

ApplicationConfig:

@ApplicationPath("/service")
public class ApplicationConfig extends Application {

public ApplicationConfig() {
}

@Override
public Set> getClasses(){
Set> resources = new java.util.HashSet<>();


resources.add(org.mdeggers.cplanapi.resource.CostInfoResource.class);

resources.add(org.mdeggers.cplanapi.resource.InstituteInfoResource.class);

resources.add(org.mdeggers.cplanapi.resource.InstituteTypeInfoResource.class);


resources.add(org.mdeggers.cplanapi.mapper.NotFoundExceptionMapper.class);

return resources;
}
}

One of three resources:

@Path("/v1/inst")
public class InstituteInfoResource {

public InstituteInfoResource() {
}

@GET
@Path("/info")
@Produces({MediaType.APPLICATION_JSON})
public InstituteContainer getNationalList() {
InstituteInfo instituteinfo = new InstituteInfo();
return instituteinfo.getNational();
}

@GET
@Path("/info/{ state : [A-Z]{2} }")
@Produces({MediaType.APPLICATION_JSON})
public InstituteContainer getStateList(@PathParam("state") String 
state) {

InstituteInfo instituteinfo = new InstituteInfo();
return instituteinfo.getState(state);
}
}

The InstituteInfo class is a DAO that makes requests into a MySQL 
database and returns a container with the information.


This all works, but on undeploying the Tomcat Manager complains that 
there is a leak after unloading the web application.


Doing a heap dump and looking at it with the following OQL in Eclipse 
MAT shows that the application still resides in memory, with started=false.


SELECT wcl.contextName.toString() AS contextName,
   wcl.started AS started,
   wcl.@retainedHeapSize AS retainedSize
FROM org.apache.catalina.loader.WebappClassLoader wcl

contextName   started  retainedSize
/cplanapi false586,720
/docs true  46,664
/host-manager true  47,288
/manager  true  47,392
/examples true  85,432
  true  46,912

GC roots for cplanapi are:

class com.sun.naming.internal.ResourceManager
'- propertiesCache java.util.WeakHashMap
   '- table java.util.WeakHashMap$Entry[16]
  '- java.util.WeakHashMap$Entry
 '- referent org.apache.catalina.loader.WebappClassLoader

This occurs on both Windows and Linux, and with the above JRE as well as 
Java 1.8.0_202.


. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: AccessLog implementation via logging subsystem?

[Mark Eggers]

Thomas,

On 1/20/2021 2:59 AM, Thomas Meyer wrote:

Hi,

as far as I can see there seems to be no AccessLog interface implementation 
that is using the standard tomcat logging subsystem.
Is there a reason for this?
I have a use case were I want to forward access log to splunk via http event 
collector endpoint.
The idea is to log access log via tomcat logging and configure tomcat logging 
to use HttpEventCollectorLog4jAppender to forward all access logs to splunk.

mfg
thomas


You could probably configure Tomcat to use log4j2 and its 
SocketAppender to do this. Then it becomes a configuration exercise.


I think there were some notes on how to do the former on the mailing 
list. It's been a couple of years since I've set up Tomcat with log4j2, 
otherwise I'd write up detailed instructions.


I hope that gets you started down a reasonable path.

. . . just my two cents.
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: javadoc 404

[Mark Eggers]

Rob,

On 1/10/2021 8:51 PM, Rob Sargent wrote:
While trying to understand why PerUserPoolDataSource doesn't implement 
javax.sql.ConnectionPoolDataSource on



https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/dbcp/dbcp2/datasources/package-summary.html 



I get a 404 from anchor cpdsadapter example


https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/dbcp/dbcp2/cpdsadapter/package.html 






I went to https://tomcat.apache.org/tomcat-9.0-doc/api/overview-summary.html

and then

https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/tomcat/dbcp/dbcp2/cpdsadapter/package-summary.html 



with no issue. Maybe an internal link is broken?

. . . just my two cents
/mde/



OpenPGP_signature
Description: OpenPGP digital signature

Re: Strange crash-on-takeoff, Tomcat 7.0.104

[Mark Eggers]

James,

On 11/18/2020 5:06 PM, James H. H. Lampert wrote:

Ladies and Gentlemen:

The same customer installation that required 104 (but with the 103 
catalina.sh, to avoid Bug 64501) back in June is now demanding an update 
to 106 because of the CVE-2020-13935 vulnerability.


Two questions:

1. Is the problem from June fixed in 106?
2. Does 106 take care of CVE-2020-13935?

--
JHHL


http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
http://tomcat.apache.org/security-7.html

. . . just my two cents
/mde/


OpenPGP_0x41466EC60D793C2D.asc
Description: application/pgp-keys


OpenPGP_signature
Description: OpenPGP digital signature

Re: Tomcat SecurityListener

[Mark Eggers]

Shawn,

On 10/12/2020 12:59 PM, Beard, Shawn wrote:

Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by 
default in the catalina.sh file.

This SecurityListener also sets the UMASK of files to 0027. This has the effect 
of any file tomcat creates or the app running in tomcat creates with 
permissions or -rw-r-

This is causing a problem for us as it prevents certain people from being able 
to read log files or read any file the application might create. Putting these 
users in the group of the user that tomcat runs as is not an option.

I’ve tried changing the catalina.sh to set the UMASK to something like 0022 but 
that prevents tomcat from starting with an error that it has to me at least as 
restrictive as 0027.

I’ve also tried setting the UMASK to 0022 in the setenv.sh with same results.

I’m hesitant to comment out the loading of the security listener in catalina.sh 
as I don’t want to disable anything else important that it may be doing from a 
security standpoint.

Does anyone have any ideas as to a workaround?
 ​

Shawn   Beard‑ Sr. Systems Engineer

Middleware Engineering

[cid:image624238.png@1BC27BA2.B6427C15]
3840 109th Street   ,   Urbandale   ,   IA  50322

Phone: +1-515-564-2528
Email:  sbe...@wrberkley.com

Website: https://berkleytechnologyservices.com/




[cid:image040736.jpg@BA9411B9.333ADE5A]

Technology Leadership Unleashing Business Potential







CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
private, privileged and confidential information belonging to the sender. The 
information therein is solely for the use of the addressee. If your receipt of 
this transmission has occurred as the result of an error, please immediately 
notify us so we can arrange for the return of the documents. In such 
circumstances, you are advised that you may not disclose, copy, distribute or 
take any other action in reliance on the information transmitted.



I don't know what your security or audit requirements are. These are 
some options off the top of my head.


1. Service account for the user that runs Tomcat
You don't run Tomcat as root, correct?

You could then have a list of authorized sudoers, use two factor 
authentication (maybe for both the users and the service account), and 
audit both the service account and the sudoers accounts.


Prevent the service account from being accessed directly.

2. Remote logging
This would take care of needing to access log files on the server, but 
it would not allow anyone to audit application-created files.


Speaking of application-created files, I hope that these are not 
user-provided files that are then directly accessible. Without careful 
auditing, that can lead to some pretty serious security breaches.


. . . just my two cents.
/mde/


OpenPGP_0x41466EC60D793C2D.asc
Description: application/pgp-keys


OpenPGP_signature
Description: OpenPGP digital signature

Re: Class loader does not find class in WEB-INF/classes

[Mark Eggers]

Carles,


On 9/1/2020 11:23 AM, Christopher Schultz wrote:
> Carles,
> 
> On 9/1/20 14:08, Carles Franquesa wrote:
>> This message is a reply to those that asked me for uploading a
>> simple version of my webapp reproducing the problem of not finding
>> classes when a JSP is inside a subfolder, thus not hanging directly
>> from web root directly.
> 
>> I have slimmed down the code as much as possible. You'll see is
>> almost nothing.
> 
>> algorismes.zip
>>  w?usp=drive_web>
> 
> 
> 
>> So, the project's became very simple, but the problem is there:
> 
>> Built with NetBeans 8.0.2 on Windows 10 Tested on local host (so
>> tomcat running on windows), it works My VPS holds a public web
>> domain called algosismes.cat. Tested on my VPS, it depends.
> 
>> Once deploy's done with tomcat 8.5.57 manager app, clicking on its
>> list of sites, it works, since the browser is connecting to the
>> ip:port/algorismes.
> 
>> Setting directly "algorismes.cat" in the browser url, the error is
>> found. Just click to go to the level2.jsp.
> 
>> Lervel2.jsp is a blank page that just declares ann object of class
>> Student to show the problem.
> 
>> Anybody can explain to me what am i doing wrong?
> 
> The ZIP file does not contain a build web application. Can you publish
> your WAR file instead of mixed source/resources?
> 
> It's pretty important how you build the WAR, which is why I'm asking
> for it.
> 
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

There are a lot of issues with your project that have nothing to do with
Tomcat. I'm going to assume that most of your project problems exist
because of how aggressively you stripped down your project.

As a start, you'll need to set up your project correctly in NetBeans.

Instead of just copying the commons-fileupload-1.3.jar and
commons-io-2.2.jar into WEB-INF/lib, you'll need to add them to your
project.

Right-mouse on the project, then:

Properties->Libraries
Click on the Add Jar / Folder button

Browse to your jar files and add them. Then when NetBeans builds the
project, they will be included in the war file.

I've checked, and all of the files are in the proper place in the built
war file.

Now some project notes:

1. Start with using NetBeans 12 - netbeans.apache.org

2. Seriously consider using a Maven-based project instead of an
Ant-based project
This will make dependency management much easier.

3. Seriously consider using the NetBeans built-in CDNJS manager for
JavaScript libraries
This will make JavaScript dependency management much easier.

4. Do not use generic top-level package names. Consider starting
everything with org.franquesa.

5. Do not manage database access on your own. Use JNDI and Tomcat's pooling.
See: http://tomcat.apache.org/tomcat-8.5-doc/jndi-resources-howto.html

See Christopher Schultz's excellent document on how to properly handle
pooled JDBC connections:

https://blog.christopherschultz.net/2009/03/16/properly-handling-pooled-jdbc-connections/

Yes, there are reasons to manage your own database pooling, but there
are not that many use cases for it.

PS: I fixed some obvious typos in your posted project, built it, and ran
it on Tomcat 9.0.37 and JDK 11 on a local internal system (not
localhost). I was able to successfully click on the first page and
navigate to the second page (/appname/folder/level2.jsp).



signature.asc
Description: OpenPGP digital signature

Re: Tomcat and CLoudWatch

[Mark Eggers]

Jake,

On 8/21/2020 10:26 AM, Jake Orel wrote:
> Hey Chris,
> I've been working with Jerry on this. What I had found was to use Collectd
> with the java and genericJMX plugins to gather the Mbeans i wanted to
send.
> After that there was the options of either using a cloudwatchPlugin
>  for collectd or using the
> AWS Cloudwatch agent to collect the metrics from collectd and send
those to
> cloudwatch. I've been able to get basic ec2 metrics (memory-free,
> memory-percent-used, disk-used) from both of those angles but neither one
> has let me send the JMX to cloudwatch. I don't seem to be getting any
error
> messages from either of them and they both tell me they're running.
>

>
> On Fri, Aug 21, 2020 at 11:34 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Jerry,
> 
> On 8/19/20 13:19, Jerry Malcolm wrote:
 Is anyone successfully monitoring Tomcat JMX beans on Amazon
 CloudWatch?  This shouldn't be that difficult.  But we are hitting
 a brick wall.  Can't get anything to work that is recommended on
 forums.
> 
> What have you tried so far?
> 
> -chris

Seems like fluentd would be another approach. I haven't tried it yet,
but the following links look promising.

Cloudwatch - albeit with a Kubernetes cluster
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs.html

Fluentd JMX plugin
https://github.com/hidsuzuk/fluent-plugin-jmx/blob/master/README.md

This looks workable, although it may be a bit heavy for a per-EC2
implementation.

I'm slowly working on dockerizing and containerizing a bunch of
applications running on Tomcat. This is the monitoring approach that I'm
considering.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: seamless restart

[Mark Eggers]

Chris,

On 5/12/2020 1:25 PM, Christopher Schultz wrote:
> Mark,
> 
> On 5/12/20 16:14, Mark Eggers wrote:
>> Chris,
> 
>> On 5/12/2020 12:55 PM, Christopher Schultz wrote:
>>> Jonathan,
>>>
>>> On 5/12/20 11:20, Jonathan Yom-Tov wrote:
>>>> The problem is that my application is running on AWS which
>>>> apparently doesn't support multicasting so I can't use
>>>> Tomcat's DeltaManager.
>>>
>>> The membership-manager is separate from the replication-manager,
>>> so this has nothing to do with e.g. DeltaManager.
>>>
>>> You don't have to use multicast. You can use static membership if
>>> you know your node IP addresses.
>>>
>>> Rémy recently added a cloud membership service that uses
>>> Kubernetes as its default membership service. It looks like he
>>> hasn't written any documentation for it, but it exists in Tomcat
>>> 9 and 10.[1]
>>>
> 
>> This sounds interesting. I wonder how this will play using
>> multiple availability zones for high availability. It still won't
>> handle region outages, but there are other approaches for that.
> 
> I have no idea. There doesn't seem to me to be any reason why
> Kubernetes could not be used across regions. Maybe you wouldn't be
> able to use AWS-kube and might have to do it yourself. I have zero
> experience with Kubernetes, and zero experience with complex AWS
> deployments.
> 
>> I'll read the link you sent, and maybe play with that locally with
>> a Kubernetes setup. If I have questions about the set up, would
>> here or the dev list be the place to ask?
> 
> I think here would be better, since the answers will be visible to a
> wider group of people.
> 

That sounds reasonable. I know a lot of the devs read this group, so
hopefully (once I get started) there will be some answers.

> I'd love to see a writeup about this, including "how to set up
> Kubernetes from scratch to manage your Tomcat cluster" because I know
> literally nothing practical about it.

That and tying it into a cloud environment should be interesting. I'll
need to think about this before writing stuff on a mailing list, let
alone a document.

I'm just starting my journey through Docker / Kubernetes. I've put
together some simple images locally, and even have a private repository
set up running on Nexus 3. My experience with Kubernetes clusters is
limited to running "canned" environments.

It looks like an interesting road.

. . . just my two cents.
/mde/

> 
> -chris
> 
>>>> I thought of using one of the Store implementations for
>>>> PersistentManager but that has the issues which I mentioned
>>>> earlier. My aim is to get to the point where I can add or take
>>>> away servers from the cluster without impacting user
>>>> experience.
>>>
>>> See above. Sounds like the cloud membership service is what you
>>> are looking for because it (a) handles dynamic membership and (b)
>>> doesn't use multicast.
>>>
>>>> Ideally all state would be stored in a central location (e.g.
>>>> Redis). But, since this is difficult because of the way the
>>>> application is built I thought of using one server and only
>>>> persisting the sessions when the server goes down. But I still
>>>> have to solve the issues I mentioned.
>>> I would avoid single points of failure if possible. A "central
>>> location" tends to be a single point of failure. Tomcat clustered
>>> with e.g. BackupManager and dynamic membership will (a) achieve
>>> your goals and (b) not require additional products.
>>>
>>> Hope that helps, -chris
>>>
>>> [1]
>>> https://github.com/apache/tomcat/blob/master/java/org/apache/catalina
> /tr
>>>
>>>
> ibes/membership/cloud/CloudMembershipService.java#L34
>>>
>>>> On Tue, May 12, 2020 at 6:06 PM Christopher Schultz <
>>>> ch...@christopherschultz.net> wrote:
>>>
>>>> Jonathan,
>>>
>>>> On 5/12/20 05:51, Jonathan Yom-Tov wrote:
>>>>>>> I have an application which changes the state of user
>>>>>>> sessions in lots of places in the code. Is it possible to
>>>>>>> do a seamless switch of Tomcat servers, preserving all
>>>>>>> sessions?
>>>>>>>
>>>>>>> I know I can use PersistentManager to persist sessions
>>>>>>> and load them. I can think of two strategies:
>>>>>>>
>>>&

Re: seamless restart

[Mark Eggers]

Chris,

On 5/12/2020 12:55 PM, Christopher Schultz wrote:
> Jonathan,
> 
> On 5/12/20 11:20, Jonathan Yom-Tov wrote:
>> The problem is that my application is running on AWS which
>> apparently doesn't support multicasting so I can't use Tomcat's
>> DeltaManager.
> 
> The membership-manager is separate from the replication-manager, so
> this has nothing to do with e.g. DeltaManager.
> 
> You don't have to use multicast. You can use static membership if you
> know your node IP addresses.
> 
> Rémy recently added a cloud membership service that uses Kubernetes as
> its default membership service. It looks like he hasn't written any
> documentation for it, but it exists in Tomcat 9 and 10.[1]
> 

This sounds interesting. I wonder how this will play using multiple
availability zones for high availability. It still won't handle region
outages, but there are other approaches for that.

I'll read the link you sent, and maybe play with that locally with a
Kubernetes setup. If I have questions about the set up, would here or
the dev list be the place to ask?

Thanks!

. . . just my two cents
/mde/

>> I thought of using one of the Store implementations for
>> PersistentManager but that has the issues which I mentioned
>> earlier. My aim is to get to the point where I can add or take away
>> servers from the cluster without impacting user experience.
> 
> See above. Sounds like the cloud membership service is what you are
> looking for because it (a) handles dynamic membership and (b) doesn't
> use multicast.
> 
>> Ideally all state would be stored in a central location (e.g.
>> Redis). But, since this is difficult because of the way the
>> application is built I thought of using one server and only
>> persisting the sessions when the server goes down. But I still have
>> to solve the issues I mentioned.
> I would avoid single points of failure if possible. A "central
> location" tends to be a single point of failure. Tomcat clustered with
> e.g. BackupManager and dynamic membership will (a) achieve your goals
> and (b) not require additional products.
> 
> Hope that helps,
> -chris
> 
> [1]
> https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/tr
> ibes/membership/cloud/CloudMembershipService.java#L34
> 
>> On Tue, May 12, 2020 at 6:06 PM Christopher Schultz <
>> ch...@christopherschultz.net> wrote:
> 
>> Jonathan,
> 
>> On 5/12/20 05:51, Jonathan Yom-Tov wrote:
> I have an application which changes the state of user
> sessions in lots of places in the code. Is it possible to do
> a seamless switch of Tomcat servers, preserving all
> sessions?
>
> I know I can use PersistentManager to persist sessions and
> load them. I can think of two strategies:
>
> 1. Persist sessions periodically. This is more robust as I
> might not have control of when the server shuts down. 2.
> Persist sessions on server shutdown.
>
>
> The problem with the first approach is that I might lose the
> latest changes when the new server comes up. The problem with
> the second is that I'll have to lock access to the session
> until the old server is done saving it, which may make
> response times very slow.
>
> Is there a good solution to this that I might have
> overlooked?
> 
>> If you want to solve these problems:
> 
>> 1. Seamless (uninterrupted) restarts 2. Always up-to-date (well, as
>> much as possible) 3. No downtime
> 
>> Then you really need a cluster where the sessions are being
>> replicated around the cluster.
> 
>> This will solve some other problems as well:
> 
>> 4. Expected downtime (e.g. OS/Tomcat/application upgrade) 5.
>> Unexpected downtime (network outage, hardware fault) 6. Scaling-out
>> (either manually or automatically)
> 
>> You can do it with as little as two Tomcat instances. If you only
>> care about being able to restart your application (and not the
>> whole server, for example), then you can even run them side-by-side
>> on the same server. You won't get protection against OS upgrades
>> and unexpected downtime in that case, but you can get familiar with
>> the setup without a whole lot of infrastructure.
> 
>> -chris
>>>
>>> -
>>>
>>>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
> 
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>




signature.asc
Description: OpenPGP digital signature

Re: seamless restart

[Mark Eggers]

Jonathan,

On 5/12/2020 8:20 AM, Jonathan Yom-Tov wrote:
> The problem is that my application is running on AWS which apparently
> doesn't support multicasting so I can't use Tomcat's DeltaManager. I
> thought of using one of the Store implementations for
PersistentManager but
> that has the issues which I mentioned earlier. My aim is to get to the
> point where I can add or take away servers from the cluster without
> impacting user experience. Ideally all state would be stored in a central
> location (e.g. Redis). But, since this is difficult because of the way the
> application is built I thought of using one server and only persisting the
> sessions when the server goes down. But I still have to solve the issues I
> mentioned.
>
>
>
>
> On Tue, May 12, 2020 at 6:06 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Jonathan,
> 
> On 5/12/20 05:51, Jonathan Yom-Tov wrote:
 I have an application which changes the state of user sessions in
 lots of places in the code. Is it possible to do a seamless switch
 of Tomcat servers, preserving all sessions?

 I know I can use PersistentManager to persist sessions and load
 them. I can think of two strategies:

 1. Persist sessions periodically. This is more robust as I might
 not have control of when the server shuts down. 2. Persist sessions
 on server shutdown.


 The problem with the first approach is that I might lose the latest
 changes when the new server comes up. The problem with the second
 is that I'll have to lock access to the session until the old
 server is done saving it, which may make response times very slow.

 Is there a good solution to this that I might have overlooked?
> 
> If you want to solve these problems:
> 
> 1. Seamless (uninterrupted) restarts
> 2. Always up-to-date (well, as much as possible)
> 3. No downtime
> 
> Then you really need a cluster where the sessions are being replicated
> around the cluster.
> 
> This will solve some other problems as well:
> 
> 4. Expected downtime (e.g. OS/Tomcat/application upgrade)
> 5. Unexpected downtime (network outage, hardware fault)
> 6. Scaling-out (either manually or automatically)
> 
> You can do it with as little as two Tomcat instances. If you only care
> about being able to restart your application (and not the whole
> server, for example), then you can even run them side-by-side on the
> same server. You won't get protection against OS upgrades and
> unexpected downtime in that case, but you can get familiar with the
> setup without a whole lot of infrastructure.
> 
> -chris

Could you use the RedissonSessionManager and an AWS - distributed Redis
server?

You could put all of your Tomcat servers in an elastic group, and let
AWS manage that.

The real problem with this approach is deployment. How do you deploy
across an elastic group of Tomcat servers when you may not know the IP
addresses of the servers or how many you have?

I can think of some really kludgy ways to do this with S3 and AWS
events, but I've not worked out the details.

Another way to approach this is to run Docker on AWS (along with Redis),
and then deploy a new version by deploying a new Docker image in a
rolling fashion.

If your session interface changes a lot, that could create issues.

That's one of the advantages of using versioned deployment
(app.war##nnn) with a cluster. Old apps stay around until the session
expires, while new sessions get the new version.

Maybe -- just thinking out loud -- you could use an elastic group, AWS
events, Redis (RedisSessionManager), and numbered WAR files to simulate
a Tomcat cluster.

Another question: Is the database-backed session manager provided with
Tomcat slow? You could use that instead of the third party
RedissonSessionManager.

You should be able to test everything but the deployment locally. Just
run a Docker implementation on your development machine, and then test
either RedissonSessionManager or the JDBC backed session store. Docker
will (can) be set up to mimic AWS elastic group behavior (expansion /
contraction of containers), so the only question will be updates.

Use something like JMeter to test sessions and hammer your Docker
cluster. By default, Docker routes every request to a new container in a
multi-container group. You'll know really quickly if distributed
sessions aren't working.

I need to get back to this for $work, but I've been getting yanked
around a bit. Hopefully, I'll be able to start testing all of these
ideas in the next month or so.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: 2 questions

[Mark Eggers]

On 4/9/2020 3:45 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Potentially off-topic, sorta, questions.
> 
> 
> 1. How do we get the latest versions of mod-jk.so tomcat connector 1.2.46 
> or 1.2.48? I see the binaries and such for IIS, but not .so versions.
> 
> 2. How, on windows, do we tell what version of mod-jk.so is currently in 
> use on Apache HTTP?
> 
> Asking here as it has to do with connecting to Tomcat. :)
> 
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Asst Vice President
> 
> Middleware Product Engineering
> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> 
> 
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 
> 
Normally you have to build those yourself.

Some Linux distributions offer mod_jk in various repositories.

For Windows, you can download them from the Apache Lounge (1.2.46 last I
checked).

For Apache HTTPD, you can tell what's installed by looking at
server-info - ie., http://127.0.0.1/server-info/. This of course depends
on whether it's enabled. It's not by default. It also depends on what
the restrictions are. My Windows 10 machine is set to only allow
127(.0.0.1) in the Require directive.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

James,

On 4/9/2020 12:11 PM, James H. H. Lampert wrote:
> On 4/6/20 2:13 PM, Mark Eggers wrote:
>> # Secure your proxy - localhost for now - this is IMPORTANT
>> 
>>    Require ip 127
>> 
> 
> Dear Mr. Eggers:
> 
> It seems I was right about how what you said about this, and what the
> docs say about it, appeared to contradict each other: with that in the
> VirtualHost with the ProxyPass and ProxyPassReverse directives, it
> blocked all outside access through the proxy.
> 
> Once I commented out those lines, I got proxied straight to the default
> ROOT context.
> 
> Then, when I reactivated the valve in the manager app, I found that I
> was still able to get into it via the proxy, but not directly.
> 
> I've now put this in
>> https://qux.baz.com/manager;>
>>  Require ip xx.yy.zz.qq
>> 
>> https://corge.bax.com/manager;>
>>  Require ip xx.yy.zz.qq
>> 
> 
> where xx.yy.zz.qq is my office IP address. I could get in just fine.
> Then I changed the IP address to something different, restarted my
> browser, and I could still get in. I also tried it with "/*" on the ends
> of the URLs, and with "/html" on the ends, and with "/html/*" on the
> ends. I also went back to the original "*" on one of them, and it went
> back to locking me out of everything. Something doesn't seem right here.
> 

I'll play with this a little later.

Please note that when you change Apache HTTPD configurations you must
restart Apache HTTPD.

This is one of the reasons why I prefer mod_jk. I can change the mapped
URLs on the fly without having to restart Apache HTTPD (albeit with some
small hit to performance).

The way that I have things set up for a client is to have a machine with
two interfaces and use an  directive in server.xml.

I then run an additional HTTP/1.1 connector and bind it to the internal
interface only. The internal interface is protected by VPN with a two
factor authentication.

I could further protect the sensitive applications by using the remote
address filter and restricting access to the management and build
systems subnets.

To access the manager application, you have to connect to the VPN, and
then browse to the following:

http://internal.dns.domain.com:port/manager/html

This will will bring up a manager interface that is appropriate for:

https://external.dns..domain.com

and all the applications running there. This is mostly used by the
client's internal Jenkins build system to publish applications to the
appropriate Tomcat server. It can also be used by a JMX application for
Tomcat monitoring.

My urimapping.properties file contains lines like:

!/manager|/*=worker_name
!/jmxmonitor|/*=worker_name

This blocks proxying the manager and JMX applications by mod_jk.

This has been running in production since I set it up, and has survived
both random script kiddie attacks and security audits by the client's
customers.

You could look at mimicking this behavior with mod_proxy by using an
exclamation mark (not tested).

Something like the following:

ProxyPass /manager !
ProxyPass /jmxmonitor !

per the documentation here:

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

Apparently, the documentation would recommend something like the following:


ProxyPass "!"


ProxyPass "!"


I think that the above is probably easier to read and more specific.
Place the directives in the appropriate virtual host.

You could also be more expressive with LocationMatch and regular
expressions.

Once this is done you could access the manager application directly by
using the appropriate port and configuring AWS's firewall rules to allow
your office IP address through the port.

Again, I have not tried this since I use mod_jk.  Again, please remember
to restart Apache HTTPD after any configuration changes.


. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

On 4/8/2020 6:42 PM, calder wrote:
> On Wed, Apr 8, 2020, 18:11 James H. H. Lampert 
> wrote:
> 
>>
>> And as to vendor-supplied installations, I agree with you. I'm rather
>> irritated with the "Debianism" of splitting Tomcat up so completely that
>> webapp contexts can be in at least two different places, and the general
>> "Linuxism" of *not* including manager and host-manager (although I've
>> never needed the latter) in the basic installation, and sometimes not
>> even including a default root.
>>
> 
> It's not just a Debian thing - it's a Linux distro idiosyncrasy.
> 
> And you don't have to use a distro's Tomcat layout / configuration.  We
> don't - we download P.V. Tomcat and extract to /opt (obviously, one could
> choose to install to /usr/local if building) and use separate CATALINA_BASE
> and CATALINA_HOME.
> 

That's what I do as well. I use Ant scripts plus some property files to
configure things. When a new version is rolled out, I edit a property
file, build the new CATALINA_BASE directories with the Ant scripts, and
I've got the new setup.

To put the new setup into production, I shut down the existing Tomcats,
move some links around, and bring up the new Tomcats. If the new Tomcats
fail to come up properly, I swap the links back, bring up the old
Tomcats, and then take a look at the logs in the appropriate CATALINA_BASE.

The advantage to this setup is that I can do all of my upgrading except
for the link swap at any time. The actual outage time is minutes.

I should script the link swapping as well to shorten the down time and
remove the chance of fat-fingering things.

. . . just my two cents
/mde/





signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

James,

On 4/8/2020 5:41 PM, James H. H. Lampert wrote:
> On 4/8/20 4:57 PM, Mark Eggers wrote:
>> See
>> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy
>> for some examples.
> 
> Yes. That's the very point in the documentation that has my head spinning:
>>> For example, the following will allow only hosts in
>>> yournetwork.example.com to access content via your proxy server:
> 
>>>> 
>>>>   Require host yournetwork.example.com
>>>> 
> 
> *Access* content?? I thought the Tomcat server is *serving* content.
> 
>> So if I remember everything correctly, you could be really specific with
>> the following:
>>
>> https://qux.baz.com;>
>> Require ip 127.0.0.1
>> 
>>
>> Place this inside the virtual host defined in the appropriate ssl.conf
>> snippet. I think that you have an ssl.conf file per domain, right?
>>
>> Then in the non-ssl snippet, you would rewrite all the requests to go to
>> HTTPS.
> 
> That part makes sense, although I'm not entirely sure why I would want
> to "be really specific" about the domain in the Proxy container, unless
> it's to keep it from fighting with the other VirtualHosts. And actually,
> I put the SSL and non-SSL VirtualHost blocks for the new domain in a
> single .conf file.
> 

James,

This is going to be way off topic, and may not be completely correct.
While I'm pretty good with Apache Tomcat, I'm still learning about
Apache HTTPD. We should probably have further discussions off the
mailing list.

Anyway from an overview standpoint, think of a proxy as a virtual file
system.

Instead of serving information from a directory subject to 
constraints, Apache HTTPD is serving information from a proxy.

From the browser's standpoint, the information is being served by Apache
HTTPD, even though you're proxying Apache Tomcat.

For example, on my mod_jk connected Apache Tomcat, the server is
reported as:

Server: Apache/2.2.15 (CentOS)

This is what CentOS's patched Apache HTTPD 2.2 server reports, and is
not indicative of the Apache Tomcat that I'm running behind mod_jk.

So Apache HTTPD matches an incoming request to the most specific URL
that it can, and then applies rules.

This allows me to restrict HTTPD methods, do rewrites, and then passes
the results off to Apache Tomcat (if configured to do so).

When Apache Tomcat gets done with whatever it does (renders JSPs,
creates / serves JSON, serves JS/CSS, etc.), it sends this back to
Apache HTTPD.

Apache HTTPD then does things like compress the output, edits / adds
cookies, and edits / adds headers.

Finally, the result gets sent to the browser.

The browser has no idea that the response is generated via Apache
Tomcat. OK, if someone notices a JSESSIONID, the user might have a clue.
Other than that, no.

I proxy behind Apache HTTPD for several reasons. Until recently, SAN
certificates, Java, and Tomcat didn't play nicely together. That's changed.

It's also easier to add some headers and cookies in Apache HTTPD than in
Apache Tomcat. This is especially true for SameSite cookies, where
certain browsers are broken and cannot handle SameSite=None. I have to
do some ugly browser sniffing (fragile, not recommended) so that cookies
generated by Apache Tomcat work inside an iframe.

Now the order that all of this stuff happens is an entirely new
discussion that might be better off-list, or on the Apache HTTPD mailing
list.

Think of Apache HTTPD as a Valve / Filter combination in the Apache
Tomcat sense, if that helps.

Oh, and being specific has some nice benefits. You can create different
rules for different URLs before passing it off to a back end Apache
Tomcat. Access control is just ONE of the things that you can do with
Apache HTTPD sitting in front of Apache Tomcat.

Running all of this in a cloud environment brings its own set of challenges.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

On 4/8/2020 4:11 PM, James H. H. Lampert wrote:
> On 4/8/20 3:52 PM, Mark Eggers wrote:
>>>> 
>>>>     Require ip 127
>>>> 
> 
> Dear Mr. Eggers (et al.):
> 
> I'm still not clear on what that even *does* (and the official docs
> leave me even more confused: "only allow hosts in . . . to access
> content via your proxy"); could you (or somebody else) explain it?
> Remember, while I may be (deservedly or otherwise) a guru on getting
> Tomcat running on an IBM Midrange box, I have no illusions about having
> the slightest clue what I'm doing with httpd. Yesterday, I was tearing
> my hair out because certbot wasn't working, only to discover that I had
> a malformed VirtualHost.
> 
> And as to vendor-supplied installations, I agree with you. I'm rather
> irritated with the "Debianism" of splitting Tomcat up so completely that
> webapp contexts can be in at least two different places, and the general
> "Linuxism" of *not* including manager and host-manager (although I've
> never needed the latter) in the basic installation, and sometimes not
> even including a default root.
> 
> -- 

Basically, the  is applied to all the proxy statements in your
configuration.

See

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxy

for some examples.

The Require statement means only allow connections from what is required
- in my example 127 gets mapped to 127.0.0.1 (localhost).

So the configuration that I have given restricts all proxy connections
to localhost, which means that no outside proxy connections are
possible. This is a good thing, I think.

So if I remember everything correctly, you could be really specific with
the following:

https://qux.baz.com;>
Require ip 127.0.0.1


Place this inside the virtual host defined in the appropriate ssl.conf
snippet. I think that you have an ssl.conf file per domain, right?

Then in the non-ssl snippet, you would rewrite all the requests to go to
HTTPS.

Again, please verify this with an Apache HTTPD expert, and discuss this
on the Apache HTTPD mailing list. I do all of this with mod_jk, so my
configuration is quite a bit different.

Again, I personally like the broad brush approach and then override
specifics per virtual host. Sort of a combination of least permissions
plus management by exception.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

James,

On 4/8/2020 3:27 PM, James H. H. Lampert wrote:
> Dear Mr. Eggers, et al.:
> 
> Well, after running test installations of Tomcat on a whole string of
> EC2 spot instances, I went ahead and installed it on the target server.
> I've got it running, and enabled to start automatically, and I've added
> a security group to temporarily open 8080 to my office IP address, so
> that I can reach it directly and verify that it works (it does). And
> I've also verified that mod_proxy and mod_proxy_http are enabled (they
> already were; I didn't have to lift a finger)
> 
> On 4/6/20 2:13 PM, Mark Eggers wrote:
>> # Secure your proxy - localhost for now - this is IMPORTANT
>> 
>>    Require ip 127
>> 
>>
>> # Map applications
>> # You could just use / if you're proxying all requests
>> # Pick the correct Apache Tomcat port
>>
>> ProxyPass "/foo" "http://127.0.0.1:8080/foo;
>> ProxyPassReverse "/foo" "http://127.0.0.1:8080/foo;
> 
> Now I'm not sure I understand the  container and its
> contents. The httpd and Tomcat servers are both running on the same box.
> "Require ip 127" sounds like it's specifying an incomplete IP address.
> 
> I can sort-of understand the ProxyPass and ProxyPassReverse directives.
> Given that all requests to this particular VirtualHost ("qux.baz.com" to
> speak metasyntactically) should be going to Tomcat (which will have a
> root context and at least four [including manager] named contexts),
> would this be:
> 
>     ProxyPass "/" "http://127.0.0.1:8080/;
>     ProxyPassReverse "/" "http://127.0.0.1:8080;
> 
> ???
> 
> Conversely, none of the other VirtualHosts would be proxying Tomcat (or
> anything else), so should all this be within the VirtualHost?
> 
> -- 
> JHHL
> 

See the following for IP address configuration in Apache HTTPD 2.4:

https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

I think putting the proxy restriction in the virtual host would be OK,
but I'm a belt and suspenders kind of person. Putting it in the default
host makes sure that someone doesn't inadvertently open up your server
later. You can always override it at the virtual host level if you wish.

Finally, one of my pet peeves concerning vendor-supplied Apache HTTPD
installations is that they turn on a lot of modules by default. The
first thing I do with such an installation is to turn off everything
that is not being used in an installation. This usually includes all of
the _dav, _user, and proxy_ modules.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

{[OT] Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

On 4/6/2020 5:47 PM, James H. H. Lampert wrote:
> As it happens, I'm now struggling with an issue just trying to get a new
> virtual host up and running on the httpd server. I've put it on Server
> Fault, at: https://preview.tinyurl.com/rr3rxwa
> 
> While it may not be necessary to solve this problem in order to get the
> httpd server to proxy the Tomcat server, this certainly *looks* like
> something that might pick a fight with what's being proxied to Tomcat.
> 
> -- 
> JHHL

I don't have enough reputation points to comment on your question on
serverfault.

Is your DocumentRoot (/var/www/html/test) underneath the default
DocumentRoot (normally /var/www/html)?

If so, try moving the DocumentRoot to /var/www/test. I don't know how
Apache HTTPD deals with overlapping DocumentRoots (I suppose I should go
read the docs).

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

James,

On 4/6/2020 3:09 PM, James H. H. Lampert wrote:
> First of all, thank you, Mr. Malcom, Herr Kreuser, and Mr. Eggers.
> 
> One thing I will note is that near as I can tell, mod_proxy and
> mod_proxy_http are already present on the system (I can find
> "mod_proxy.so" and "mod_proxy_http.so"), but mod_jk does not appear to
> be present (no sign of a "mod_jk.so" anywhere).
> 
> Second, we do indeed have an "00-ssl.conf" file in conf.modules.d, and
> an "ssl.conf" in conf.d. The conf.d directory also has .conf files for
> all the domain names, in the form domain.conf and domain-le-ssl.conf,
> each containing the VirtualHost configurations for the various domains.
> 
> Now obviously, the very last thing I want to do is disrupt the existing
> web sites being served.
> 
> Mr. Eggers: Not quite sure I understand the "No virtual host for now"
> bit, at the top of your sample proxy configuration; I thought everything
> in httpd had to be in a virtual host.
> 
> Something I just noticed myself: if I go to http://www.baz.com, it
> *doesn't* immediately redirect me to https://www.baz.com, but if I go to
> http://www.foo.com or http://www.bar.com, it *does* immediately switch
> me to https. This seems like some sort of an oversight by my colleague,
> who configured the sites.
> 
> From what I can see, "mod_proxy" seems easier to set up (and one less
> thing to download); what are the disadvantages, if any?
> 
> -- 
> JHHL

I iust meant that my example didn't have a virtual host. In your
requirement, you'd probably put the LoadModule and 
configurations in the main httpd.conf section so it'll be inherited by
the named virtual hosts.

In each named virtual host, you would then place the ProxyPass /
ProxyPassReverse pairs for a targeted (named) host. You could even have
one Apache HTTPD talk to different back-end Tomcats (one for each named
host in domain-le-ssl.conf).

There are a lot of ways to slice and dice this. It all depends on your
requirements.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

Hi Jerry / James,

On 4/6/2020 1:59 PM, Jerry Malcolm wrote:
> Hi James,
> 
> I've been using this precise setup for years, first on a dedicated
> hosted server and recently on EC2/Linux2.  I use mod_jk.
> 
> The first step is to make sure httpd recognizes all of the domain names
> and subdomains.  That includes the vhost definitions of all of the
> domains and subdomains, either as separate virtual hosts or as host
> alias names.  Then, as you described, you need to make sure the
> certificates include all of the domain and subdomain names.  LetsEncrypt
> will 'expand' an existing cert if you just add another host name to the
> LetsEncrypt call.
> 
> You are probably doing this already.  But just for completeness you
> should  support both http://foo.com (port 80) and https://foo.com.  That
> way, users aren't required to enter https.  I just add a 'redirect
> permanent' in the port 80 vhost def to route it to https://foo.com.  
> Once you are 'in' with ssl into httpd at 443 the certificate work is
> done.  No need to set up any certificates into tomcat unless you have a
> specific reason to use ssl/tls between httpd and tomcat (unlikely if you
> running both on the same EC2).
> 
> The biggest area of concentration is setting up the url patterns that
> httpd will route to tomcat via mod_jk.  These are defined in httpd.conf
> as global or in virtual host configuration sections You can explicitly
> list the url patterns to send to tomcat:
> 
>    JkMount /*.json  worker1
>    JkMount /*.jsp   worker1
>    JkMount /*/*.json    worker1
>    JkMount /*/FileUpload    worker1
> 
> or you can send 'all' (*) and define exceptions using JkUnMount
> (example; /css/*).  The mod_jk log is a lifesaver when you are setting
> this up.  Set the mod_jk log level to debug and see how mod_jk is
> deciding whether to pass a url to tomcat or pass it back to httpd for
> processing.
> 
> Once you get to tomcat, you just have to define all of the same host
> domain and subdomains in tomcat's server.xml to ensure tomcat is going
> to accept the requests that mod_jk has decided to send to it.
> 
> Let me know as you encounter issues.  I'll be glad to assist.
> 
> Jerry
> 
> On 4/6/2020 2:53 PM, James H. H. Lampert wrote:
>> Here is the situation:
>>
>> We have an existing Amazon EC2 instance, running Amazon Linux 2, with
>> an Apache httpd server already running our web sites (for argument's
>> sake, "foo.com," "bar.com," and "baz.com."), and already getting its
>> certs from Let's Encrypt, using "foo.com" as the CN, with
>> "www.foo.com," "bar.com," "www.bar.com," "baz.com," and "www.baz.com"
>> as SANs. And it seems to be working quite nicely.
>>
>> Now, we want to add a Tomcat server, which would then serve several
>> webapp contexts at "qux.baz.com," and maybe also "corge.baz.com,"
>> running behind the httpd server (which is something I've never done
>> before; I've always set up Tomcat directly facing the outside world,
>> so with this, I frankly haven't a clue what I'm doing).
>>
>> First of all, which is currently considered the easier/better way to
>> get Tomcat running behind httpd, given the above scenario?
>> "mod_proxy," or "mod_jk?" Or is there something else I haven't heard of?
>>
>> Second of all, I found this step-by-step procedure.
>>
>>> https://preview.tinyurl.com/vwnutqj
>>
>>  Is it any good?
>>
>> Third, am I correct in assuming that all we need to do in order for
>> the existing Let's Encrypt setup to cover the new "qux" and "corge"
>> subdomains is to add them to the SANs already listed?
>>
>> Finally, are there any "gotchas" I need to be concerned with?
>>
>> -- 
>> James H. H. Lampert
>> Touchtone Corporation

I also prefer mod_jk. It's a little bit trickier to set up. You have to
worry about timings, and getting them to agree between
workers.properties and server.xml. Fortunately, there's a very good
sample workers.properties file in the mod_jk source code.

My local setup is as follows:

#
# This file will configure three Tomcat workers
# The Tomcat workers are using differing ports and the same (localhost)
address
#

#
# adding all of the workers in a list at once
# not strictly necessary, since the use of the list is additive
#
worker.list=jk-status,jk-manager,titan

#
# status manager for read-only
# manager manager for read/write
#
worker.jk-status.type=status
worker.jk-status.read_only=true

worker.jk-manager.type=status

#
# template
#
# Notes on configuration
# type   - ajp13 which is the protocol and the default
# socket_connect_timeout - in milliseconds (what happens when Tomcat
#  is started later?
# socket_keepalive   - send keep alive packets when connection is
#  idle
# ping   - how to do the keep alive (see
#  documentation)
# ping_timeout   - default in milliseconds
# minsize- minimum pool size 

Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

[Mark Eggers]

James,

On 4/6/2020 12:53 PM, James H. H. Lampert wrote:
> Here is the situation:
> 
> We have an existing Amazon EC2 instance, running Amazon Linux 2, with an
> Apache httpd server already running our web sites (for argument's sake,
> "foo.com," "bar.com," and "baz.com."), and already getting its certs
> from Let's Encrypt, using "foo.com" as the CN, with "www.foo.com,"
> "bar.com," "www.bar.com," "baz.com," and "www.baz.com" as SANs. And it
> seems to be working quite nicely.
> 
> Now, we want to add a Tomcat server, which would then serve several
> webapp contexts at "qux.baz.com," and maybe also "corge.baz.com,"
> running behind the httpd server (which is something I've never done
> before; I've always set up Tomcat directly facing the outside world, so
> with this, I frankly haven't a clue what I'm doing).
> 
> First of all, which is currently considered the easier/better way to get
> Tomcat running behind httpd, given the above scenario? "mod_proxy," or
> "mod_jk?" Or is there something else I haven't heard of?
> 
> Second of all, I found this step-by-step procedure.
> 
>> https://preview.tinyurl.com/vwnutqj
> 
>  Is it any good?
> 
> Third, am I correct in assuming that all we need to do in order for the
> existing Let's Encrypt setup to cover the new "qux" and "corge"
> subdomains is to add them to the SANs already listed?
> 
> Finally, are there any "gotchas" I need to be concerned with?
> 
> -- 
> James H. H. Lampert
> Touchtone Corporation

I prefer mod_jk to mod_proxy for a variety of reasons. Chief among those
is its ability to change web applications on the fly (albeit with some
performance loss).

Unfortunately, there is discussion on the dev list indicating that AJP
may be deprecated in the future. Thus, mod_proxy seems to be the way to go.

I've not put together a mod_proxy_http connection before, so I thought
that I would try it on a Windows 10 Professional system with Tomcat
7.0.103 and Apache HTTPD 2.4.38 (yes, yes, I'll upgrade soon).

First of all, I think that the following is very suspicious.


AllowOverride All
Require all granted
Options Indexes FollowSymLinks


This appears to establish a set of Apache HTTPD directives for the
Tomcat - served web applications. This is completely unnecessary. The
entire point of a proxy is to pass information from Apache HTTPD to
Apache Tomcat via a network protocol (in this case HTTP).

Second of all, the proxy_pass statements appear to do some rewriting.
This is in general not a good idea, since cookie paths will get munged.
You'll have to use mod_rewrite in order to straighten out cookie paths,
and you may break website links which would require rewriting. In
general, it's a very good idea to keep the path the same between Apache
HTTPD and Apache Tomcat.

At least the above is the case for mod_ajp.

Third of all, I have no idea why there's a Location directive with
"/webapps" in the configuration. Since there's no DocumentRoot for this
virtual host, I suspect it will be in reference to the parent's
(default) DocumentRoot. What that serves is a mystery to me given the
configuration fragment.

Maybe some Apache HTTPD experts on the list have some ideas.

Also note that this isn't HTTPS. Typically, an HTTPS Apache HTTPD
configuration lives in ssl.conf, and you protect HTTP access by doing a
redirect in httpd.conf to the HTTPS site.

You could terminate HTTPS on Apache HTTPD, and then connect Apache HTTPD
via HTTP to Apache Tomcat.

Also note that referencing Apache Tomcat's webapps directory in Apache
HTTPD is a VERY BAD THING. Apache HTTPD has no concept of WEB-INF or
META-INF, so it's conceivable that you could serve and expose secrets
from appname/META-INF or appname/WEB-INF. It's best to just not do this.

Given the above, I thought that I would hack together a quick and dirty
proxy configuration. Again I use mod_jk, so please let some of the more
experienced people chime in on this.

On UNIX / Linux you could also probably use UNIX sockets instead of
HTTP, HTTPS, or AJP.

# No virtual host for now
# No SSL for now

# enabling proxy and http proxy (note, you could use HTTP/2 as well)
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Secure your proxy - localhost for now - this is IMPORTANT

  Require ip 127


# Map applications
# You could just use / if you're proxying all requests
# Pick the correct Apache Tomcat port

ProxyPass "/foo" "http://127.0.0.1:8080/foo;
ProxyPassReverse "/foo" "http://127.0.0.1:8080/foo;

This works on my local machine. I hope this is useful.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat app within docker container

[Mark Eggers]

Alex,

On 1/9/2020 8:51 AM, Alex K wrote:
> Hi all,
> 
> I have two .war files that when deployed at a plain Debian 9 VM are working
> fine.
> I have prepared a docker file so as to deploy the same apps within a docker
> container and for some reason one of the apps is not loading due to some
> error.
> 
> Dockerfile:
> FROM debian:latest
> USER root
> 
> ENV CATALINA_HOME /opt/tomcat
> ENV PATH $CATALINA_HOME/bin:$PATH
> RUN mkdir -p "$CATALINA_HOME"
> WORKDIR $CATALINA_HOME
> 
> # Install packages
> RUN apt update && apt install default-jdk -y && groupadd tomcat && useradd
> -s /bin/false -g tomcat -d $CATALINA_HOME tomcat
> COPY apache-tomcat-8.5.50.tar.gz /tmp/
> 
> RUN tar xzvf /tmp/apache-tomcat-8.5.50.tar.gz -C /opt/tomcat
> --strip-components=1
> 
> ADD app.war $CATALINA_HOME/webapps/
> ADD orbeon.war $CATALINA_HOME/webapps/
> ADD server.xml $CATALINA_HOME/conf/
> ADD web.xml $CATALINA_HOME/conf/
> ADD mariadb-java-client-2.4.1.jar $CATALINA_HOME/lib
> ADD setenv.sh $CATALINA_HOME/bin/
> 
> RUN chgrp -R tomcat $CATALINA_HOME && \
> chown -R tomcat webapps/ work/ temp/ logs/ && \
> chmod -R g+r conf && \
> chmod g+x conf && \
> chmod 750 $CATALINA_HOME/bin/setenv.sh && \
> rm -f /tmp/apache-tomcat-8.5.50.tar.gz;
> 
> EXPOSE 8443
> CMD ["catalina.sh", "run"]
> 
> I have tried also several other ways, by using directly other docker tomcat
> images everytime resulting with some error.
> 
> The error I am getting now is:
> 
> 10:21:32.201 WARN  c.h.c.c.s.CubaXmlWebApplicationContext  - Exception
> encountered during context initialization - cancelling refresh attempt:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 10:21:32.243 ERROR c.h.a.r.a.r.RestAPIDispatcherServlet- Context
> initialization failed
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'org.springframework.security.filterChains': Cannot resolve
> reference to bean
> 'org.springframework.security.web.DefaultSecurityFilterChain#0' while
> setting bean property 'sourceList' with key [0]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name
> 'org.springframework.security.web.DefaultSecurityFilterChain#0': Cannot
> create inner bean '(inner bean)#27690bd5' of type
> [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]
> while setting constructor argument with key [4]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name '(inner bean)#27690bd5': Cannot resolve reference to bean
> 'clientAuthenticationEntryPoint' while setting constructor argument; nested
> exception is org.springframework.beans.factory.BeanCreationException: Error
> creating bean with name 'clientAuthenticationEntryPoint' defined in class
> path resource [com/haulmont/addon/restapi/rest-dispatcher-spring.xml]:
> Instantiation of bean failed; nested exception is
> org.springframework.beans.BeanInstantiationException: Failed to instantiate
> [org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint]:
> Constructor threw exception; nested exception is
> java.lang.NoClassDefFoundError: javax/xml/bind/JAXBException
> 
> 
> Since I am not very familiar with tomcat, I would appreciate any pointers
> how to troubleshoot this.
> 
> Thanx,
> Alex
> 

What's the Java version for Debian 9 versus the debian:latest docker image?

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Dates on Linux vs. Windows

[Mark Eggers]

On 1/7/2020 1:13 PM, Jerry Malcolm wrote:
> On 1/7/2020 3:09 PM, Michael Osipov wrote:
>> Am 2020-01-07 um 21:58 schrieb Jerry Malcolm:
>>> This may be more of a Java question than Tomcat.  But I'm not sure. 
>>> I have the same code, talking to the same MySql Linux (AWS)
>>> database.  I read a date column value in a Tomcat app.  After calling
>>> resultSet.getDate(...) I printed the date instance and the getTime()
>>> value:
>>>
>>> On windows: 2019-02-01 154900080
>>>
>>> On linux:   2019-01-31 154897920
>>>
>>> Again this is the SAME line of code in java reading the SAME field in
>>> the SAME database.  Only thing different is Linux/Windows OS.  The
>>> date is supposed to be 2/1/2019 and shows that in phpMyAdmin.
>>>
>>> I've been running on Linux for a few months.  But I don't have an
>>> extensive background in the specifics of Linux.  I'm sure there must
>>> be something that is configured differently.  I'm at a loss. But this
>>> is not a trivial problem.  I do monthly billing. My dates need to be
>>> accurate.
>>
>> Have you verified that you aren't tricked by any timezone issues?
> Probably so.  But how would I know?  I was under the impression that
> java.sql.Date was timezone independent.  Shouldn't it simply convert a
> month/day/year value to the number of milliseconds since the epoch?  How
> would timezone issues affect that?  And if I am 'tricked' how do I
> 'untrick'.  What do I set/change?

According to the AWS documentation, there are two places that you have
to set manually in order to get the timezone changed universally.

1. /etc/sysconfig/clock

This you've already changed correctly.

2. /etc/localtime

According to the documentation, you'll need to link /etc/localtime to
the appropriate /usr/share/zoneinfo/America timezone file - most likely
Chicago.

sudo ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Also, do you have chrony installed and running on your Linux instance?
This is an NTP replacement that the AWS documentation recommends, and
will sync your time with AWS time servers.

Once you do all of this, you'll have to reboot.

Here's a link to the documentation:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

For what it's worth, the following quick and dirty code (note, no
packages, ma) prints out the correct timezone (Pacific Standard Time)
before I made the link and rebooted the machine.

Here's the code (no package, bad programming practice).

tz.java:

import java.util.TimeZone;
public class tz {
public static void main(String[] args) {
System.out.println(TimeZone.getDefault().getDisplayName());
}
}

$ javac tz.java
$ java -cp . tz
Pacific Standard Time
$

As an aside, on my CentOS 6 system, there are notes in the
/etc/sysconfig/clock file:

# The time zone of the system is defined by the contents of /etc/localtime.
# This file is only for evaluation by system-config-date, do not rely on its
# contents elsewhere.

So I suspect that part of your system thinks it's UTC and part CST/CDT?

. . . just my two cents.
/mde/



signature.asc
Description: OpenPGP digital signature

Re: why is ContextListener.attributeAdded means?

[Mark Eggers]

On 7/24/2019 12:58 AM, Karen Goh wrote:
>  
> 
> 
> 
> 
> On Wednesday, July 24, 2019, 12:54:35 PM GMT+8, Mark Eggers 
>  wrote:
> 
> 
> Karen,
> 
> On 7/23/2019 7:41 PM, Karen Goh wrote:
>> Dear experts,
>>
>> I need some help again.
>>
>> I am trying to get a html page out on my browser, I changed my Tomcat server 
>> as the previous one has some Ant script 'creeping in when I downloaded an 
>> example'. However, I do not know why am I receiving an error message ?
>>
>> Background :-
>> -
>> Netbean IDE
>> Windows OS
>> Tomcat 9.0.12
>> JEE
>>
>> Error Message :
>>
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.271 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log SessionListener: 
>> contextInitialized()
>> 24-Jul-2019 10:03:27.292 INFO [main] 
>> org.apache.catalina.core.ApplicationContext.log ContextListener: 
>> attributeAdded('StockTicker', 'async.Stockticker@4fa4f485')
>>
>> Can I know why there is a ContextListner:attributeAdded('StockTicer', 
>> 'async.Stockticker@4fa4f485') as appeared in the log ?
>>
>> How do I make it go away so that I can run my webApp ?
>>
>> Thank you for your help.
>> Karen
> 
> 
> This is coming from the examples that are shipped with Tomcat. In
> particular, this appears to be from the Stock Ticker asynchronous example.
> 
> In other words, this is nothing to be concerned about.
> 
> . . . just my two cents.
> /mde/
> 
> I have never seen this log infor pop up.
> 
> Now, I have another problem - Tomcat server keeps popping up the 
> authentication gui - Tomcat manager.
> 
> I can't get this Tomcat Manager GUI to stop appear. And I have not configure 
> the app to use Tomcat Manager at all.
> 
> Please let me know how to stop if from appearing.
> 
> Tks.

This is a NetBeans thing. NetBeans uses the manager application (and the
manager-script role) to deploy or redeploy to Tomcat.

The instructions for configuring tomcat-users.xml are in that file.

Normally when you add a Tomcat server to NetBeans, it will ask to create
the user with that manager-script role if one does not exist. Or you
could supply one that you've configured in tomcat-users.xml.

Then save the password in NetBeans, so that you won't get prompted each
time there's a deploy or redeploy.

NetBeans by default will redeploy on save if you are currently running
the application. If you save the password for the user with the
manager-script role, then you should not see the prompt.

If the application is not running in Tomcat, then NetBeans won't try to
redeploy on save.

. . . just my two cents
/mde/





signature.asc
Description: OpenPGP digital signature

Re: why is ContextListener.attributeAdded means?

[Mark Eggers]

Karen,

On 7/23/2019 7:41 PM, Karen Goh wrote:
> Dear experts,
> 
> I need some help again.
> 
> I am trying to get a html page out on my browser, I changed my Tomcat server 
> as the previous one has some Ant script 'creeping in when I downloaded an 
> example'.  However, I do not know why am I receiving an error message ?
> 
> Background :-
> -
> Netbean IDE
> Windows OS
> Tomcat 9.0.12
> JEE
> 
> Error Message :
> 
> 24-Jul-2019 10:03:27.271 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log ContextListener: 
> contextInitialized()
> 24-Jul-2019 10:03:27.271 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log SessionListener: 
> contextInitialized()
> 24-Jul-2019 10:03:27.292 INFO [main] 
> org.apache.catalina.core.ApplicationContext.log ContextListener: 
> attributeAdded('StockTicker', 'async.Stockticker@4fa4f485')
> 
> Can I know why there is a ContextListner:attributeAdded('StockTicer', 
> 'async.Stockticker@4fa4f485') as appeared in the log ?
> 
> How do I make it go away so that I can run my webApp ?
> 
> Thank you for your help.
> Karen

This is coming from the examples that are shipped with Tomcat. In
particular, this appears to be from the Stock Ticker asynchronous example.

In other words, this is nothing to be concerned about.

. . . just my two cents.
/mde/



signature.asc
Description: OpenPGP digital signature

Re: OT: Tomcat on AWS for Dummies

[Mark Eggers]

Chris,

> Jerry,
> 
>> On 7/19/19 13:38, Jerry Malcolm wrote:
> I have had a dedicated hosted environment with WAMP and
> Tomcat for over 15 years.  I'm very familiar with everything
> related to that environment... apache http, mysql, dns
> server, the file system, JAMES, and all of my management
> scripts that I've accumulated over the years. Everything is
> in the same box and basically on the same desktop. But now I
> have a client that has needs that are best met in an AWS
> environment.
>> Can you explain that in a little more depth? What is it about AWS
>> that meets their needs better?
> 
>> I ask because you can provision a one-box wonder in AWS just like
>> you do on a physical space with a single server. You just have to
>> use remote-desktop to get into it, and then it's all the same.
> 
>> But if they want to use RDS, auto-scaling, and other
>> Amazon-provided services then things can get confusing.
>>> Unfortunately, that is the precise reason we need to go AWS 
>>> Extremely high availability and scalability / load-balancing
>>> across multiple instances.  There will need to at least one
>>> instance running at all times. Even when doing
>>> maintenance/upgrades on other instances.
> 
> It's not "unfortunate" necessarily. At least it makes it clear why
> they want to migrate to AWS.
> 
>> So the answer to your question really depends upon what the client 
>> thinks they'll be getting by you taking your existing product "to
>> the cloud".
> 
> I understand just enough AWS to be dangerous, which is not 
> much I do know that it's a bunch of different modules,
> and I believe I lose the direct file system access.
>> That heavily depends upon how you do things. You can get yourself
>> a server with a disk and everything, just like you are used to
>> doing.
>>> Do you mean AWS offers a 'file server' module that I can
>>> basically access directly as a drive from TC?  If so, that eases
>>> my mind a bunch. I manage and serve gigabytes of videos and
>>> photos.  I don't really want a full CMS implementation.  Just
>>> want a big hard drive I can get to.
> 
> No, AWS doesn't really have a "file server" module that you can
> enable. Do you need a large disk for bulk storage? What are you
> storing? Perhaps switching over to a key-value store (which can act
> like a filesystem) or a document-store database (e.g. CouchDB) if you
> have fairly regular documents that you want to store. All of those
> technologies are quite cloud-friendly. You can even use them
> single-node if you want to make your application available to either
> AWS-based clients OR your more traditional one-box-wonder clients. Or,
> you can abstract your "write a file somewhere" process so that you can
> swap implementations at run-time: configuration says local-disk? Use
> FileWriter. Using CouchDB? Push the file to CouchDB through it's APIs.
> 

What about using EFS (NFS store) in this environment? For Windows, an
NFS client would have to be installed, but that doesn't seem like much
of a barrier.

> 
> I've watched an AWS intro video and a couple of youtube
> videos on setting up TC in AWS. But they always starts with
> "now that you have your AWS environment set up".   I am
> looking for something that explains the big picture of
> migrating an existing WAMP+TC to AWS.  I am not so naive to
> think that there won't be significant rip-up to what I have
> now. But I don't want to do unnecessary rip-up just because I
> don't understand where I'm heading. Basically, I don't know
> enough to know what I don't know But I need to start
> planning ahead and learning soon if I'm going to have any
> disasters in my code where I might have played it too loose 
> with accessing the file system directly in my dedicated 
> environment.
>
> Has anyone been down this path before and could point me to
> some tutorials targeted to migrating WAMP+TC to AWS? Or
> possible hand-hold me just a little...? I'm a pretty quick
> learner.  I just don't know where to start.
>> As usual, start with your requirements :)
> 
>>> Requirements are what I have now in a single box, but with the
>>> addition of multiple instances of TC (and HTTPD and/or mySQL?)
>>> for HA and load balancing.
> 
> One box with multi is ... not HA. Sorry. That allows you to do things
> like upgrade the application without taking it down completely. But it
> does not allow you to perform maintenance on the OS because everything
> has to come down.
> 
>>> Day-1 launch won't be massive traffic and theoretically could be
>>> handled by my single dedicated server I have today.  But if this
>>> takes off like the client predicts, I don't want to get caught 
>>> flat-footed and have to throw together an emergency redesign to
>>> begin clustering TC to handle the traffic. Rather go live
>>> initially with single instance AWS, but with a thought-out (and
>>> 

Re: OT: Tomcat on AWS for Dummies

[Mark Eggers]

> Jerry,
> 
> On 7/19/19 13:38, Jerry Malcolm wrote:
 I have had a dedicated hosted environment with WAMP and Tomcat for
 over 15 years.  I'm very familiar with everything related to that
 environment... apache http, mysql, dns server, the file system,
 JAMES, and all of my management scripts that I've accumulated over
 the years. Everything is in the same box and basically on the same
 desktop. But now I have a client that has needs that are best met
 in an AWS environment.
> Can you explain that in a little more depth? What is it about AWS that
> meets their needs better?
> 
> I ask because you can provision a one-box wonder in AWS just like you
> do on a physical space with a single server. You just have to use
> remote-desktop to get into it, and then it's all the same.
> 
> But if they want to use RDS, auto-scaling, and other Amazon-provided
> services then things can get confusing.
>> Unfortunately, that is the precise reason we need to go AWS
>> Extremely high availability and scalability / load-balancing across
>> multiple instances.  There will need to at least one instance running at
>> all times. Even when doing maintenance/upgrades on other instances.
> 
> So the answer to your question really depends upon what the client
> thinks they'll be getting by you taking your existing product "to the
> cloud".
> 
 I understand just enough AWS to be dangerous, which is not
 much I do know that it's a bunch of different modules, and I
 believe I lose the direct file system access.
> That heavily depends upon how you do things. You can get yourself a
> server with a disk and everything, just like you are used to doing.
>> Do you mean AWS offers a 'file server' module that I can basically
>> access directly as a drive from TC?  If so, that eases my mind a bunch. 
>> I manage and serve gigabytes of videos and photos.  I don't really want
>> a full CMS implementation.  Just want a big hard drive I can get to.
> 
 I've watched an AWS intro video and a couple of youtube videos on
 setting up TC in AWS. But they always starts with "now that you
 have your AWS environment set up".   I am looking for something
 that explains the big picture of migrating an existing WAMP+TC to
 AWS.  I am not so naive to think that there won't be significant
 rip-up to what I have now. But I don't want to do unnecessary
 rip-up just because I don't understand where I'm heading.
 Basically, I don't know enough to know what I don't know But I
 need to start planning ahead and learning soon if I'm going to have
 any disasters in my code where I might have played it too loose
 with accessing the file system directly in my dedicated
 environment.

 Has anyone been down this path before and could point me to some
 tutorials targeted to migrating WAMP+TC to AWS? Or possible
 hand-hold me just a little...? I'm a pretty quick learner.  I just
 don't know where to start.
> As usual, start with your requirements :)
> 
>> Requirements are what I have now in a single box, but with the addition
>> of multiple instances of TC (and HTTPD and/or mySQL?) for HA and load
>> balancing.  Day-1 launch won't be massive traffic and theoretically
>> could be handled by my single dedicated server I have today.  But if
>> this takes off like the client predicts, I don't want to get caught
>> flat-footed and have to throw together an emergency redesign to begin
>> clustering TC to handle the traffic. Rather go live initially with
>> single instance AWS, but with a thought-out (and tested/verified) plan
>> to easily begin clustering when the need hits.
> 
>> Thanks again for the info.
> 
> 
> -chris

There are a lot of ways to approach this. I'm not sure how much is
viable under Windows, since I've only done Linux EC2 instances.

Load balancing:

You can't do multicasting (last I checked) in a cloud environment.
You'll need to use something like redis or memcache if you need to
support sessions / load balancing without sticky sessions. I recommend
steering away from sticky sessions because that complicates outages /
maintenance.

Database:

I'd look at RDS and multiple instances across availability zones. There
are some issues with fail-over and the time it takes. Look at recent AWS
forums for work-arounds.

Disks:

I think that one good design (if you can't do Docker or Elastic
Beanstalk) is to place all of your tools on an EBS volume. You can mount
this on Windows (I think - works with Linux), and access all of your
services from there.

There are several advantages to this. Backups are done by doing
snapshots of unmounted disks. You basically do the following:

1. Disconnect an instance from a load balancer
2. Unmount the driver from the instance
3. Perform the snapshot command
4. Once the snapshot command returns, remount the drive
5. Add the instance back to the load balancer

Server instances:

In a cloud environment, server 

Re: Modify web.xml in production war file

[Mark Eggers]

André:

See comments inline.

On 7/16/2019 4:37 PM, André Warnier (tomcat) wrote:
> On 16.07.2019 19:54, Martynas Jusevičius wrote:
>> Grigor,
>>
>> I think this is a use case that Docker containers at least partially
>> address.
>>
>> I find deploying containers way easier to share/deploy and more
>> platform-independent than WAR files.
>>
>> I’ve created a Tomcat-based image that accepts ENV variables and modifies
>> server.xml using their values:
>> https://github.com/AtomGraph/letsencrypt-tomcat
>>
>> I think you should be able to do the same with web.xml.
> 
> I have not seen your solution. But a question comes to mind : does this
> not just move the problem, from tomcat to the Docker container then ?
> 
> Why not provide a (shell ? perl ?) installer/updater script, along with
> the application WAR, which modifies the application's web.xml (or the
> server's web.xml) in function of some site-specific parameter file,
> which is located somewhere outside the tomcat directories and remains
> there ?

What I've done depends on how complex the target environment is.

For simple environments, I do the following:

1. Create a maven deploy job for Jenkins
2. The maven job:
   a. has the base WAR as a dependency
   b. stuff that needs replacing is in the maven job
3. Jenkins supplies environment variables used for replacing
   a. environment variables are set based on target characteristics
   b. all values are recorded in the Jenkins job log

Like I said, this works for simple changes, and obviously not for
Tomcat-related changes. I currently don't keep a copy of the WAR file,
which may lead to some challenges when trying to reproduce a deployment.
However, I've not run into any issues yet.

For more complex environments (where I have to change Tomcat), then I
think a Docker solution is reasonable. I'm currently looking at this
with using Redis as a session manager, and log4j2 for logging.

I can take a standard Tomcat Docker image, and use a Docker file to make
all the alterations. If I drive this from Maven, I can manage the WAR
and other dependencies as well.

Finally, I can take the resulting Docker image (altered Tomcat,
environment-specific WAR file), and push it to a private repository with
some suitable label. Now I have a good / reproducible way to regenerate
my environment - for example, disaster recovery.

Run this entire mess from Jenkins (or your CI/CD tool of choice), and
you get a simple way to deploy applications.

It all depends on the requirements, I guess.

. . . just my two cents.
/mde/

>>
>> Martynas
>>
>> On Fri, 12 Jul 2019 at 21.44, Grigor Aleksanyan
>>  wrote:
>>
>>> Hi Everyone,
>>>
>>> We have been shipping web application with war packaging in our
>>> production
>>> builds which contains a web.xml with few security sections.
>>> This web.xml defines security constraints that are in most cases not
>>> what
>>> the final deployment uses. This means that to update the war we need to
>>> save new web.xml somewhere, copy the new war, run the server so that it
>>> extracts the war, then shut down the server and copy web.xml back.
>>> This is
>>> a headache for our cloud based web services upgrade as well as in all
>>> other
>>> deployment scenarios, including tests.
>>>
>>> To facilitate deployment we've added a new packaging of another war
>>> file,
>>> which is the same as our original war but its web.xml doesn't contain
>>> any
>>> security sections.
>>> With an empty web.xml (in terms of security), the security can be
>>> defined
>>> via server's conf/web.xml, where it belongs, since the security is in
>>> reality defined by the server rather than the war application.
>>> It would be great if we could just replace our default web.xml but if
>>> some
>>> user uses our default web.xml, they would become unsecured after an
>>> upgrade, so we opted for a separate war.
>>>
>>> Do you guys see any other way of achieving what we aim to achieve
>>> with the
>>> new war file with default web.xml (backwards compatibility is a
>>> constraint
>>> in our case)?
>>> Maybe there is a way of ignoring security sections in the war or we can
>>> make it configurable in the code based on some config/env variable?
>>>
>>> Please let me know if you have any considerations about this, any help
>>> would be appreciated.
>>>
>>> Thank you,
>>> -Grigor
>>>
>>> -- 
>>>
>>>
>>> *
>>> *
>>> *CONFIDENTIALITY NOTE:* THIS E-MAIL MESSAGE AND ANY ATTACHMENTS MAY
>>> CONTAIN CONFIDENTIAL AND PRIVILEGED INFORMATION OF ONEMARKETDATA,
>>> LLC.  IT
>>> IS FOR THE SOLE USE OF THE INTENDED RECIPIENT(S) AND ANY UNAUTHORIZED
>>> REVIEW, USE, COPYING OR DISCLOSURE IS PROHIBITED. IF YOU ARE NOT THE
>>> INTENDED RECIPIENT, PLEASE CONTACT THE SENDER IMMEDIATELY BY REPLY
>>> E-MAIL
>>> OR BY TELEPHONE AT +1 201 710 5977, AND DESTROY ALL COPIES OF THIS
>>> MESSAGE
>>> FROM YOUR SYSTEM.
>>>
>>> E-SIGNATURE NOTICE: Unless specifically set forth
>>> herein, the transmission of this communication is not intended to be a
>>> legally 

Re: Refreshing webapps slows server

[Mark Eggers]

Jerry,

On 8/23/2017 9:29 AM, Jerry Malcolm wrote:
> I have a very weird situation.  I have a  staging server and a
> production server running on the same instance of TC (8.0).  When I'm
> doing development and testing on the staging server, I'm often replacing
> jar files and JSPs in the various webapps running on the staging server
> (I don't reupload full WAR files each time... just incremental jar/jsp
> changes).  TC recognizes the updated jar files and reloads.  Both
> production and development sites continue to function (including using
> the new updated jars, etc).  But over time, Tomcat starts getting slower
> and slower in response time, sometimes hitting an OutofMemory error. 
> Response time on a request goes from milliseconds to 20+ seconds. 
> Bouncing TC fixes everything.
> 
> This is somewhat circumstantial.  But TC will run fine for days and
> never hits OutofMemory situations.  But as soon as I start replacing
> webapp jar files, things start going bad.  So it appears that the issue
> is caused by replacing jar files.
> 
> Is this a recognized situation?  I don't want to have to bounce the
> production site every time I refresh the staging code.  But I need to
> test updates on the staging site on the same server.  Are there
> alternatives to keep this slowdown from occurring? Suggestions?
> 
> Thx.
> 
> Jerry

What version of Java are you running? What type of out of memory error
are you getting?

I don't know how big your WAR files are, so the following may not be an
option.

1. Use versioned WAR files
2. Use sessions in your application with reasonable session-timeout
3. Configure server.xml for undeployOldVersions

See the following:

http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Common_Attributes

https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Parallel_deployment

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat 9 won't start according to Eclipse

[Mark Eggers]

Roparzh,

On 8/2/2017 10:07 PM, Roparzh Hemon wrote:
> On Wed, Aug 2, 2017 at 2:30 PM, Konstantin Kolinko
>  wrote:
>> 2017-07-28 20:51 GMT+03:00 Roparzh Hemon :
>>> On Fri, Jul 28, 2017 at 6:18 PM, Konstantin Kolinko
>>>  wrote:

 Double click on the server (in "Servers" view) -> set "[x] Publish
 module context to separate XML files".
>>>  When I right-click on "Servers" in Project Explorer, I do not see
>>> any "Publish module"
>>> item. I also found a "Server" item in Preferences, which has a
>>> "Audio/Launching/Overlays/Profilers/Runtime environments" submenu.
>>
>>
>> http://help.eclipse.org/neon/topic/org.eclipse.platform.doc.user/concepts/concepts-5.htm
>> Help > Workbench User Guide > Concepts > Views
>>
>> To open the "Servers" view go to menu "Window" > "Show View" > "Other..."
>>
>> A dialog named "Show View" opens.
>> Type "ser" in the filter box at the top of the dialog.
>> Choose "Server" > "Servers", click OK.
> 
>   This simply sends me back to the Server component in Project
> Explorer (which I could attain by simply clicking on it instead of
> doing the more complicated sequence of operations you describe). I
> repeat, I do not see any "Publish module" item anywhere. All I see is,
> for each server, a list consisting of the following files :
> catalina.policy, catalina.properties, context.xml, server.out.xml,
> server.xml, tomcat-users.xml, web.xml.

When you do Window -> Show Views -> Servers and select servers, you'll
get a new pane at the bottom middle of the IDE, labeled servers.

In that pane, you'll see a list of all the servers that you have
configured in your IDE and their states.

If you double-click on one of the servers in the bottom pane, it will
open up the overview in the main editor window. This is a GUI
representation of the main configuration options for that server.

The Server Options will be found in the left hand column at the bottom.
The second checkbox is 'Publish module context to separate XML files'.
Check that box.

Then save the configuration (Ctrl-S or File -> Save) and close the
configuration.

The key here is to double-click (not right-click) the server listed in
the server pane at the bottom center of the IDE.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat is starting but unable to launch homepage in Linux. When launched from a browser from local machine it keep on rotating.

[Mark Eggers]

Chaitanya,

On 7/31/2017 10:34 AM, Chaitanya Sabbineni wrote:
> Hi All,
> 
> Even though I use tomcat default port 8080 it's the same I am able to do
> wget and curl but when launching the ui from local Windows machine it's
> keep on rotating but never opens
> 
> Thanks in advance
> 
> On Mon, 31 Jul 2017 11:00 pm M. Manna,  wrote:
> 
>> What happens if you use the Tomcat default settings - not using 8083 port?
>> Does that work?
>>
>> On 31 July 2017 at 18:18, Chaitanya Sabbineni 
>> wrote:
>>
>>> Hi All,
>>>
>>> Can anyone please help me with the issue
>>>
>>> I installed tomcat on Linux server and I deployed my application on
>> tomcat.
>>> Tomcat is starting fine and I can confirm this as in the tomcat log I can
>>> see server started in 1234 milliseconds.
>>> When I try to launch the tomcat homepage from my local machine it not
>>> opening but keep on rotating.
>>>
>>> I configured tomcat to listen on port 8083.
>>> I executed the command curl -v http:// verb.pass.com:8083 and I am able
>> to
>>> get response.
>>>
>>> Even I tried wget http:// verb.pass.com:8083 and I got response too.
>>>
>>> When I tried telnet to the port from my local machine it's failed.
>>> telnet verb.pass.com 8083
>>>
>>> Failed on port 8083.
>>>
>>> Can anyone please let me know why I am not able to launch the home page.
>>>
>>> Thanks & Regards,
>>> Chaitanya
>>>
>>
> 

Silly question: Is verb.pass.com in DNS anywhere?

If not, you'll have to edit your Windows host file to include the IP
address.

Also, as others have pointed out you may have a firewall issue that
prevents remote connections to port 8080 (or 8083).

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat 9 won't start according to Eclipse

[Mark Eggers]

Roparzh,

On 7/28/2017 12:37 AM, Roparzh Hemon wrote:
> On Thu, Jul 27, 2017 at 5:35 PM, Mark Eggers 
> <its_toas...@yahoo.com.invalid> wrote:
> 
>> Images are stripped. Please type out the text.
> 
> Sorry about that, the full error message said
> 
> 'Starting Tomcat v9.0 Server at localhost (2)' has encountered a
> problem Server Tomcat v9.0 Server at localhost (2) failed to start.
> 
> Thanks for all the rest of your feedback. I'll try to switch to 
> Tomcat 8.15.6 and see if it works.

That's an annoyingly uninformative error message.

There are two other places to look for error messages that might be more
informative. This all depends on how you've added Tomcat to Eclipse. I
am going to assume that you picked the 'use workspace metadata' option
since it's the default.

1. Console tab

When you start Tomcat, you'll see a bunch of messages in the console tab
at the bottom of the IDE. This appears to be catalina.out.

Try starting Tomcat again, and copy / paste those messages into a mail
message.

2. Any other logs

In the console tab, one of the lines will be something similar to the
following:

-Dcatalina.base=C:\Users\username\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0

This is Eclipse setting $CATALINA_BASE. You' find the entire structure
of Tomcat below the directory listed above. So additional log files will
be found in (for example):

C:\Users\username\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\logs

Since you're on a Macintosh, the path will obviously look different. I
doubt that there are any logs there if Tomcat does not start up, but it
doesn't hurt to look.

My initial guess is that you have Tomcat running as a service left over
from your previous attempts and that it is bound to port 8080 already.
Make sure that your Tomcat service is stopped before you start Tomcat
from within Eclipse.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: Tomcat 9 won't start according to Eclipse

[Mark Eggers]

Roparzh,

On 7/27/2017 12:08 AM, Roparzh Hemon wrote:
> Hello all, in Eclipse Neon.3 Release (4.6.3) I get the following error
> message :
> 
> 
> 
> ​
> 
> 
> Any help appreciated.
> ​

Images are stripped. Please type out the text.

I just tried 9.0.0M22 on Eclipse Oxygen and it worked as expected.

Please also note that there isn't a released version of JBoss Tools for
Eclipse Oxygen. I don't believe that Eclipse Oxygen supports Tomcat 9
out of the box, but I could be wrong.

In order to get JBoss Tools for Eclipse Oxygen, you'll have to use a
nightly build. Those can be obtained from:

http://tools.jboss.org/downloads/jbosstools/oxygen/4.5.0.AM2.html

Or as the instructions on that page state, search for JBoss Oxygen in
the Eclipse marketplace.

If I remember correctly, you're about to teach yourself J2EE development
(or more properly servlet container development). If that's the case, I
would like to recommend a less bleeding edge approach.

1. Eclipse Neon.3 - works, and the plugins are available / stable

Eclipse Oxygen seems to be OK, but you'll have to deal with milestone
plugins.

2. Apache Tomcat 8.5.16 - production-ready Tomcat

Tomcat 9 is great don't get me wrong, but it's flagged as alpha
(probably mostly because servlet spec 4 isn't finished yet).

BTW 8.5.19 is being voted on in the developers' list.

3. Head First Servlets and JSP 2nd Edition - great book

This edition covers servlet specification 2.5. I know, this means that
you don't get annotations, etc. However, I've found it to be a solid
foundation for learning the basics of servlet / jsp programming, along
with a bunch of good habits.

It all comes down to your requirements. I like bleeding edge stuff. I
run Fedora Linux on a laptop. I think that it's a great platform.

However, I would never think of running Fedora Linux as a server. I also
would think long and hard about recommending Fedora Linux to developers
who are a bit uncomfortable with systems and infrastructure.

The same goes for your development environment.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat 9 M22 doesn't stop

[Mark Eggers]

Rainer,

On 7/22/2017 2:37 PM, Rainer Jung wrote:
> Am 22.07.2017 um 22:48 schrieb Mark Eggers:
>> On 7/22/2017 12:50 AM, Aurélien Terrestris wrote:
>>> Hello,
>>>
>>> I'm trying the latest Tomcat (9.0.0.M22) with all the default
>>> settings and
>>> applications. When shutting down, it doesn't stop and I'm staying with a
>>> java process which cannot handle any request.
>>> When setting the CATALINA_PID and trying a shutdown -force, it ends in
>>> killing the process.
>>>
>>>
>>>
>>> Here is the catalina.out, with a thread-dump done 20 minutes after the
>>> shutdown :
>>>
>>> 18-Jul-2017 08:49:50.110 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Server
>>> version:Apache Tomcat/9.0.0.M22
>>> 18-Jul-2017 08:49:50.112 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Server
>>> built:  Jun 21 2017 09:44:18 UTC
>>> 18-Jul-2017 08:49:50.112 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Server
>>> number: 9.0.0.0
>>> 18-Jul-2017 08:49:50.112 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log OS
>>> Name:   Linux
>>> 18-Jul-2017 08:49:50.112 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log OS
>>> Version:3.10.0-514.el7.x86_64
>>> 18-Jul-2017 08:49:50.112 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log
>>> Architecture:  amd64
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Java
>>> Home:
>>> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log JVM
>>> Version:   1.8.0_131-b12
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log JVM
>>> Vendor:Oracle Corporation
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log
>>> CATALINA_BASE: /home/testusr/cluster/apache-tomcat-9.0.0.M22
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log
>>> CATALINA_HOME: /home/testusr/cluster/apache-tomcat-9.0.0.M22
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument:
>>> -Djava.util.logging.config.file=/home/testusr/cluster/9/conf/logging.properties
>>>
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument:
>>> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument: -Djdk.tls.ephemeralDHKeySize=2048
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
>>> 18-Jul-2017 08:49:50.113 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument: -Dcatalina.base=/home/testusr/cluster/9
>>> 18-Jul-2017 08:49:50.114 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument: -Dcatalina.home=/home/testusr/cluster/9
>>> 18-Jul-2017 08:49:50.114 INFO [main]
>>> org.apache.catalina.startup.VersionLoggerListener.log Command line
>>> argument: -Djava.io.tmpdir=/home/testusr/cluster/9/temp
>>> 18-Jul-2017 08:49:50.114 INFO [main]
>>> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR
>>> based
>>> Apache Tomcat Native library which allows optimal performance in
>>> production
>>> environments was not found on the java.library.path:
>>> [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
>>> 18-Jul-2017 08:49:50.191 INFO [main]
>>> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
>>> ["http-nio-127.0.0.1-8080"]
>>> 18-Jul-2017 08:49:50.210 INFO [main]
>>> org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a
>>> shared
>>> selector for servlet write/read
>>> 18-Jul-2017 08:49:50.213 INFO [main]
>>>

Re: Tomcat 9 M22 doesn't stop

[Mark Eggers]

On 7/22/2017 12:50 AM, Aurélien Terrestris wrote:
> Hello,
> 
> I'm trying the latest Tomcat (9.0.0.M22) with all the default settings and
> applications. When shutting down, it doesn't stop and I'm staying with a
> java process which cannot handle any request.
> When setting the CATALINA_PID and trying a shutdown -force, it ends in
> killing the process.
> 
> 
> 
> Here is the catalina.out, with a thread-dump done 20 minutes after the
> shutdown :
> 
> 18-Jul-2017 08:49:50.110 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server
> version:Apache Tomcat/9.0.0.M22
> 18-Jul-2017 08:49:50.112 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server
> built:  Jun 21 2017 09:44:18 UTC
> 18-Jul-2017 08:49:50.112 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Server
> number: 9.0.0.0
> 18-Jul-2017 08:49:50.112 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log OS
> Name:   Linux
> 18-Jul-2017 08:49:50.112 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log OS
> Version:3.10.0-514.el7.x86_64
> 18-Jul-2017 08:49:50.112 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log
> Architecture:  amd64
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Java
> Home:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log JVM
> Version:   1.8.0_131-b12
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log JVM
> Vendor:Oracle Corporation
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log
> CATALINA_BASE: /home/testusr/cluster/apache-tomcat-9.0.0.M22
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log
> CATALINA_HOME: /home/testusr/cluster/apache-tomcat-9.0.0.M22
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument:
> -Djava.util.logging.config.file=/home/testusr/cluster/9/conf/logging.properties
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djdk.tls.ephemeralDHKeySize=2048
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> 18-Jul-2017 08:49:50.113 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Dcatalina.base=/home/testusr/cluster/9
> 18-Jul-2017 08:49:50.114 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Dcatalina.home=/home/testusr/cluster/9
> 18-Jul-2017 08:49:50.114 INFO [main]
> org.apache.catalina.startup.VersionLoggerListener.log Command line
> argument: -Djava.io.tmpdir=/home/testusr/cluster/9/temp
> 18-Jul-2017 08:49:50.114 INFO [main]
> org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based
> Apache Tomcat Native library which allows optimal performance in production
> environments was not found on the java.library.path:
> [/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib]
> 18-Jul-2017 08:49:50.191 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["http-nio-127.0.0.1-8080"]
> 18-Jul-2017 08:49:50.210 INFO [main]
> org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
> selector for servlet write/read
> 18-Jul-2017 08:49:50.213 INFO [main]
> org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
> ["ajp-nio-127.0.0.1-8009"]
> 18-Jul-2017 08:49:50.215 INFO [main]
> org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
> selector for servlet write/read
> 18-Jul-2017 08:49:50.218 INFO [main]
> org.apache.catalina.startup.Catalina.load Initialization processed in 495 ms
> 18-Jul-2017 08:49:50.239 INFO [main]
> org.apache.catalina.core.StandardService.startInternal Starting service
> [Catalina]
> 18-Jul-2017 08:49:50.239 INFO [main]
> org.apache.catalina.core.StandardEngine.startInternal Starting Servlet
> Engine: Apache Tomcat/9.0.0.M22
> 18-Jul-2017 08:49:50.248 INFO [main]
> org.apache.catalina.startup.HostConfig.deployDirectory Deploying web
> application directory
> [/home/testusr/cluster/apache-tomcat-9.0.0.M22/webapps/ROOT]
> 18-Jul-2017 08:52:23.690 WARNING [main]
> org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation
> of SecureRandom instance for session ID generation using [SHA1PRNG] took
> [153,172] milliseconds.
> 18-Jul-2017 08:52:23.705 INFO [main]

Re: Unable to run "Hello World" in Eclipse JEE on Mac 10.11.3

[Mark Eggers]

Roparzh,

This is going to be very long. I just wrote this, but have NOT done more
than a cursory proof-reading.

I hope that you find it useful.

On 7/22/2017 12:14 AM, Roparzh Hemon wrote:
> On my Mac 10.11.3 I've installed the Eclipse JEE IDE (Version: Neon.3
> Release (4.6.3)) I also installed apache-tomcat 9 on my Mac, using the
> following commands :
> 
> sudo mkdir -p /usr/local sudo mv ~/Downloads/apache-tomcat-9.0.0.M21
> /usr/local sudo rm-f /Library/Tomcat sudo ln -s
> /usr/local/apache-tomcat-9.0.0.M21/ /Library/Tomcat sudo chown -R
> roparzhhemon /Library/Tomcat sudo chmod +x /Library/Tomcat/bin/*.sh
> 
> When I try "Run as server" on a minimal html file in JEE, I get the
> following error message :
> 
> Could not load the Tomcat server configuration at /Servers/Tomcat v9.0
> Sever at localhost-config. The configuration may be corrupt or
> incomplete.

This is going to be very long, and I'm going to split this into two
parts. Part A will be a straightforward (I hope) set of instructions.
Part B will reference Part A and give some rational (I hope) reasons for
why I do the things the way I do.

Please note that I don't have a Macintosh (yet). Please also note that I
prefer NetBeans. However since the environment I build at $work has to
support both NetBeans and Eclipse, I am a little familiar with Eclipse.
I'll try to keep the soapbox stuff to a minimum.

The instructions will be for UNIX-like systems (MacOS, Linux), The
Windows instructions are similar, only the locations and commands will
be changed to reflect the operating system.

Let's get started.

Part A - Quick Installation
===

0. JDK - Needed if you use Maven

1. Install Tomcat

a. mkdir ~[user-name]/Apache
b. cp ~[user-name]Downloads/apache-tomcat-.tar.gz \
   ~[user-name]/Apache
    is the version that you want
c. cd ~[user-name]/Apache; tar xvfz apache-tomcat-.tar.gz

2. Install Maven (not required, but nice to have)

a. cp ~[user-name]/Downloads/apache-maven-3.5.0-bin.tar.gz \
   ~[user-name]/Apache
b. cd ~[user-name]/Apache; tar xvfz apache-maven-3.5.0-bin.tar.gz
c. ln -s ~[user-name]/Apache/apache-maven-3.5.0 \
   ~[user-name]/Apache/maven
d. edit .bash_profile (create if needed)
   PATH=$PATH:$HOME/Apache/maven/bin
   export PATH

3. Install Eclipse

You're on your own here. It looks like Eclipse for the Macintosh is
significantly different than Eclipse for Linux.

4. Install Eclipse Plugins

You will use the Eclipse Marketplace plugin to install the following:

a. JBoss tools (required for adding Tomcat 9 to Eclipse)
b. Log Viewer (nice to have for viewing log files)
c. Glassfish tools (nice to have for J2EE documentation)

5. Configuring Eclipse

This is going to be really difficult to show without screen captures.
However, I'll give it a shot.

a. JVM - required if you use Maven
1. Navigate to Windows->Preferences->Java->Installed JREs
2. Click on the Add button
3. Select Standard VM and clieck the Next button
4. Click on the Directory button
5. Browse to the JRE included with the JDK
   It will be underneath the JDK directory
6. Click the Finish button
7. Click the checkbox next to the new JRE (JDK) to make it the default

b. External Maven - if you use Maven
1. Navigate to Windows->Maven->Installations
2. Click on the Add button
3. Leave the External radio button selected
4. Click on the Directory button
5. Browse to ~[user]/Apache/maven
6. Click on the Finish button
7. Click the checkbox next to the new Maven to make it the default

c. Tomcat servers
1. In the bottom panel, select the Servers tab
2. Right-mouse click in the empty window (how is this done on a
   Macintosh?)
3. Select New->Server from popup menu
4. Browse to Tomcat v9.0 Server in the Select the server type
5. Change the name (not necessary) to Tomcat v9.0.0.M22
6. Click the Next button
7. Click on the Browse button
8. Browse to ~[user]/Apache/
9. Select apache-tomcat-9.0.0.M22
10. Click OK
11. Click Finish
12. Repeat the above for each type of Tomcat server you want to install

Part B - Notes
===

1. Install Tomcat

It's been my philosophy to never use a system Tomcat for development
work. You will run into multiple permissions problems, including not
being able to start / stop Tomcat easily, read log files, modify server
configurations, or have it controlled by the IDE.

If you have a system-wide Tomcat running on the default ports (8005,
8009, 8080), you'll have to change your locally installed Tomcat ports.
It's different in Eclipse, using the standard server setup.

Here's how you do this in Eclipse:

a. In the bottom panel, select the Servers tab
b. Select the server you wish to work on
c. Hit F3 to open the server configuration
d. Make sure that you are on the Overview tab
e. Find the server ports on the right hand side
f. Edit them
g. Ctrl-S to save the configuration
h. Close the file

This by default edits server metadata and DOES NOT alter your Tomcat
installation. In other words, if you launch 

Re: Unable to run "Hello World" in Eclipse JEE on Mac 10.11.3

[Mark Eggers]

Roparzh,

On 7/22/2017 12:14 AM, Roparzh Hemon wrote:
> On my Mac 10.11.3 I've installed the Eclipse JEE IDE (Version: Neon.3
> Release (4.6.3)) I also installed apache-tomcat 9 on my Mac, using the
> following commands :
> 
> sudo mkdir -p /usr/local sudo mv ~/Downloads/apache-tomcat-9.0.0.M21
> /usr/local sudo rm-f /Library/Tomcat sudo ln -s
> /usr/local/apache-tomcat-9.0.0.M21/ /Library/Tomcat sudo chown -R
> roparzhhemon /Library/Tomcat sudo chmod +x /Library/Tomcat/bin/*.sh
> 

Don't do this. You will have permissions problems partially due to the
way Eclipse runs servers by default.

Also, I don't think Eclipse Neon 3 supports Tomcat 9 out of the box.
You'll need the JBoss Tools plugins (which contain a lot of good stuff).

> When I try "Run as server" on a minimal html file in JEE, I get the
> following error message :
> 
> Could not load the Tomcat server configuration at /Servers/Tomcat v9.0
> Sever at localhost-config. The configuration may be corrupt or
> incomplete.
> 
> Any help appreciated.

I'm in the process of writing up a very long and detailed message on how
I get everything running on Linux / Windows. The Linux stuff should be
applicable to the Macintosh.

I'll post this here when I'm done. Please be aware that it's going to be
very long and have not so much to do with Tomcat. I'll label it [OT] so
other readers can pass on it.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: [OT] Unable to install Tomcat 9 on Windows 10

[Mark Eggers]

Chris,

Replies inline:

On 7/21/2017 10:01 AM, Christopher Schultz wrote:
> Roparzh,
> 
> On 7/20/17 2:16 PM, Roparzh Hemon wrote:
>> On Thu, Jul 20, 2017 at 8:03 PM, Christopher Schultz 
>>  wrote:
> 
>>> 4. Java on Windows is a nightmare. If you want to quip about
>>> moving to a "real server OS," then suggest switching to a
>>> UNIX-like OS, where the Real Servers run :)
> 
>> I am quite curious and interested in what you say here, because my 
>> feedback and experience go the opposite direction.
> 
> Problems I've had on Windows with Java-based programs as listed below.
> Not all issues are Java-specific, however. I suspect most of these
> problems are because I just "don't know Windows well enough". Fair
> enough. But they are so irritating, they have made me confident I will
> never use Windows for anything production-related.
> 
> 1. Watching a log file is not easy. No "tail". No command-line tools
> to look at text files, other than "TYPE". Want to see that log file?
> Open in Notepad. Oh, is your log file too big? Sorry, try a different
> GUI editor. Oh, does your log file have newlines instead of CRLF?
> Unreadable: must use WRITE.EXE or install another tool.

There are a lot of solutions for this:

1. My favorite - install cygwin
2. Eclipse has a plugin (since you use Eclipse)

The Eclipse Log Viewer is a non blocking IO stream reader that
can tail any number of files and eclipse consoles.
It allows to syntax color the log files with either a regular
expression or a word match.

3. Powershell command (have not tried this)

Get-Content -Path "C:\scripts\test.txt" -Wait

> 
> 2. Running as a service is a headache. First, you need a wrapper
> program, but that wrapper program needs to fit into the Windows
> Service scheme. It's like systemd except without configuration files
> and instead you need configuration programs. This program can't return
> any useful status information (e.g. exit value) because anything other
> than 0 exit status means "error" and the service looks like it failed.
> Same is true with scheduled jobs, btw (and is worse, since
> scheduled-jobs really need to be able to return status information).
> If you want to use the command-line (let's just admit that Windows is
> completely unusable from the command-line), using "NET" to start/stop
> services is particularly difficult because the service name is always
> some 90-character string with spaces and special characters that need
> to be escaped. Using GUI tools gives you carpal tunnel syndrome with
> all the clicking required.
> 

This is one of the many reasons why I don't run Tomcat as a service on
development machines.

1. "Install" Tomcat from a zip or tar.gz file
2. Configure IDE to start / stop / debug Tomcat
3. Profit (more or less)

> 3. There are a handful of programs all which launch Java in different
> ways. You need javaw.exe if you don't want to see a console window,
> java.exe will always show a console window. If you use javaw.exe,
> stdout/stderr is discarded.
> 
> 4. File paths have unexpected quirks. This is not unique to Java and
> is getting much better where Java is concerned, since URL handlers are
> improving over time. Drive letters, UNC paths, network shares, etc.
> are all a headache to use because you have to know the incantation for
> each one to make it work. Sometimes you must map a network drive
> letter. Out of drive letters? Too bad. Sometimes \\server\share works.
> Maybe? Depends on the exact versions of everything involved.
> 
> 5. Scripting is awful. I'm sure PowerShell makes it better. But there
> was solution to this invented in the 1970s that is very powerful. It's
> sad that it took Windows 25 years to get a decent shell/script
> framework. Have a look at catalina.bat versus catalina.sh if you want
> to get a sense of how awful scripting in Windows actually is.
> 

Scripting is awful. Again, I install cygwin on all of my Windows machines.

OK - I'm avoiding installing cygwin on my Windows 10 laptop. We'll see
how much pain I can endure in my effort to learn PowerShell. It's the
same way I learned vi.

1. Install vi on my Windows machine (long time ago and far away)
2. Use nothing but vi (eschewing SPF editor / mainframe - long time ago)
3. Profit (or at least learnit)

>> My goal is to self-teach myself Java in JEE for Web development. I
>> am a long-time Mac fan, but on my mac I got stuck by a
>> configuration problem in JEE and got ZERO feedback on half a dozen
>> forums and mailing lists, including this one. In contrast, in this
>> windows question I got a lot of feedback very quickly.
> 
> Well, welcome to the community. If you ever meet me in person, you'll
> see I'm not such a miserable bastard as this thread would indicate.
> 
> -chris
> 

My overall goal in all of this is to have a single way of doing things
regardless of platform (object oriented development environment design).
I figure that I have enough to learn without trying to remember 

Re: [OT] Unable to install Tomcat 9 on Windows 10

[Mark Eggers]

Roparzh,

On 7/21/2017 9:35 AM, Christopher Schultz wrote:
> Roparzh,
> 
> On 7/20/17 10:23 PM, Roparzh Hemon wrote:
>> On Thu, Jul 20, 2017 at 8:44 PM, Mark Thomas 
>> wrote:
>>> On 20/07/17 19:16, Roparzh Hemon wrote:
 I am a long-time Mac fan, but on my mac I got stuck by a
 configuration problem in JEE and got ZERO feedback on half a
 dozen forums and mailing lists, including this one.
>>>
>>> Reference please. A quick search of the archives suggests this is
>>> the first question you have asked on this list.
>>>
> 
>> You are technically correct, my bad, the question I was referring
>> to was on the Apache mailing list, not this Tomcat mailing list :
>> look at 
>> http://httpd.markmail.org/search/?q=#query:%20list%3Aorg.apache.httpd.
> users+page:13+mid:w72upzzpj4uh3bgk+state:results
> 
> I'm
> 
> not surprised you got no response: that's the list for the native
> web server. They probably just thought you were lost.
> 
> Your problem is actually with Eclipse and had nothing to do with what
> platform you are on. I've been developing Java web applications since
> 2000, and I use Eclipse, and I've never used Eclipse's "Run as
> server". So I would count myself pretty knowledgeable and even I would
> be no help.
> 
> Try re-posting your question on THIS list and see if you get better
> answers.
> 
> -chris

Although I run (mostly) on Windows and develop (mostly) using NetBeans,
I think that I can help with this.

Post your question here, and I can walk you through how I do this on
Windows and Eclipse / Oxygen.

Basically, my philosophy for development machines is the same regardless
of platform or IDE.

1. Keep the Tomcat installation in a directory that you own / control
2. Do not run Tomcat as a service (Windows, Linux, MacOS)
3. Control the start / stop / debug server commands through the IDE

Approaching a development machine in this fashion gives you lots of
flexibility, and avoids potential permissions problems.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Unable to install Tomcat 9 on Windows 10

[Mark Eggers]

Roparzh,

On 7/20/2017 6:45 AM, Roparzh Hemon wrote:
>  Hello all,
> 
>  I am currently unable to install Tomcat 9.0 on my Windows 10
> system (I didn't install any other version of Tomcat so far).
>  I've retried several times and the same problem appears over and
> over again :
>  The install process goes on smoothly with the install wizard, up
> to the point where I see the following output :
> 
>  Installing Tomcat9 service
>  Apache Tomcat Setup
>  Failed to install Tomcate9 service.
>  Check your settings and permissions.
>  Ignore and continue anyway (not recommended) ?
>  Abort / Retry / Ignore
> 
>How exactly should I "check my settings and permissions"  ?
>Any help appreciated.

I had no issue installing Apache Tomcat 9.0.0 M22 on my Windows 10
laptop as a service.

Here are the steps that I took.
0. I already have a folder: C:\Users\[username]\Apache
1. Make a new folder in that one - called apache-tomcat-9.0.0.M22
2. download apache-tomcat-9.0.0.M22.exe
3. launch the installer
4. Agree to the UAC prompt
5. Follow the install wizard
6. Didn't automatically start the service or read the readme.txt

To run:

1. open the start menu
2. browse to Apache Tomcat 9.0 Tomcat9
3. Start the Monitor Tomcat application
4. Dig the Monitor Tomcat application out of the hidden icons
5. Right-mouse click on the running Monitor Tomcat application
6. Select Start service
7. Browse to http://localhost:8080

All that being said, I don't normally run Tomcat as a service on my
development machines. I typically download the appropriate zip file,
unpack it somewhere, and run from that.

I find that the zip file installation integrates much more nicely with
various IDEs. In particular I use NetBeans 8.2, which uses the standard
manager interface for deploying applications. Eclipse with the JBoss
Tools plugin works OK as well.

As far as Macintosh vs. Windows vs. Linux . . . running Tomcat and a
J2EE IDE should be pretty much the same across all platforms.

I prefer Linux, use Windows (7 and 10), and don't (yet) own a Macintosh
(which explains why I don't answer Macintosh questions).

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat is stopping on its own even though stop script is not executed

[Mark Eggers]

Chaitanya,

This will be long and somewhat speculative.

On 7/20/2017 9:00 AM, Christopher Schultz wrote:
> Chaitanya,
> 
> On 7/20/17 11:03 AM, Chaitanya Sabbineni wrote:
>> Stop script in the sense it's Catalina script only but we usually
>> stop tomcat using the command Catalina.sh stop. But in our case we
>> are not manually executing this script to stop tomcat and tomcat is
>> stopping on its own.
> 
>> our main problem here us tomcat is stopping on its own and it needs
>> a restart.
> 
> Right.
> 
>> If I understand you correct you are telling TimerThread that does
>> not stop when the application is shut down. Can you let me know
>> what actually the timer thread mean. And moreover if the timer
>> thread didn't stop ideally tomcat shouldn't stop but in our case
>> it's stopping.
> 
> Tomcat is stopping but the JVM is not. If your application were to
> shut-down cleanly, then the JVM would exit as well. This is unrelated
> to your real problem (unexpected Tomcat shutdown), but you might want
> to look into fixing that, because it makes your application impossible
> to reload without risking serious heap space problems.
> 
>> Yes my question is why Tomcat is being shut down at all.
> 
>> Yes when ever tomcat is stopping on own(not daily) it stops at
>> 02:00 . You mentioned that your  guess is that we are using a
>> service runner that is configured to bounce your services at
>> 02:00.Can let me know what this service runner is and how to check
>> it.
> 
> I know nothing about your environment. Until you mentioned
> "catalina.sh stop" above, I didn't even know you were on a UNIX-like
> environment. Honestly, I assumed you were on Windows because
> "mysterious service stoppage" has Microsoft Windows behavior written
> all over it.
> 
> There are two ways to trigger a Tomcat shut down:
> 
> 1. Send a TERM signal to the process
> 2. Connect to Tomcat's shutdown listener (default: port 8005) and give
> the shutdown command (default: "SHUTDOWN")
> 
> You can eliminate one of those possibilities by setting the shutdown
> port in server.xml to "" (empty) which will disable this type of shutdow
> n:
> 
>  
> You cannot disable the other type of shutdown... any user on the
> system who can send a TERM signal to your process could terminate Tomcat
> .
> 
> As for catching whoever is shutting down your Tomcat, you may want to
> look at who has administrative access to your server, and who has
> access to the user running your Tomcat server.
> 
> Check your syslog to find sudo and cron events that might be
> automatically shutting-down Tomcat.
> 
> If you want to catch a TCP connection, you will likely have to enable
> tcpwrappers, iptables, ipfw, etc. to log connections to port 8005.
> Those logs will only tell you that the command is being sent, not who
> is sending it.
> 
> -chris

I am going to go out on a limb here and try to explain things. Please
note that this is all based upon reading between the lines, and may not
at all reflect what is actually going on.

Overview


I suspect the following:

1. Logrotate of catalina.out at 2 AM
2. Tomcat JVM fails to exit, then restart

Detail
--

1. Logrotate (or other log rotation utility)

There are several ways that one can use to rotate catalina.out. See the
following:

https://wiki.apache.org/tomcat/FAQ/Logging#Q10

Some system admins actually stop Tomcat, rotate the logs, and then start
Tomcat. This has the advantage over the logrotate's copytruncate option
in that there is no possibility of partial log entries.

2. JVM fails to exit

From your error log, you have a TimeerTask thread that is not shutting
down. This prevents the JVM from exiting (see Chris's comments). I
suspect that this then prevents the start script from starting Tomcat
again (depending on the script).

Solutions
-

1. Fix your application so that the Tomcat JVM exits cleanly

Use a thread pool. Manage the thread pool in a servlet context listener
(creation, destruction).

This should be done in addition to anything else.

2. Talk to your system admin to see if log rotation is being used

Use copytruncate with logrotate rather than stopping and starting the
Tomca service.

This is assuming that you're using logrotate, and that there is a
logrotate process that kicks off every morning at 2 AM.

3. Use another method for rotating catalina.out

There are other methods for rotating catalina.out mentioned in the link
above.

Again, this is assuming that your system admin has implemented some log
rotation which is causing the problem.

4. See Chris's comments above concerning potential security issues

Finally
---

Your catalina.out file should be small, and consist of startup /
shutdown messages from Tomcat. Other (application) information should go
into application-specific log files. This means that you should
implement some sort of logging for your applications.

In other words, there should be little need to periodically rotate
catalina.out.

. . . just my two cents

Re: Problem enabling SSLv3 in Tomcat 8.5.15

[Mark Eggers]

Marc,

On 6/20/2017 4:34 PM, Marc Dorsa wrote:
> Hi Tomcat Users,
> 
> I am having a difficult time trying to enable SSLv3 in Tomcat 8.5.15.  (A 
> 3rd-party component of our product requires SSLv3 and there's no getting 
> around it!)  Our Tomcat is running on a custom Linux distribution based on 
> Centos 7, and we're running Java 1.8.0_131.  Note that I've already (and 
> correctly) enabled SSLv3 support in the JVM and verified that SSLv3 is 
> correctly enabled when running our existing Tomcat 7.0.47.  My guess is that 
> I have an incorrect server.xml configuration (for Tomcat 8), but the Tomcat 
> documentation 
> (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support) as I 
> read it, seems to say that simply setting the "protocols" attribute of the 
> SSLHostConfig element to include "SSLv3" should do the job.
> 
> Thank you in advance for any help offered!
> Marc
> 
> --
> Here is the server.xml file that correctly enables SSLv3 for Tomcat 7.0.47:
> 
> 
> 
>  redirectPort="443" server=" "
>  acceptCount="100" connectionTimeout="66" 
> disableUploadTimeout="true" />
>  enableLookups="false" acceptCount="100"
>   scheme="https" secure="true" connectionTimeout="66" 
> disableUploadTimeout="true" server=" "
>  ciphers="SSL_RSA_WITH_RC4_128_SHA, 
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, 
> SSL_DHE_RSA_WIT
> H_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, 
> SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA"
>   clientAuth="false" sslProtocol="TLS" 
> keystoreFile="/etc/.keystore" >
> 
> 
>  unpackWARs="true" autoDeploy="true">
> 
>  className="org.apache.naming.resources.FileDirContext" allowLinking="true" 
> docBase="" />
>  
> 
> 
> 
> 
> 
> Here are the scan results showing that SSLv3 is indeed enabled (and our 
> 3rd-party component works correctly):
> # ./cipherscan MyHostName:443
> prio  ciphersuite   protocolspfs_keysize
> 1 DHE-DSS-AES128-SHASSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 2 EDH-DSS-DES-CBC3-SHA  SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
> 
> --
> And here is the server.xml file that, unfortunately, does *not* enable SSLv3 
> for Tomcat 8.5.15:
> 
> 
> 
>  redirectPort="443" server=" "
>  acceptCount="100" connectionTimeout="66" 
> disableUploadTimeout="true" />
>  enableLookups="false" acceptCount="100" 
>   scheme="https" secure="true" connectionTimeout="66" 
> disableUploadTimeout="true" server=" ">
>  ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, 
> SSL_DHE_RSA_WITH_DES_CBC_SHA">
>  certificateKeystoreType="JKS" certificateKeystorePassword="changeit" />
> 
> 
> 
> 
>  unpackWARs="true" autoDeploy="true">
> 
> 
> 
> 
> 
> 
> 
> 
> Here are the scan results showing that SSLv3 is *not* enabled (and our 
> 3rd-party component does *not* work):
> # ./cipherscan MyHostName:443
> prio  ciphersuite   protocols  pfs_keysize
> 1 DHE-DSS-AES128-SHATLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 2 EDH-DSS-DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
> 
> Here is Tomcat's logging at startup (notice the SSLv3 warning):
> ..
> Tomcat started.
> -sh-4.2# Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-nio-80"]
> Jun 20, 2017 3:38:06 PM org.apache.tomcat.util.net.NioSelectorPool 
> getSharedSelector
> INFO: Using a shared selector for servlet write/read
> Jun 20, 2017 3:38:06 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
> Jun 20, 2017 3:38:07 PM org.apache.tomcat.util.net.SSLUtilBase getEnabled
> WARNING: Some of the specified [protocols] are not supported by the SSL 
> engine and have been skipped: [[SSLv3]]
> ..

I've not done this so I'm sure that someone will quickly correct me if
I'm wrong. I'm basing my answer from the following mailing list thread:

http://marc.info/?t=14933046478=1=2

It seems from the logs that you are using the https-jsse-nio connector.
It appears that you should list all of your desired protocols with a
plus separating them (and no comma).

Something like this (if I'm reading Mark Thomas's answer correctly):

Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

[Mark Eggers]

On 6/1/2017 1:32 AM, Nicholas Cottrell wrote:
> yum provides /usr/lib64/httpd/modules/mod_proxy_ajp.so

OK - don't know how I missed it. I could have sworn it wasn't there
yesterday :-p.

I just checked my system and it's there (run CentOS 6 in production).

/mde/



signature.asc
Description: OpenPGP digital signature

Re: Possible bug between Apache 2.4 and Tomcat 7 via AJP when POSTing

[Mark Eggers]

Nic,

On 5/31/2017 5:42 AM, Nicholas Cottrell wrote:
> Hi All!
> 
> I'm having a problem setting up an existing webapp from Apache
> 2.2/Tomcat6 on a new server running Centos 7, and the following
> packages:
> 
> httpd 2.4.6-45.el7.centos.4 tomcat.noarch
> 7.0.69-11.el7_3 @updates tomcat-native.x86_64
> 1.1.34-1.el7@epel
> 
> For debugging I have enabled AJP/1.3 and 8009 and HTTP on 8080, then
> use Apache to ProxyPass.
> 
> With my initial configuration, data from a form POST is not available
> via request.getParameter:
> 
> ProxyPass / ajp://localhost:8009/  retry=1
> acquire=3000 timeout=600 Keepalive=On ProxyPassReverse /
> ajp://localhost:8009/ 
> 
> But changing it to this fixes everything:
> 
> ProxyPass / http://localhost:8080/  retry=1
> acquire=3000 timeout=600 Keepalive=On ProxyPassReverse /
> http://localhost:8080/ 
> 
> In the broken instance, request.getParameter("x") returned null, but
> request.getReader() returned bytes with "x=123" so seems that Apache
> is sending the POST body but Tomcat is not processing it correctly,
> yes?
> 
> Please also see
> https://stackoverflow.com/questions/44167876/problems-with-post-parameters-with-tomcat-ajp-on-apache-2-4-but-not-2-2
> 
> for my steps so far.
> 
> I would prefer to switch back to AJP for the proxy, since I
> understand it is more performant, right? Should I try forcing a
> Tomcat 8 install to see if the problem persists there too?
> 
> Best, Nic.
> 

I wasn't aware that mod_proxy_ajp was available on a stock CentOS 7 even
with epel enabled.

If you're using the ajp protocol (it's not HTTP), then you'll need to
get mod_jk (from tomcat.apache.org) and build it yourself. It's not
difficult.

However, the configuration is quite a bit different. Fortunately, there
is an excellent set of example configuration files in the source (see
the conf subdirectory).

mod_proxy_ajp.so was shipped with CentOS 6, but does not appear to be
available with CentOS 7.

Either that - or go with mod_proxy_http and proxy to the HTTP connector
(default in server.xml is port 8080).

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: how to upgrade tomcat 8.5.x?

[Mark Eggers]

Chris,

On 5/24/2017 2:09 PM, Christopher Schultz wrote:
> Mark,
> 
> On 5/24/17 11:50 AM, Mark Eggers wrote:
>> True blue-green deployments would take some additional work, but
>> that's not beyond the realm of possibility. I might spend some
>> time doing this with Elastic Beanstalk, since $work wishes to move
>> to AWS.
> This was a presentation that I *really* wanted to get someone to do for
> TomcatCon, but we couldn't find anyone to do it.
> 
> If you were able to research, prepare, and present this information at
> an upcoming conference, I believe it would be well-attended.
> 
> I would certainly be there, taking notes.
> 
> -chris

Sorry about that. What I have right now is really not ready for prime time.

Most of the challenges that I've run into involve infrastructure and
process, not Tomcat per se. A lot of these issues can be solved with
suitable tools / infrastructure design. For example, Netflix seems to
have a nice freely available set of tools and processes.

Unfortunately I am under $constraints to keep the environment as generic
as possible.

Once I get most of the kinks worked out, I'll be happy to share that
with the community.

. . . just my (constrained) two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: how to upgrade tomcat 8.5.x?

[Mark Eggers]

Chris,

On 5/23/2017 10:55 AM, Christopher Schultz wrote:
> Mark,
> 
> On 5/21/17 8:34 PM, Mark Eggers wrote:
>> I developed my own [build and deployment scripts]. I use the Ant 
>> scripts just for customizing Tomcat installations.> I do have one
>> slight issue with my current Ant scripts. The link task isn't
>> supposed to create a link if it already exists, but it does, and 
>> actually creates a link inside of the existing link. This means
>> that I have a manual cleanup step to do, which is annoying.
> 
>> Also, the Ant xml task doesn't handle namespaces well. I'll have
>> to figure out how to mangle tomcat-users.xml in a better fashion
>> for the 8.x series.
> 
> Which XML task? We use XSLT to for example customize the manager.xml
> deployment file that comes with a stock Tomcat to deploy a manager
> with our protections enabled.
> 
>> I use a custom-built init script for starting, stopping, querying,
>> and getting the version of a Tomcat services. I'll have to build
>> something soon to handle systemd.
> 
>> I use Maven, the Tomcat Maven plugin, and Jenkins to customize a
>> WAR file for a particular environment. Coupled with parallel
>> deployments, this basically allows us to update with no downtime.
> 
> Nice!
> 
> I'd love to see a TomcatCon presentation from the community about
> blue/green deployments with Tomcat. :)
> 
> -chris
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

I use the following for XML editing in Ant:

http://www.oopsconsultancy.com/software/xmltask/

It does a lot of nice things, but there are two issues.

1. It's old - has not been released since 2009
2. Namespace handling - it's an acknowledged issue

I'll try the xslt task and see if I can get the same functionality with
a little effort.

My current setup depends on a lot of things that are either broken
(security issues with a Jenkins plugin) or not available (Nexus 3 no
longer has a REST interface, but it's coming RSN).

I should get involved to see how much effort it would be to a) help
address the security concerns, and b) expose in Nexus 3 the information
needed.

It would also be nice to set this up with other Maven repositories as
well as other CI environments.

True blue-green deployments would take some additional work, but that's
not beyond the realm of possibility. I might spend some time doing this
with Elastic Beanstalk, since $work wishes to move to AWS.

. . . just my (beleaguered) two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: how to upgrade tomcat 8.5.x?

[Mark Eggers]

Chris,

On 5/20/2017 4:37 PM, Christopher Schultz wrote:
> Mark,
> 
> On 5/19/17 3:26 PM, Mark Eggers wrote:
>> GB,
> 
>> On 5/19/2017 8:28 AM, gkk gb wrote:
>>> If my current Tomcat is installed in
>>>
>>>
>>> /home/tomcat/dir1/apache-tomcat-8.5.9
>>>
>>>
>>> and then I install the latest Tomcat in
>>>
>>>
>>> /home/tomcat/dir1/apache-tomcat-8.5.15
>>>
>>>
>>> how does Apache web server know to connect to the newer version
>>> of Tomcat? Is this established by the definition of CATALINA_HOME
>>> in .bash_profile? Or, some other way?
>>>
> 
>> The connection is done (normally) via a port. It's either AJP and
>> the AJP port configured in server.xml, or HTTP (could be HTTPS) and
>> the HTTP (or HTTPS) port configured in server.xml
> 
>> This depends on how your Apache HTTPD server is configured.
> 
>> If you use the same ports, then only one Apache Tomcat can be
>> running at a time (can't have two processes listen on the same port
>> - technically address / port combination).
> 
>>>
>>> Can I install both Tomcat versions side by side and switch
>>> between them to verify everything works fine with the newer
>>> Tomcat before deleting the older Tomcat?
>>>
>>>
> 
>> Yep.
> 
>> 1. Install newer Tomcat 2. Make sure server.xml is set the way you
>> need it to be 3. Copy web applications over to new Tomcat
> 
> I would always recommend using separate CATALINA_HOME and
> CATALINA_BASE directories. You mention this below, but it's worth
> reinforcing the fact that upgrades become even easier once this split
> has been done.
> 
>> 4. Shut down old Tomcat 5. Start up new Tomcat 6. Test
> 
>> Then make a decision. If the your applications have difficulties
>> with the new Tomcat, shut down the new Tomcat, start the old
>> Tomcat, and debug the issues on a development / test environment.
> 
>> I do something similar to upgrade Tomcats, albeit with an Ant
>> script, separate CATALINA_HOME / CATALINA_BASE, and an appBase
>> outside of CATALINA_BASE.
> 
>> This allows me to install new Tomcat versions without taking down
>> the old Tomcat. When it comes time to upgrade, I do the following:
> 
>> 1. Shut down the Tomcat service 2. Move two links to the new Tomcat
>> version (CATALINA_HOME / CATALINA_BASE) 3. Start up the Tomcat
>> service
> 
>> If there are issues, I can easily fall back to the old Tomcat
>> with:
> 
>> 1. Shut down the Tomcat service 2. Move two links to the old Tomcat
>> version 3. Start up the Tomcat service
> 
>> All of the server.xml modification information is kept in a set of 
>> property files which are versioned. The Ant scripts use the
>> property files to configure Tomcat instances.
> 
> This is roughly what we do as well: our ant-based build scripts build
> server.xml (and context.xml for that matter) from a set of properties
> that are specific to the application (and environment).
> 
> And of course Tomcat is started/stopped with those same scripts :)
> 
> Come to think of it... did I give you my Ant scripts ages ago? Or did
> you develop your own? I think I may have promised to publish them, but
> maybe never did.
> 
> -chris

I developed my own. I use the Ant scripts just for customizing Tomcat
installations.

I do have one slight issue with my current Ant scripts. The link task
isn't supposed to create a link if it already exists, but it does, and
actually creates a link inside of the existing link. This means that I
have a manual cleanup step to do, which is annoying.

Also, the Ant xml task doesn't handle namespaces well. I'll have to
figure out how to mangle tomcat-users.xml in a better fashion for the
8.x series.

I use a custom-built init script for starting, stopping, querying, and
getting the version of a Tomcat services. I'll have to build something
soon to handle systemd.

I use Maven, the Tomcat Maven plugin, and Jenkins to customize a WAR
file for a particular environment. Coupled with parallel deployments,
this basically allows us to update with no downtime.

Mark
/mde/



signature.asc
Description: OpenPGP digital signature

Re: how to upgrade tomcat 8.5.x?

[Mark Eggers]

GB,

On 5/19/2017 8:28 AM, gkk gb wrote:
> If my current Tomcat is installed in
> 
> 
> /home/tomcat/dir1/apache-tomcat-8.5.9
> 
> 
> and then I install the latest Tomcat in
> 
> 
> /home/tomcat/dir1/apache-tomcat-8.5.15
> 
> 
> how does Apache web server know to connect to the newer version of
> Tomcat? Is this established by the definition of CATALINA_HOME in
> .bash_profile? Or, some other way?
> 

The connection is done (normally) via a port. It's either AJP and the
AJP port configured in server.xml, or HTTP (could be HTTPS) and the HTTP
(or HTTPS) port configured in server.xml

This depends on how your Apache HTTPD server is configured.

If you use the same ports, then only one Apache Tomcat can be running at
a time (can't have two processes listen on the same port - technically
address / port combination).

> 
> Can I install both Tomcat versions side by side and switch between
> them to verify everything works fine with the newer Tomcat before
> deleting the older Tomcat?
> 
> 

Yep.

1. Install newer Tomcat
2. Make sure server.xml is set the way you need it to be
3. Copy web applications over to new Tomcat
4. Shut down old Tomcat
5. Start up new Tomcat
6. Test

Then make a decision. If the your applications have difficulties with
the new Tomcat, shut down the new Tomcat, start the old Tomcat, and
debug the issues on a development / test environment.

I do something similar to upgrade Tomcats, albeit with an Ant script,
separate CATALINA_HOME / CATALINA_BASE, and an appBase outside of
CATALINA_BASE.

This allows me to install new Tomcat versions without taking down the
old Tomcat. When it comes time to upgrade, I do the following:

1. Shut down the Tomcat service
2. Move two links to the new Tomcat version (CATALINA_HOME /
   CATALINA_BASE)
3. Start up the Tomcat service

If there are issues, I can easily fall back to the old Tomcat with:

1. Shut down the Tomcat service
2. Move two links to the old Tomcat version
3. Start up the Tomcat service

All of the server.xml modification information is kept in a set of
property files which are versioned. The Ant scripts use the property
files to configure Tomcat instances.

> 
>> 
>> On May 17, 2017 at 3:58 PM Daniel Savard 
>> wrote:
>> 
>> 2017-05-17 12:58 GMT-04:00 Richard Huntrods
>> :
>> 
 
>>> On 16/05/2017 17:18, Igal @ Lucee.org wrote:
 
>>> 
>> 
 
> On 5/16/2017 8:27 AM, Kreuser, Peter wrote:
> 
>> 
> 
>> 
>> I'd say a more robust (and the documented way) is to use a
>> Tomcat-Home directory and a Tomcat-Base Directory.
>> 
>> $CATALINA_HOME holds the actual distributed
>> Tomcat-"Binaries" (ZIP/TGZ), $CATALINA_BASE holds your
>> adapted config, libs and webapps.
>> 
>> This way you can just exchange the CATALINA_HOME with a new
>> version (say 8.5.15) and restart Tomcat. In case there are
>> differences in configs between versions, adapt your conf
>> using https://tomcat.apache.org/migr 
>> ation-85.html#Tomcat_8.5.x_configuration_file_differences
>> 
>> 
> I agree that separating the CATALINA_HOME from CATALINA_BASE
> is a much better setup, but if Tomcat was not set up like
> that already then for a minor upgrade this complicates the
> process.
> 
> The simplest way to upgrade is the one I documented.
> 
 
 That simple approach is incomplete. It assumes that: a) the
 JARs in $CATALINA_HOME/bin haven't changed b) the names of the
 JARs in $CATALINA_HOME/lib haven't changed c) no configuration
 changes are required.
 
 a) sometimes happens
 
 b) happens when the JDT compiler is updated
 
 c) can be checked via the migration guides
 
 Mark
 
 Well, I just upgraded my servers from Tomcat 8..5.12 to 8.5.14.
 The complex way is to create a new tomcat directory for the new
 version, then rename webapps to webapps.orig and create a new
 webapps directory to hold my war files. Then compare all the
 config files and make appropriate changes to the stock config
 files, then test. This takes a while.
 
>> 
>>> So for the minor change from 12 to 14, I decided to try a new
>>> way. On my windows devel box, I unzipped a new download of 12 and
>>> a new download of 14 into their own new directories, then
>>> compared all the files in both (yay for the ancient program
>>> "windiff"). I then built a batch file to copy only the changed
>>> files and tested this. Once satisfied, I built a shell script to
>>> make the same changes on my devel unix server, and tested this.
>>> Once I was sure it worked without any problems, I ported the
>>> script (and virgin 8.5.14 directory) to my production servers. On
>>> scheduled maintenance I shut down each tomcat 12, ran the script
>>> and then restarted tomcat. All worked perfectly.
>>> 
>>> Here's the file changes from 8.5.12 to 8.5.14, no including the
>>> 

Re: Tomcat on macOS

[Mark Eggers]

Folks,

Beware, the following is extremely ugly Groovy. I've changed the names
to protect the guilty (I think).

Also, the *_SVR and *_URL values are environment values stored centrally
in Jenkins. That way they can be changed easily. They also show up in
the job logs, which means with a little scripting effort I can get a
history of what versions were deployed to what server when.

Please review and laugh . . . or better yet, proffer improvements :-).

On 5/19/2017 10:10 AM, Decker, Richard M wrote:
> Mark,
> 
>> -Original Message-----
>> From: Mark Eggers [mailto:its_toas...@yahoo.com.INVALID]
>> Sent: Friday, May 19, 2017 10:44 AM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Tomcat on macOS
>>
>> Chris,
>>
>> On 5/19/2017 7:33 AM, Christopher Schultz wrote:
>>> Israel,
>>>
>>> On 5/18/17 10:52 AM, Israel Timoteo wrote:
>>>> Any comments from the community for ...
>>>
>>>> 1) What tools is the community using for simultaneous applications
>>>> deployment on several servers, let’s say more than 20?
>>>
>>> I am using neither of these strategies, but...
>>>
>>> a. FarmWebDeployer [1]
>>
>> Doesn't this require a cluster (and therefore multicast)? That becomes
>> challenging in a cloud environment where there's no multicast easily
>> available.
>>
>>> b. Auto-deploy + scp
>>
>> This would be nice with a little scripting.
>>
>>>
>>> Why in the world are you deploying a web application to 20+
>>> macos-based servers? Or do you have a Macos client and 20+
>>> non-macos-based servers?
>>>
>>>> 4) Is JAVA_OPTS required?
>>>
>>> JAVA_OPTS is only required if you require any java opts. Do you
>>> require such options? Usually, when people set JAVA_OPTS they really
>>> want to set CATALINA_OPTS instead.
>>>
>>> Hope that helps,
>>> -chris
>>>
>>> [1]
>>> http://tomcat.apache.org/tomcat-8.0-doc/config/cluster-deployer.html
>>
>> What I do is use Jenkins, Maven, Nexus, and a little Groovy scripting.
>>
>> 1. Maven with the Tomcat Maven Plugin [1]
>>
>> The WAR file is customized (context.xml) based on the target environment.
>>
>> 2. Jenkins
>>
>> The build is run by Jenkins, and the build number (with a little 0 padding 
>> via a
>> Groovy script) is tacked onto the WAR name as app##nn.war.
> 
> I don't mean to hijack the thread, but could you expand on this? Could you 
> please provide examples of your Groovy scripts?
> 
>>
>> This allows the parallel deploy feature to be used [2].
>>
>> 3. Nexus
>>
>> This is where all of the base artifacts are stored. Nexus 2 is used currently
>> since Nexus 3 doesn't have the REST API needed to cleanly interact with the
>> Jenkins job via a Groovy script. Maybe I should learn how to write a Nexus
>> plugin to get lists of artifact versions via REST . . .
>>
>> 4. Groovy scripting
>>
>> Groovy is used in Jenkins to do the following:
>>
>> a. Query Nexus to get a list of artifact versions b. Prevent non-production
>> artifacts from landing on production platforms c. Create the final number for
>> parallel deployment
>>
>> To expand this to multiple machines, a set of pipeline jobs could be created.
>>
>> a. Build the customized WAR for the target environment b. Multiple jobs
>> deploy to the servers in the target environment c. Multiple jobs validate the
>> deployment d. Final job sends mail to interested parties with success / 
>> failure
>>
>> I know that's a lot of infrastructure. There are certainly things that could 
>> be
>> done differently. Ant (with Ivy), or gradle could be used for the builds. A
>> different repository manager could be used (other than Nexus). A different
>> CI / CD system could be used (other than Jenkins).
>>
>> Anything that meets at least the following requirements could be strung
>> together.
>>
>> a. Reliable place to get the WAR file you need to deploy b. Reliable build
>> system that can be automated c. Build system that can deploy to Tomcat d.
>> Testing that the deployment actually worked e. Notification
>>
>> The end result is that some authorized person can log into Jenkins, select a
>> version of an application to deploy, deploy it to the target environment,
>> know that it's been successful (or not), and have notifications automatically
>> sent out.
>>
>> [1] http://tomcat.apache.org/maven-plugin.h

[OT] Re: Tomcat on macOS

[Mark Eggers]

Richard,

On 5/19/2017 10:10 AM, Decker, Richard M wrote:
> Mark,
> 
>> -Original Message-----
>> From: Mark Eggers [mailto:its_toas...@yahoo.com.INVALID]
>> Sent: Friday, May 19, 2017 10:44 AM
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: Re: Tomcat on macOS
>>
>> Chris,
>>
>> On 5/19/2017 7:33 AM, Christopher Schultz wrote:
>>> Israel,
>>>
>>> On 5/18/17 10:52 AM, Israel Timoteo wrote:
>>>> Any comments from the community for ...
>>>
>>>> 1) What tools is the community using for simultaneous applications
>>>> deployment on several servers, let’s say more than 20?
>>>
>>> I am using neither of these strategies, but...
>>>
>>> a. FarmWebDeployer [1]
>>
>> Doesn't this require a cluster (and therefore multicast)? That becomes
>> challenging in a cloud environment where there's no multicast easily
>> available.
>>
>>> b. Auto-deploy + scp
>>
>> This would be nice with a little scripting.
>>
>>>
>>> Why in the world are you deploying a web application to 20+
>>> macos-based servers? Or do you have a Macos client and 20+
>>> non-macos-based servers?
>>>
>>>> 4) Is JAVA_OPTS required?
>>>
>>> JAVA_OPTS is only required if you require any java opts. Do you
>>> require such options? Usually, when people set JAVA_OPTS they really
>>> want to set CATALINA_OPTS instead.
>>>
>>> Hope that helps,
>>> -chris
>>>
>>> [1]
>>> http://tomcat.apache.org/tomcat-8.0-doc/config/cluster-deployer.html
>>
>> What I do is use Jenkins, Maven, Nexus, and a little Groovy scripting.
>>
>> 1. Maven with the Tomcat Maven Plugin [1]
>>
>> The WAR file is customized (context.xml) based on the target environment.
>>
>> 2. Jenkins
>>
>> The build is run by Jenkins, and the build number (with a little 0 padding 
>> via a
>> Groovy script) is tacked onto the WAR name as app##nn.war.
> 
> I don't mean to hijack the thread, but could you expand on this? Could you 
> please provide examples of your Groovy scripts?
> 
>>
>> This allows the parallel deploy feature to be used [2].
>>
>> 3. Nexus
>>
>> This is where all of the base artifacts are stored. Nexus 2 is used currently
>> since Nexus 3 doesn't have the REST API needed to cleanly interact with the
>> Jenkins job via a Groovy script. Maybe I should learn how to write a Nexus
>> plugin to get lists of artifact versions via REST . . .
>>
>> 4. Groovy scripting
>>
>> Groovy is used in Jenkins to do the following:
>>
>> a. Query Nexus to get a list of artifact versions b. Prevent non-production
>> artifacts from landing on production platforms c. Create the final number for
>> parallel deployment
>>
>> To expand this to multiple machines, a set of pipeline jobs could be created.
>>
>> a. Build the customized WAR for the target environment b. Multiple jobs
>> deploy to the servers in the target environment c. Multiple jobs validate the
>> deployment d. Final job sends mail to interested parties with success / 
>> failure
>>
>> I know that's a lot of infrastructure. There are certainly things that could 
>> be
>> done differently. Ant (with Ivy), or gradle could be used for the builds. A
>> different repository manager could be used (other than Nexus). A different
>> CI / CD system could be used (other than Jenkins).
>>
>> Anything that meets at least the following requirements could be strung
>> together.
>>
>> a. Reliable place to get the WAR file you need to deploy b. Reliable build
>> system that can be automated c. Build system that can deploy to Tomcat d.
>> Testing that the deployment actually worked e. Notification
>>
>> The end result is that some authorized person can log into Jenkins, select a
>> version of an application to deploy, deploy it to the target environment,
>> know that it's been successful (or not), and have notifications automatically
>> sent out.
>>
>> [1] http://tomcat.apache.org/maven-plugin.html
>> [2]
>> https://tomcat.apache.org/tomcat-8.0-
>> doc/config/context.html#Parallel_deployment
>>
>> . . . just my (rather lengthy) 2 cents
>> /mde/
> 

I'll sanitize them and then send them on the list.

Please note that I currently rely on the Active Choices plugin which has
been blacklisted due to its dependency on the Scriptler plugin.

Active Choices has the security fix, but Scrip

Re: Tomcat on macOS

[Mark Eggers]

Chris,

On 5/19/2017 7:33 AM, Christopher Schultz wrote:
> Israel,
> 
> On 5/18/17 10:52 AM, Israel Timoteo wrote:
>> Any comments from the community for ...
> 
>> 1) What tools is the community using for simultaneous applications 
>> deployment on several servers, let’s say more than 20?
> 
> I am using neither of these strategies, but...
> 
> a. FarmWebDeployer [1]

Doesn't this require a cluster (and therefore multicast)? That becomes
challenging in a cloud environment where there's no multicast easily
available.

> b. Auto-deploy + scp

This would be nice with a little scripting.

> 
> Why in the world are you deploying a web application to 20+
> macos-based servers? Or do you have a Macos client and 20+
> non-macos-based servers?
> 
>> 4) Is JAVA_OPTS required?
> 
> JAVA_OPTS is only required if you require any java opts. Do you
> require such options? Usually, when people set JAVA_OPTS they really
> want to set CATALINA_OPTS instead.
> 
> Hope that helps,
> -chris
> 
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/cluster-deployer.html

What I do is use Jenkins, Maven, Nexus, and a little Groovy scripting.

1. Maven with the Tomcat Maven Plugin [1]

The WAR file is customized (context.xml) based on the target environment.

2. Jenkins

The build is run by Jenkins, and the build number (with a little 0
padding via a Groovy script) is tacked onto the WAR name as app##nn.war.

This allows the parallel deploy feature to be used [2].

3. Nexus

This is where all of the base artifacts are stored. Nexus 2 is used
currently since Nexus 3 doesn't have the REST API needed to cleanly
interact with the Jenkins job via a Groovy script. Maybe I should learn
how to write a Nexus plugin to get lists of artifact versions via REST . . .

4. Groovy scripting

Groovy is used in Jenkins to do the following:

a. Query Nexus to get a list of artifact versions
b. Prevent non-production artifacts from landing on production platforms
c. Create the final number for parallel deployment

To expand this to multiple machines, a set of pipeline jobs could be
created.

a. Build the customized WAR for the target environment
b. Multiple jobs deploy to the servers in the target environment
c. Multiple jobs validate the deployment
d. Final job sends mail to interested parties with success / failure

I know that's a lot of infrastructure. There are certainly things that
could be done differently. Ant (with Ivy), or gradle could be used for
the builds. A different repository manager could be used (other than
Nexus). A different CI / CD system could be used (other than Jenkins).

Anything that meets at least the following requirements could be strung
together.

a. Reliable place to get the WAR file you need to deploy
b. Reliable build system that can be automated
c. Build system that can deploy to Tomcat
d. Testing that the deployment actually worked
e. Notification

The end result is that some authorized person can log into Jenkins,
select a version of an application to deploy, deploy it to the target
environment, know that it's been successful (or not), and have
notifications automatically sent out.

[1] http://tomcat.apache.org/maven-plugin.html
[2]
https://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Parallel_deployment

. . . just my (rather lengthy) 2 cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: MaxThread Configurations Issue

[Mark Eggers]

Shailesh,

On 5/15/2017 8:22 AM, Shailesh Jain wrote:
> We have updated the maxThread configuration to 10 at below place in
> server.xml of DEV environment. However I was able to see more than 10
> threads. I have also attached the server.xml
> 
> I need your help to understand if I am doing something wrong or it is an
> expected behaviour?
> 
> 
>  redirectPort="8443" maxThreads="10"/>
> 
> 

Tomcat uses other threads besides the connector threads. This
configuration only limits the number of connector threads.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: need help with websocket

[Mark Eggers]

Sharat,

On 3/29/2017 9:23 AM, Sharat Jagannath wrote:
> I get a 404 error when I call my server endpoint with wss.
> I'm using tomcat 9 which sits behind ngnix. Does that make a difference?
> here's how my server.xml looks like-
> 
> 
> 
> 
> 
> 
>   
>   
>   
>SSLEngine="on" />
>   
>className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
> 
> 
>   
>   
> 
>type="org.apache.catalina.UserDatabase"
>   description="User database that can be updated and saved"
>   factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>   pathname="conf/tomcat-users.xml" />
>   
> 
>   
>   
> 
> 
> 
> 
> 
> 
> 
> 
> connectionTimeout="2"
>redirectPort="8443" URIEncoding="UTF-8"
> useBodyEncodingForURI="true" compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript"
> />
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>   
>   
> 
>   
>   
> 
> resourceName="UserDatabase"/>
>   
> 
>unpackWARs="true" autoDeploy="true">
> 
> 
> 
> 
> 
>  directory="logs"
>prefix="localHost_access_log" suffix=".txt"
>pattern="%h %l %u %t %r %s %b" />
> 
>   
> 
>   
> 
> 
> 
> 
> On Mar 29, 2017 6:24 AM, "calder"  wrote:
> 
>> On Tuesday, March 28, 2017, Sharat Jagannath  wrote:
>>
>>> how do i setup websocket on server side for using wss with tomcat config?
>>> is there any config i need to do with tomcat? any certification to setup?
>>
>>
>>>
>>
>> Read up using the How-to:
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/web-socket-howto.html
>>
>>
>>  http://tomcat-configure.blogspot.com/2014/05/tomcat-websock
>> et-example.html
>>
> 

Two things to try:

1. Have you tried to connect without using NGINX as a front end proxy?

2. Have you configured your NGINX server appropriately?

See the following for configuring NGINX to act as a websocket proxy:

http://nginx.org/en/docs/http/websocket.html
https://www.nginx.com/blog/websocket-nginx/

Also, see the following:

http://tomcat.apache.org/tomcat-9.0-doc/web-socket-howto.html

and follow the links to look at both the server and client side code.

Please note that I've not done any of this, since I have Tomcat sitting
behind Apache HTTPD 2.2. I have not ported the proxy_wstunnel module
from Apache HTTPD 2.4 to 2.2.

. . . just my two cents
/mde/

Please note that I've not done any of this.




signature.asc
Description: OpenPGP digital signature

Re: Tomcat 8/Redhat Linux 6.6 /Kernal 2.6.32 - Memory Won't Release

[Mark Eggers]

Eric,

On 3/16/2017 8:01 PM, Eric Chua wrote:
> I am running tomcat 8.0.121.  When I start my tomcat, it seems to be
> eating up all the memory on my system.  I have 16 GB, and it keeps on
> going.  Then when I try to kill the process, it dies but 12 GB is
> still being used even though everything is turn off.  The only way to
> reclaim the memory is to reboot.  I am running on redhat 6.5 and
> can't figure out what could be causing this.  I run the tomcat as a
> local user, and I know there aren't any other processes running as
> the local user.  I am running a spring MVC 4/Java 8/ struts web
> application. I have two of them with the same issue.  Any help would
> be appreciated. When I try to view all the running processes I cannot
> see where most of the 12 gb are being used.   The system came up with
> 2.2 gb used and after I start one web application it goes to 14-15gb.
> The funny thing is that I can kill it to reclaim the memory. Only a
> reboot works.  I am running a VMware instance with vcenter version
> 6.5.  This does not happen with Java 7 with tomcat 7. Any help would
> be appreciate.

I don't see this with any of my systems running the following configuration:

OS: CentOS 6.8
kernel: 2.6.32-642.15.1.el6.x86_64
JRE:1.8.0_121-b13
Tomcat: 8.0.41.0 (from tomcat.apache.org)

I'm slated to update these systems to 8.0.42 once I complete my tests. I
don't anticipate any issues, but a process is only good if you follow it.

Some of my VM systems run on VMWare, and others run on Xen.

I also have a lot of systems running on AWS Elastic Beanstalk, but right
now those systems are stock AWS AMI images.

They're running AWS's repackaged Tomcat 8.0.41, and OpenJDK 1.8.0_121-b13.

I don't see any issues there as well. I run a lot of microservices on
t2.micro EC2 instances. t2.micro instances are very memory-constrained.
I would see a lot of EC2 churn if I had memory issues.

Please get some sar / top / vmstat information from your system
administrator and post it to the list.

Also, does your application make use of native libraries? If so, what
are they, and are they compatible with Java 8?

. . . just my two cents
/mde/







signature.asc
Description: OpenPGP digital signature

Re: java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986

[Mark Eggers]

First of all, sorry for the wrapping. Hint - turn on message wrapping
when writing to the mailing list.

Anyway, responses are at the end.

On 3/13/2017 8:23 AM, Chandrashekar H.S wrote:
> Hi All,
> We have recently upgraded tomcat from 8.0.30 to 8.5.11.
> 
> The tomcat 8.5.11 rejects the requested URI with below error.
> Requested URI: 
> /poc-root/resource-lists/users/tel:+918197119913/index/~~/resource-lists/list[@name="oma_pocbuddylist"]/entry[@uri="tel:+919742700996"]
> 
> Mar 13, 2017 5:05:20 PM org.apache.coyote.http11.Http11Processor service
> INFO: Error parsing HTTP request header
> Note: further occurrences of HTTP header parsing errors will be logged at 
> DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in the request 
> target. The valid characters are defined in RFC 7230 and RFC 3986
>at 
> org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:471)
> at 
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
> at 
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
> at 
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
> at 
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434)
> at 
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> at 
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at 
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at 
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> at java.lang.Thread.run(Thread.java:745)
> 
> The server accepts the request if the DQUOTE(") is replaced with text %22 as 
> mentioned below
> /poc-root/resource-lists/users/tel:+918197119913/index/~~/resource-lists/list[@name=%22oma_pocbuddylist%22]/entry[@uri=%22tel:+
>  919742700996%22]
> 
> Please help me to fix this at the server side, since the client or URI 
> requester is already in production/field.
> 
> Regards,
> Chandra
> 
> 

There are two ways to this issue.

1. Front your Apache Tomcat with Apache HTTPD and mod_jk

This is the least invasive to your code. However, it depends on Apache
HTTPD being lenient with RFC 7230 and RFC 3986. How ling that lasts is
up to that project.

a. Read the docs on how to configure Apache HTTPD / Tomcat / mod_jk

https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

b. Use the excellent uriworkers.properties file found in the source at:

[distribution-root]/conf

where [distribution-root] is tomcat-connectors-1.2.42-src as I write this.

c. Note the defaults with respect to encoding

From the second link above:

Using JkOptions ForwardURIProxy, the forwarded URI will be partially
reencoded after processing inside Apache and before forwarding to
Tomcat. This will be compatible with local URL manipulation by
mod_rewrite and with URL encoded session ids.

JkOptions +ForwardURIProxy

This is the default as of version 1.2.24.

This may solve your problem. It solved ours, but our issue is with a
request parameter, not the entire URI.

Note that this is not a fix - and may NOT work for your use case.

2. Fix the code

If you are sending this GET via AJAX and javascript, there is a very
simple solution - encode the URI.

For an entire URL, the following function call is all you need:

var encoded_uri = encodeURI("unencoded uri);

Then use the encoded_uri value to make the request.

As I said above, our issue is with a request parameter, so the
developers will use the following:

var encoded_param = encodeURIComponent("unencoded request paramenter");

Then use the encoded_param value to make the request.

3. If you're not using AJAX / javascript

Then you have a lot of work to do, especially if method 1 above does not
solve your problem.

. . . just my two cents.
/mde/



signature.asc
Description: OpenPGP digital signature

Re: tomcat code=exited status=203/EXEC

[Mark Eggers]

Mary,

On 1/13/2017 4:36 PM, Mary Wiegand wrote:
> I'm getting the following error when I try to run tomcat8.
> tomcat code=exited status=203/EXEC
> 
> I've done a bunch of searching for things that might work but haven't had
> any luck with anything and nothing seems to be straight forward.
> 
> I'm using ubuntu server 14.06 and tomcat8.
> 
> Any ideas would be awesome.
> 
> Thanks,
> 
> -Mary
> 

A quick search on Google led me to this link:

https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-ubuntu-16-04

Check the permissions on the directory.

. . . just my (run Tomcat on CentOS) two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: How many instances Tomcat?

[Mark Eggers]

Edwin,

On 12/16/2016 1:35 PM, Edwin Quijada wrote:
> 
> 
> 
>  From: Daniel Savard
>  Sent: Friday, December 16, 2016 9:01 PM To:
> Tomcat Users List Subject: Re: How many instances Tomcat?
> 
> 2016-12-16 14:48 GMT-05:00 Edwin Quijada
> :
> 
>> Hi! I have 2 different projects in the same server. My server has
>> 16GB Ram and 8 core so I am not sure if I need to up 2 instance of
>> Tomcat or just one instace and Tomcat server both projects.
>> 
>> 
>> What is the best configuration ? I have too ApacheWeb Sserver like
>> proxy and SSL and virtual server.
>> 
>> 
>> Any cluees or ideas? Pro and cons about each solution
>> 
>> 
>> TIA
>> 
>> 
> It depends on the application. On some of my servers, the
> application provider recommend a limit on the number of concurrent
> connections per instance. I am even not sure it is justified,
> however, since we get support from this provider we have to conform
> to its directives. However, something good about having more than one
> instance is you can shutdown the application without interrupting the
> service.
> 
> For ressources consumption, you need to look at what your specific 
> applications need and what kind of workload you expect. Giving the
> amount of RAM and the number of cores is useless. I run 9 instances
> of Tomcat on a single server with 16 GB of RAM and 2 cores.
> 
> OK, sounds good.! So I think use two instances is not a problem. I
> wanna use apache webserver in front of these Tomcats with virtual
> servers but I dont know if will be a good idea because I use
> websockets and I dont know if websockets can pass throught webserver
> to tomcat
> 
> 

I believe Apache HTTPD 2.4 has a mod_proxy_wstunnel that may work:

https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html

I have not tried this, with or without Tomcat.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: URGENT: Tomcat 7 Aliases

[Mark Eggers]

Victor,

Please do not top post.

Anyway (see at the bottom).


On 12/9/2016 8:28 AM, Victor Rodriguez wrote:
> Chris, I really don't want double deployment.  I'm trying to have a single
> abc.war and avoid having to install apache to redirect/rewrite
> http://host:8082/xyz to http://host:8082/abc.  I was hoping there was a way
> to have tomcat send /xyz to abc.war.  I suppose I could also just copy
> abc.war to xyz.war and have both in the webapps directory, but I'm trying
> to avoid that.
> 
> On Fri, Dec 9, 2016 at 8:23 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
> 
> Victor,
> 
> On 12/9/16 11:17 AM, Victor Rodriguez wrote:
 Chris, a little more progress this morning...

 This is what I currently have in my xyz.xml

 >>> docBase="wfsservice.war">

 And, this is what I get in my catalina.out...

 INFO: Deploying configuration descriptor
 /dg/local/cots/tomcat/tomcat_8082/conf/Catalina/localhost/xyz.xml

 ...then...

 WARNING: A docBase
 /dg/local/cots/tomcat/tomcat_8082/webapps/abc.war inside the host
 appBase has been specified, and will be ignored
> 
> Aah, yes. This is probably because specifying a docBase inside the
> appBase usually indicates a mistake that will result in
> double-deployment of a web application. But double-deployment is
> precicely what you are requesting.
> 
> We'll need to do this then:
> 
> 1. Put abc.war somewhere else
> 2. Change the path in xyz.xml to match #1
> 3. Copy xyz.xml to abc.xml in the same directory
> 4. Profit
> 
 ...then...

 SEVERE: Error starting static Resources

 java.lang.IllegalArgumentException: Document base
 /dg/local/cots/tomcat/tomcat_8082/webapps/xyz does not exist or is
 not a readable directory

 So, it looks like it's looking for an exploded xyz directory.
> 
> It might be. But there isn't a stack trace so I have no idea if that
> is even being produced by Tomcat.
> 
> -chris
> 
 On Fri, Dec 9, 2016 at 8:07 AM, Christopher Schultz <
 ch...@christopherschultz.net> wrote:

 Victor,

 On 12/8/16 7:57 PM, Victor Rodriguez wrote:
>>> On Thu, Dec 8, 2016 at 2:50 PM, Christopher Schultz <
>>> ch...@christopherschultz.net> wrote:
>>>
 Victor,

 On 12/8/16 4:59 PM, Victor Rodriguez wrote:
>>> THANKS IN ADVANCE FOR YOUR HELP!  (not yelling, just
>>> emphasizing!)
>>>
>>> I have abc.war and I want both /abc and /xyz to work
>>> for it.  I've tried adding
>>> aliases="/abc=abc.war,/xyz=abc.war" and
>>> aliases="/abc=abc,/xyz=abc" but neither of those
>>> worked.  This is how my original context.xml looked
>>> like.
>>>
>>>   
>>> WEB-INF/web.xml
>>>  
>>>
>>>  
>>>
>>> 
>>>

 Tomcat 7 aliases are intended to map URLs within a single
 web application. You can't use it to duplicate the web
 application on two base paths.

 Here's what you need to do:

 1. Put your WAR file in webapps/abc.war. This will deploy
 as usual.

 2. Copy webapps/abc.war/META-INF/context.xml into
 conf/Catalina/localhost/xyz.xml and modify the 
 element like this:

 >>> docBase="webapps/abc.war "> ... 
>>>
>>> Thanks Chris!  I now get "Document base
>>> /dg/local/cots/tomcat/tomcat_8082/webapps/xyz does not exist
>>> or is not a readable directory"

 Is that path correct? What is the stack trace of that error?

 I would have expected the path to be pointing to abc.war, not
 .../xyz

 -chris

What Chris is saying is the following:

Suppose the user you're running Tomcat under is called tomcat, with a
home directory of /home/tomcat.

Make a directory under /home/tomcat - call it Apps (probably too
generic, but you get the idea).

Now copy abc.war into that directory.

Then you'll create two context.xml files.

Call one abc.xml

Call the other xyz.xml

In both abc.xml and xyz.xml, specify the complete path to abc.war as the
docBase - like this (using the layout above)





Now copy both of these xml files to

$CATALINA_BASE/conf/Catalina/localhost/

More properly:

$CATALINA_BASE/conf/[Engine name]/[Host name]/

where [Engine name] is the name attribute from the Engine element in
server.xml, and Host name is the name attribute from the Host element in
server.xml.

I haven't tried this, but I don't see why it shouldn't work.

The basis for this can be found here:

http://tomcat.apache.org/tomcat-7.0-doc/config/context.html

. . . just my two cents (and no coffee)
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Apache/Tomcat vulnerability

[Mark Eggers]

Artur,

On 11/30/2016 10:41 AM, Jaaz Portal wrote:
> no it looks like dos, its dos
> 
> i told you they dosed before bind server until we changed it to other
> vendor,
> and later was scanning my host for apache vulnerabilities
> 
> configuration is standard, the only thing i changed (after your guidance)
> is connection_timeout
> but this does not work for this exploit
> 
> workers.properties
> worker.list=ajp13_worker
> 
> #
> #-- ajp13_worker WORKER DEFINITION --
> #-
> #
> 
> #
> # Defining a worker named ajp13_worker and of type ajp13
> # Note that the name and the type do not have to match.
> #
> worker.ajp13_worker.port=8009
> worker.ajp13_worker.host=localhost
> worker.ajp13_worker.socket_timeout=6
> worker.ajp13_worker.type=ajp13
> #
> # Specifies the load balance factor when used with
> # a load balancing worker.
> # Note:
> #  > lbfactor must be > 0
> #  > Low lbfactor means less work done by the worker.
> worker.ajp13_worker.lbfactor=1
> 
> #
> # Specify the size of the open connection cache.
> #worker.ajp13_worker.cachesize
> 
> #
> #-- DEFAULT LOAD BALANCER WORKER DEFINITION --
> #-
> #
> 
> #
> # The loadbalancer (type lb) workers perform wighted round-robin
> # load balancing with sticky sessions.
> # Note:
> #  > If a worker dies, the load balancer will check its state
> #once in a while. Until then all work is redirected to peer
> #workers.
> worker.loadbalancer.type=lb
> worker.loadbalancer.balance_workers=ajp13_worker
> 
> 
> server.xml
> 
> 
>   redirectPort="8443" maxConnections="256" keepAliveTimeout="3"/>
> 
> best,
> artur

From the following fine documentation (which André has posted before):

http://tomcat.apache.org/connectors-doc/reference/workers.html

connection_pool_timeout (lots of stuff) . . . last paragraph:

You should keep this time interval in sync with the keepAliveTimeout
attribute (if it is set explicitly) or connectionTimeout attribute of
your AJP connector in Tomcat's server.xml. Note however, that the value
for mod_jk is given in seconds, the one in server.xml has to use
milliseconds.

The last line of the above snippet of the documentation is very important.

Now let's look at your values.

From workers.properties:
worker.ajp13_worker.socket_timeout=6

From server.xml
connectionTimeout="6"

So your socket_timeout value from workers.properties is 60,000 seconds
(16 hours, 40 minutes), while your connectionTimeout value is 60,000
milliseconds (1 minute).

And your keepAliveTimeout (30,000 = 30 seconds) is not in sync with
either value.

So . . .

1. remove keepAliveTimeout from your AJP connector
2. change worker.ajp13_worker.socket_timeout to 60

This will at least get you in line with the documentation. You can then
proceed to diagnose whether you have a DOS (or DDOS) attack, an
application issue, or if this solved the problem.

. . . just my two cents (if I've done the math right)
/mde/

> 
> 2016-11-30 19:21 GMT+01:00 Mark Eggers <its_toas...@yahoo.com.invalid>:
> 
>> Artur,
>> On 11/30/2016 8:36 AM, Jaaz Portal wrote:
>>> hi,
>>> they has tried again with success despite setting connection_timeout and
>>> limiting number of clients by mod_bw
>>> the tomcat has frozen again.
>>>
>>> netstat does not showed any connections on port 80 but plenty of
>>> connections from apache to localhost:8009
>>> so it was not an attack that you has described (no slowlaris)
>>>
>>> im looking into debug files of mod_jk and forensic for some hints. If you
>>> want i can share them (they have 4mb compressed)
>>>
>>> best wishes
>>> artur
>>
>> This is beginning to look like an application or a configuration issue
>> and not a DOS (or DDOS) attack.
>>
>> One the issues that may cause this is a mismatched timeout value between
>> connection_pool_timeout in workers.properties (mod_jk) and the
>> connectionTimeout in server.xml (Tomcat) for the AJP connector.
>>
>> Also, at least for the mod_jk version that I'm running, there is no
>> limit for reply_timeout (mod_jk) by default.
>>
>> Can you post your workers.properties file and the AJP connector portion
>> of your server.xml?
>>
>> In the conf directory of the mod_jk source code, there is a very nice
>> workers.properties file that has sensible defaults. If you've not done
>> so, I suggest that you start

Re: Apache/Tomcat vulnerability

[Mark Eggers]

ou did not really
>>>> change anything in that respect, because any proxy module would do the
>>>> same.
>>>>
>>>> But in all cases, what did not change, was the tomcat behind the
>>>> front-end, and the application running on that tomcat.  So the presumed
>>>> attackers did not have to change anything, they just kept on sending the
>>>> same requests, because they were really targeting your back-end tomcat or
>>>> the tomcat application in it, no matter /how/ you were forwarding
>>>> requests
>>>> from Apache httpd to tomcat.
>>>>
>>>> So either it is tomcat itself, which has a problem with some request URLs
>>>> which do not bother Apache httpd (possible, but statistically unlikely),
>>>> or
>>>> it is the application which runs in tomcat that has such a problem
>>>> (statistically, much more likely).
>>>>
>>>> we do not know yet
>>>>
>>>>>
>>>>> we have setup more logging and are waiting for them to attack once again
>>>>>
>>>>>
>>>> Yes, that is the right thing to do.  Before deciding what the problem may
>>>> be, and what you can do about it, the first thing you need is *data*.
>>>> You
>>>> need to know
>>>> - which request URL(s?) cause that problem
>>>> - which IPs these requests come from (always the same ? multiple IPs that
>>>> change all the time ? how many ? can these IPs be valid/expected clients
>>>> or
>>>> not ? do these IPs look like some "coordinated group" ?)
>>>> - how many such requests there may be during some period of time (10,
>>>> 100,
>>>> 1000, more ?)
>>>> - if these URLs result in passing the request to tomcat
>>>> - what tomcat application (if any) they are directed to
>>>> - if so, when that application receives such a request, what is it
>>>> supposed to do ? does it do it properly ? how long does it need, to
>>>> respond
>>>> to such a request ?
>>>>
>>>> You also need to ask yourself a question : is the application which you
>>>> run inside tomcat something that you designed yourself (and which hackers
>>>> are unlikely to know well-enough to find such a URL which paralyses your
>>>> server) ? or is it some well-known third-party java application which you
>>>> are running (and for which would-be attackers would be much more likely
>>>> to
>>>> know exactly such a bug) ?
>>>>
>>>>
>>>> anyway, thank you for all informations, it was very useful and
>>>>> educational
>>>>> reading for all of us
>>>>>
>>>>> best wishes,
>>>>> artur
>>>>>
>>>>> 2016-11-28 19:46 GMT+01:00 Mark Eggers <its_toas...@yahoo.com.invalid>:
>>>>>
>>>>> Jaaz,
>>>>>
>>>>>>
>>>>>> On 11/27/2016 2:46 PM, André Warnier (tomcat) wrote:
>>>>>>
>>>>>> On 27.11.2016 19:03, Jaaz Portal wrote:
>>>>>>>
>>>>>>> 2016-11-27 18:30 GMT+01:00 André Warnier (tomcat) <a...@ice-sa.com>:
>>>>>>>>
>>>>>>>> On 27.11.2016 14:26, Jaaz Portal wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> hi,
>>>>>>>>>
>>>>>>>>>> everything i know so far is just this single log line that appeared
>>>>>>>>>> in
>>>>>>>>>> apache error.log
>>>>>>>>>>
>>>>>>>>>> [Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid
>>>>>>>>>> 1397934896385
>>>>>>>>>> 92] AH00484: server reached MaxRequestWorkers setting, consider
>>>>>>>>>>
>>>>>>>>>> raising
>>>>>>>>>
>>>>>>>>
>>>>>> the
>>>>>>>
>>>>>>>> MaxR
>>>>>>>>>> equestWorkers setting
>>>>>>>>>>
>>>>>>>>>> there was nothing else, just this strange line
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This is not a

Re: Apache/Tomcat vulnerability

[Mark Eggers]

orwarding these requests to a back-end tomcat; and it is at
>>>>>> the
>>>>>> level of that back-end tomcat that the requests never seem to end, and
>>>>>> in
>>>>>> the end paralyse your tomcat server (and later on maybe your Apache
>>>>>> httpd
>>>>>> server too, because it is also waiting for tomcat to respond).
>>>>>>
>>>>>> So your very way of describing the problem, in terms of "first we used
>>>>>> this proxy module, and then they exploited the vulnerability so and so;
>>>>>> then we changed the proxy module, and they exploited that too; etc.."
>>>>>> seems to not have anything to do with the problem per se, and (I
>>>>>> believe)
>>>>>> confuses everyone, including yourself.
>>>>>>
>>>>>> It is not that "they" exploited different vulnerabilities of various
>>>>>> httpd
>>>>>> proxy modules, one after the other. Each of these proxy modules was
>>>>>> doing
>>>>>> its job properly, and forwarding valid HTTP requests properly to
>>>>>> tomcat.
>>>>>> When you changed from one proxy module to another, you did not really
>>>>>> change anything in that respect, because any proxy module would do the
>>>>>> same.
>>>>>>
>>>>>> But in all cases, what did not change, was the tomcat behind the
>>>>>> front-end, and the application running on that tomcat.  So the presumed
>>>>>> attackers did not have to change anything, they just kept on sending
>>>>>> the
>>>>>> same requests, because they were really targeting your back-end tomcat
>>>>>> or
>>>>>> the tomcat application in it, no matter /how/ you were forwarding
>>>>>> requests
>>>>>> from Apache httpd to tomcat.
>>>>>>
>>>>>> So either it is tomcat itself, which has a problem with some request
>>>>>> URLs
>>>>>> which do not bother Apache httpd (possible, but statistically
>>>>>> unlikely), or
>>>>>> it is the application which runs in tomcat that has such a problem
>>>>>> (statistically, much more likely).
>>>>>>
>>>>>> we do not know yet
>>>>>>
>>>>>>>
>>>>>>> we have setup more logging and are waiting for them to attack once
>>>>>>> again
>>>>>>>
>>>>>>>
>>>>>> Yes, that is the right thing to do.  Before deciding what the problem
>>>>>> may
>>>>>> be, and what you can do about it, the first thing you need is *data*.
>>>>>> You
>>>>>> need to know
>>>>>> - which request URL(s?) cause that problem
>>>>>> - which IPs these requests come from (always the same ? multiple IPs
>>>>>> that
>>>>>> change all the time ? how many ? can these IPs be valid/expected
>>>>>> clients or
>>>>>> not ? do these IPs look like some "coordinated group" ?)
>>>>>> - how many such requests there may be during some period of time (10,
>>>>>> 100,
>>>>>> 1000, more ?)
>>>>>> - if these URLs result in passing the request to tomcat
>>>>>> - what tomcat application (if any) they are directed to
>>>>>> - if so, when that application receives such a request, what is it
>>>>>> supposed to do ? does it do it properly ? how long does it need, to
>>>>>> respond
>>>>>> to such a request ?
>>>>>>
>>>>>> You also need to ask yourself a question : is the application which you
>>>>>> run inside tomcat something that you designed yourself (and which
>>>>>> hackers
>>>>>> are unlikely to know well-enough to find such a URL which paralyses
>>>>>> your
>>>>>> server) ? or is it some well-known third-party java application which
>>>>>> you
>>>>>> are running (and for which would-be attackers would be much more
>>>>>> likely to
>>>>>> know exactly such a bug) ?
>>>>>>
>>>>>>
>>>>>> anyway, than

Re: Apache/Tomcat vulnerability

[Mark Eggers]

Jaaz,

On 11/27/2016 2:46 PM, André Warnier (tomcat) wrote:
> On 27.11.2016 19:03, Jaaz Portal wrote:
>> 2016-11-27 18:30 GMT+01:00 André Warnier (tomcat) :
>>
>>> On 27.11.2016 14:26, Jaaz Portal wrote:
>>>
 hi,
 everything i know so far is just this single log line that appeared in
 apache error.log

 [Fri Nov 25 13:08:00.647835 2016] [mpm_event:error] [pid 13385:tid
 1397934896385
 92] AH00484: server reached MaxRequestWorkers setting, consider raising
 the
 MaxR
 equestWorkers setting

 there was nothing else, just this strange line

>>>
>>> This is not a "strange" line. It is telling you something.
>>> One problem is that you seem convinced in advance, without serious
>>> proof,
>>> that there is a "bug" or a vulnerability in httpd or tomcat.
>>> Read the explanation of the httpd parameter, here :
>>> http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestworkers
>>> and try to understand it.
>>>
>>
>> I understand it very well. We are serving no more that 500 clients per
>> day
>> so there was no other option that some kind of attack.
>>
>>
>> About the "bug" or "vulnerability" : a webserver is supposed to serve
>> HTTP
>>> requests from clients.  That is what you expect of it. It has no
>>> choice but
>>> to accept any client connection and request, up to the maximum it can
>>> handle considering its configuration and the capacity of the system on
>>> which it runs. That is not a bug, it is a feature.
>>>
>>>
>> We have some weeks ago come under attack from some Polish group. It was
>> first bind that was DoS'ed, we was running on stable Debian so i updated
>> bind to latest version. It did not helped. They has dos'ed it so we
>> switched to other dns provider. That has helped.
>>
>> Then they exploited some well know vulnerability in mod_proxy. We have
>> updated apache to the latest but again they has exploited it, so we have
>> switched to mod_jk. And then guess what. They exploited it too so i
>> decided
>> to write to this list looking for help before trying jetty.
>>
>>
>>>
>>> The normal Apache httpd access log, will log a request only when it is
>>> finished.  If the request never finishes, it will not get logged.
>>> That may be why you do not see these requests in the log.
>>> But have a look at this Apache httpd module :
>>> http://httpd.apache.org/docs/2.4/mod/mod_log_forensic.html
>>>
>>
>> ok, thanks, will take care
>>
>> Note : that is also why I was telling you to enable the mod_jk log,
>> and to
>>> examine it.
>>> Because mod_jk will also log information before the request produces a
>>> response.
>>>
>>>
>>> and server hanged.
>>>
>>> Again, /what/ is "hanged" ? Apache httpd, or tomcat ?
>>>
>>
>> Apache was accepting connection but not processed it. After restart of
>> tomcat server it worked again.
>>
>>
>>> Also in
>>>
 access logs there are no clues that it was under any heavy load.

 after around hour after discovering that our server hanged-out we have
 restarted tomcat server
 and it worked again

>>>
>>> Yes, because that will close all connections between Apache httpd and
>>> tomcat, and abort all requests that are in the process of being
>>> processed
>>> by tomcat. So mod_jk will get an error from tomcat, and will report an
>>> error to httpd, and httpd will communicate that error to the clients,
>>> and
>>> close their connection.
>>> It still does not tell you what the problem was.
>>> The only thing that it suggests, is that the "bad" requests actually
>>> make
>>> it all the way to tomcat.
>>>
>>
>> correct
>>
>> i will enable logs that you has pointed out and we will look what i will
>> catch
>> however i think we have only one chance, as if the solution we has found
>> out (connection_timeout + mod_bn)
>> will work they will stop exploiting it
>>
>> thank you very much for all the help and explanations
>> i will report to the list new facts once they will attack us again
>>
>> best regards,
>> artur
>>
> 
> Ok, but also read this e.g. :
> https://www.corero.com/blog/695-going-after-the-people-behind-ddos-attacks.html
> 
> Attempts to bring down a site by DoS attacks is a crime, in most places.
> You can report it, while at the same time trying to defend yourself
> against it.
> 
> It is also relatively easy, and quite inexpensive in terms of system
> resources, to run a small shell script which takes a list every few
> seconds of the connections to the port of your webserver, and which IPs
> they are coming *from*.
> E.g.
> First try the netstat command, to see what it lists, like :
> # netstat -n --tcp | more
> 
> Then you will want to filter this a bit, to only consider established
> connections to your webserver, for example :
> # netstat -n --tcp | grep ":80" | grep "ESTABLISHED"
> 
> Then you will want to send this to a logfile, regularly, like this :
> 
> # date >> some_file.log
> # netstat -n --tcp | grep ":80" | grep "ESTABLISHED" >> some_file.log
> 

Re: Tomcat 8.0.39 and tomcat 8.5.8 fails handling requsest

[Mark Eggers]

Mark,

On 11/17/2016 1:06 PM, Mark Thomas wrote:
> On 17/11/2016 21:29, Mark Eggers wrote:
>> Mark,
>>
>>
>> On 11/17/2016 2:00 AM, Mark Thomas wrote:
>>> On 16/11/2016 20:05, Mark Eggers wrote:
>>>> Mark,
>>>>
>>>> On 11/16/2016 12:23 AM, Mark Thomas wrote:
>>>>> On 15/11/2016 22:36, Zdeněk Henek wrote:
>>>>>> Hi,
>>>>>>
>>>>>> we are using tomcat 8.0.30 without problems.
>>>>>>
>>>>>> I have tested upgrade to 8.0.38 today and I got this error
>>>>>> More env. details JDK 8, tested on both Linux and Windows using different
>>>>>> JDK 8 updates (71, 111).
>>>>>>
>>>>>> 15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2]
>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing 
>>>>>> HTTP
>>>>>> request header
>>>>>>  Note: further occurrences of HTTP header parsing errors will be logged 
>>>>>> at
>>>>>> DEBUG level.
>>>>>>  java.lang.IllegalArgumentException: Invalid character found in the 
>>>>>> request
>>>>>> target. The valid characters are defined in RFC 7230 and RFC 3986
>>>>>
>>>>> 
>>>>>
>>>>>> The parameter in the request is this
>>>>>>
>>>>>> /list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
>>>>>
>>>>> Neither '{' nor '}' are permitted characters in a URI and that includes
>>>>> the query string.
>>>>>
>>>>>> Looks like this commit caused the exception
>>>>>> https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
>>>>>>
>>>>>> The commit message says:
>>>>>> Add additional checks for valid characters to the HTTP request line
>>>>>> parsing so invalid request lines are rejected sooner.
>>>>>>
>>>>>> We don't get any error in 8.0.30 using same request.
>>>>>>
>>>>>> The state in 8.0.30 was bug or 8.0.38 should process parameter
>>>>>>
>>>>>> criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
>>>>>>
>>>>>> ?
>>>>>
>>>>> Technically, 8.0.30 should have rejected the request but didn't.
>>>>>
>>>>> As per the commit message, Tomcat has tightened up validation of
>>>>> incoming HTTP requests to reject any that are not specification compliant.
>>>>>
>>>>> For the query string, the relevant extracts from RFC 3986 are:
>>>>>
>>>>> query   = *( pchar / "/" / "?" )
>>>>>
>>>>> pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
>>>>>
>>>>> unreserved= ALPHA / DIGIT / "-" / "." / "_" / "~"
>>>>>
>>>>> sub-delims= "!" / "$" / "&" / "'" / "(" / ")"
>>>>>   / "*" / "+" / "," / ";" / "="
>>>>>
>>>>>
>>>>> Hence, '{' and '}' are rejected.
>>>>>
>>>>> Mark
>>>>
>>>> Based on your explanation above, shouldn't the following query parameter
>>>> be rejected?
>>>>
>>>> http://somehost/someurl?plist=tagA=valueA|tagB=valueB|tagC=valueC
>>>>
>>>> where tagA, tagB, tagC, valueA, valueB, valueC are all ALPHA or DIGIT.
>>>>
>>>> I didn't see "|" listed as acceptable anywhere in RFC 3986.
>>>
>>> I agree, such a request should be rejected.
>>>
>>>> However, above URL works in Tomcat 8.0.39.
>>>
>>> I've just tested 9.0.x and 8.0.x and both rejected it. I don't think
>>> there have been any changes since those releases. Are you sure that:
>>> a) you are using 8.0.39
>>> b) the client isn't encoding the '|' before it is sent to Tomcat
>>>
>>>> I ask this because a developer has used the pipe symbol to separate
>>>> components. It plays havoc with mod_security rules, among other things.
>>>>
>>>> . . . a bit puzzled
>>>
>

Re: Tomcat 8.0.39 and tomcat 8.5.8 fails handling requsest

[Mark Eggers]

Mark,


On 11/17/2016 2:00 AM, Mark Thomas wrote:
> On 16/11/2016 20:05, Mark Eggers wrote:
>> Mark,
>>
>> On 11/16/2016 12:23 AM, Mark Thomas wrote:
>>> On 15/11/2016 22:36, Zdeněk Henek wrote:
>>>> Hi,
>>>>
>>>> we are using tomcat 8.0.30 without problems.
>>>>
>>>> I have tested upgrade to 8.0.38 today and I got this error
>>>> More env. details JDK 8, tested on both Linux and Windows using different
>>>> JDK 8 updates (71, 111).
>>>>
>>>> 15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2]
>>>> org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP
>>>> request header
>>>>  Note: further occurrences of HTTP header parsing errors will be logged at
>>>> DEBUG level.
>>>>  java.lang.IllegalArgumentException: Invalid character found in the request
>>>> target. The valid characters are defined in RFC 7230 and RFC 3986
>>>
>>> 
>>>
>>>> The parameter in the request is this
>>>>
>>>> /list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
>>>
>>> Neither '{' nor '}' are permitted characters in a URI and that includes
>>> the query string.
>>>
>>>> Looks like this commit caused the exception
>>>> https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
>>>>
>>>> The commit message says:
>>>> Add additional checks for valid characters to the HTTP request line
>>>> parsing so invalid request lines are rejected sooner.
>>>>
>>>> We don't get any error in 8.0.30 using same request.
>>>>
>>>> The state in 8.0.30 was bug or 8.0.38 should process parameter
>>>>
>>>> criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
>>>>
>>>> ?
>>>
>>> Technically, 8.0.30 should have rejected the request but didn't.
>>>
>>> As per the commit message, Tomcat has tightened up validation of
>>> incoming HTTP requests to reject any that are not specification compliant.
>>>
>>> For the query string, the relevant extracts from RFC 3986 are:
>>>
>>> query   = *( pchar / "/" / "?" )
>>>
>>> pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
>>>
>>> unreserved= ALPHA / DIGIT / "-" / "." / "_" / "~"
>>>
>>> sub-delims= "!" / "$" / "&" / "'" / "(" / ")"
>>>   / "*" / "+" / "," / ";" / "="
>>>
>>>
>>> Hence, '{' and '}' are rejected.
>>>
>>> Mark
>>
>> Based on your explanation above, shouldn't the following query parameter
>> be rejected?
>>
>> http://somehost/someurl?plist=tagA=valueA|tagB=valueB|tagC=valueC
>>
>> where tagA, tagB, tagC, valueA, valueB, valueC are all ALPHA or DIGIT.
>>
>> I didn't see "|" listed as acceptable anywhere in RFC 3986.
> 
> I agree, such a request should be rejected.
> 
>> However, above URL works in Tomcat 8.0.39.
> 
> I've just tested 9.0.x and 8.0.x and both rejected it. I don't think
> there have been any changes since those releases. Are you sure that:
> a) you are using 8.0.39
> b) the client isn't encoding the '|' before it is sent to Tomcat
> 
>> I ask this because a developer has used the pipe symbol to separate
>> components. It plays havoc with mod_security rules, among other things.
>>
>> . . . a bit puzzled
> 
> Me too. Any light you can shed would be helpful.

I did a Wireshark capture. The client is not encoding '|' before
sending. The '=' is not being encoded either.

I figured it out. I have Apache 2.2 (on Linux) or Apache 2.4 (on
Windows) in front of Tomcat.

I connect the two using mod_jk. When going through the following:

browser --> apache httpd (2.2, 2.4) -->(AJP) Tomcat (8.0.39, 8.5.8)

the request works ('|', '=', and other hideousness).

When going through the following:

browser --> Tomcat (8.0.39, 8.5.8)

the request fails with the error message as posted by the original author.

I'll go through the Apache HTTPD and mod_jk configurations carefully to
see what's going on.

However, both are pretty stock configurations.

. . . thanks for your patience
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat 8.0.39 and tomcat 8.5.8 fails handling requsest

[Mark Eggers]

Mark,

On 11/16/2016 12:23 AM, Mark Thomas wrote:
> On 15/11/2016 22:36, Zdeněk Henek wrote:
>> Hi,
>>
>> we are using tomcat 8.0.30 without problems.
>>
>> I have tested upgrade to 8.0.38 today and I got this error
>> More env. details JDK 8, tested on both Linux and Windows using different
>> JDK 8 updates (71, 111).
>>
>> 15-Nov-2016 17:14:51.189 INFO [http-nio-8080-exec-2]
>> org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP
>> request header
>>  Note: further occurrences of HTTP header parsing errors will be logged at
>> DEBUG level.
>>  java.lang.IllegalArgumentException: Invalid character found in the request
>> target. The valid characters are defined in RFC 7230 and RFC 3986
> 
> 
> 
>> The parameter in the request is this
>>
>> /list?criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
> 
> Neither '{' nor '}' are permitted characters in a URI and that includes
> the query string.
> 
>> Looks like this commit caused the exception
>> https://github.com/apache/tomcat80/commit/779d5d34e68e50d2f721897050b147106992f566
>>
>> The commit message says:
>> Add additional checks for valid characters to the HTTP request line
>> parsing so invalid request lines are rejected sooner.
>>
>> We don't get any error in 8.0.30 using same request.
>>
>> The state in 8.0.30 was bug or 8.0.38 should process parameter
>>
>> criteria={%22$type%22:%22Equal%22,%22attr%22:%22id%22,%22value%22:101}
>>
>> ?
> 
> Technically, 8.0.30 should have rejected the request but didn't.
> 
> As per the commit message, Tomcat has tightened up validation of
> incoming HTTP requests to reject any that are not specification compliant.
> 
> For the query string, the relevant extracts from RFC 3986 are:
> 
> query   = *( pchar / "/" / "?" )
> 
> pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
> 
> unreserved= ALPHA / DIGIT / "-" / "." / "_" / "~"
> 
> sub-delims= "!" / "$" / "&" / "'" / "(" / ")"
>   / "*" / "+" / "," / ";" / "="
> 
> 
> Hence, '{' and '}' are rejected.
> 
> Mark

Based on your explanation above, shouldn't the following query parameter
be rejected?

http://somehost/someurl?plist=tagA=valueA|tagB=valueB|tagC=valueC

where tagA, tagB, tagC, valueA, valueB, valueC are all ALPHA or DIGIT.

I didn't see "|" listed as acceptable anywhere in RFC 3986.

However, above URL works in Tomcat 8.0.39.

I ask this because a developer has used the pipe symbol to separate
components. It plays havoc with mod_security rules, among other things.

. . . a bit puzzled
/mde/





signature.asc
Description: OpenPGP digital signature

Re: Setting up a Context outside of webapps

[Mark Eggers]

Replying inline and at the end of the most recently posted message:

On 10/21/2016 10:31 AM, Igal @ Lucee.org wrote:
> I'm asking my question differently since it didn't get much traction
> when I asked it before.
> 
> I want to set up a Web Context outside of %CATALINA_BASE%/webapps, e.g.
> at C:\WebRoot\myapp.  I prefer to configure it in server.xml, because I
> like it that all of my config files are at %CATALINA_BASE%/conf.
> 
> So for example, to set up an app for myapp.tld, with contents in
> C:\WebRoot\myapp, I use the following snippet:
> 
> 
> 
> 
> 
> I don't want to specify Host appBase to C:\WebRoot because it contains
> separate sites (Contexts) in different directories, and each site is
> configured to run at the root directory of the site, e.g.
> http://myapp.tld/.  I also clear the contents of %CATALINA_BASE%/webapps.
> 
> Is that the right way to do it?  Is there a better way?  Anything wrong
> with this set up?

1. In my opinion, no
2. In my opinion, yes
3. Read the docs concerning docBase, appBase, and ROOT.war

> 
> It'd be great if the docs had contained some real examples.
> 
> Thanks,
> 
> Igal Sapir
> Lucee Core Developer
> Lucee.org 
> 

1. Create separate Host entries for each host that you wish to serve.
   See:

http://tomcat.apache.org/tomcat-8.5-doc/virtual-hosting-howto.html

2. Name your WAR file ROOT.war (case is important even on Windows)

3. Navigate to http://hostname/

The appropriate site will come up with the default application being
ROOT.war.

There are a lot of examples - here's an old one:

http://wiki.apache.org/tomcat/TomcatDevelopmentVirtualHosts

One of these days I'll get around to revising, rewriting, and updating
the document for a production environment.

We use a variant of that setup with CATALINA_BASE and CATALINA_HOME for
production. It makes managing hosts and doing upgrades simple. Most of
the work can be done without taking the system offline.

. . . just my two cents
/mde/


> On 10/21/2016 1:21 AM, r.bott...@afterbit.com wrote:
>> Hello,
>> did you received some real config?
>> Roberto.
>>   -Messaggio originale-
>> Da: Igal @ Lucee.org [mailto:i...@lucee.org]
>> Inviato: venerdì 7 ottobre 2016 21:57
>> A: Tomcat Users List 
>> Oggetto: Re: Host appBase vs. Context docBase
>>
>>> Suppose you tell us your Tomcat version.
>> I'm using Tomcat 8.5.5 -- not sure how relevant that is since AFAIK
>> this has
>> not changed in years.
>>
>>> It is highly unlikely that you want the  name to be App1
>> Of course that my host name is not App1, that was to remove fluff and to
>> keep only the relevant information in the email.
>>
>>> The path attribute of the  element must not be used unless
>>> the  element is in server.xml, which it should not be
>> I actually prefer it to be in server.xml
>>
>>> The docBase attribute is used only when the  element is
>>> located in conf/Catalina/[host]/[appName].xml
>> That is definitely not true.  I've set up Tomcat many many times like
>> this
>> and it works.  I may have not set it up the best way, hence my question
>> here, but the docBase attribute is indeed, used.
>>
>>> You need to read the documentation for , , and deployment
>> for the Tomcat version you're using.
>> It would have been nice to see some real life examples of complete
>> configurations.
>>
>> Igal Sapir
>> Lucee Core Developer
>> Lucee.org 
>>
>> On 10/7/2016 12:39 PM, Caldarale, Charles R wrote:
 From: Igal @ Lucee.org [mailto:i...@lucee.org]
 Subject: Host appBase vs. Context docBase Suppose that I have an
 application at C:\WebApps\App1
>>> Suppose you tell us your Tomcat version.
>>>
 
 
 
 
 
  
>>> Both of the above are incorrect.  It is highly unlikely that you want
>>> the
>>  name to be App1.  The appBase attribute of  must point to a
>> directory where one or more webapps are located for automatic deployment.
>> It must never point to a specific webapp.  The path attribute of the
>>  element must not be used unless the  element is in
>> server.xml, which it should not be.  The docBase attribute is used
>> only when
>> the  element is located in conf/Catalina/[host]/[appName].xml.
>>> You need to read the documentation for , , and deployment
>> for the Tomcat version you're using.
>>>- Chuck
>>>
>>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received
>> this in error, please contact the sender and delete the e-mail and its
>> attachments from all computers.
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For 

Re: Context Dependency Injection with Tomcat 7.0 x / 8.0 x

[Mark Eggers]

Kiran,

On 10/5/2016 5:15 PM, Kiran Badi wrote:
> Hi All,
> 
> I wanted to check if their is a way to do CDI with Tomcat for 7x and 8x
> version as per JEE spec ?
> 
> I have a project for which I wanted to use CDI the way spring does it.
> 
> Appreciate if someone can suggest something.
> 
> 
> - Kiran
> 

Probably the easiest way to do this is to use TomEE:

http://tomee.apache.org/

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Websocket endpoint on Tomcat 8

[Mark Eggers]

Astor,

On 9/27/2016 12:45 PM, Astor John Pinto wrote:
> Hi all,
> 
> We have been trying to set up a websocket end point on Tomcat 8.
> 
> The dependency in the pom.xml is
> 
> 
> 
> 
> 
> commons-logging
> 
> commons-logging
> 
> 1.2
> 
> jar
> 
> provided
> 
> 
> 
> 
> 
> javax.websocket
> 
> javax.websocket-api
> 
> 1.0
> 
> provided
> 
> 
> 
> 
> 
> The handshake and connection works fine, while deploying the war file on
> localhost, but the handshake fails when we deploy(using aws elastic
> beanstalk) the war file on the Tomcat server.
> 
> The handshake (http) url returns a 404 Not Found Error.
> 
> What would be going wrong here?
> 
> Thanks
> 

It's been a while since I've played with the AWS Elastic Beanstalk
Tomcat AMI.

However if I remember correctly, the AMI fronts Tomcat with an Apache
HTTPD server and uses mod-proxy-http to forward requests.

In that case, the websocket connection won't work.

If the AMI is using Apache HTTPD 2.4, then you can possibly use
mod_proxy_wstunnel. It also depends on whether or not mod_proxy_wstunnel
is available on the AMI.

If so, then you'll have to provide the appropriate configuration files
in your Beanstalk bundle when you deploy.

Please note I have not tried any of this. I hope to get back to working
with AWS Elastic Beanstalk in a week or so for $work.

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: AT WITS END regarding JVM arguments

[Mark Eggers]

James,

On 9/1/2016 11:36 AM, James H. H. Lampert wrote:
> Ladies and Gentlemen:
> 
> One of our Tomcat servers (refreshed from
> apache-tomcat-7.0.67-windows-x86.zip) is running AS A SERVICE on a
> Windows box.
> 
> And we need to set JVM Options of
>  -Djavax.servlet.request.encoding=UTF-8
>  -Dfile.encoding=UTF-8
>  -Djava.awt.headless=true
> 
> Unlike IBM Midrange boxes, on which I can, with a simple OS command,
> list all the JVMs currently running on the system, and look up the
> arguments, environment variables, system properties, , I can't find
> any way to verify the JVM arguments (this box has only a JRE, not a
> JDK), other than what gets sent to the log file. I even tried installing
> a trial of JProfiler, but if checking arguments is in there, it's
> well-hidden!
> 
> I just tried adding a "setenv.bat" to the "bin" directory, containing
> 
>> SET CATALINA_OPTS=-Djava.awt.headless=true
>> -Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8
> 
> and after stopping and starting the service, even after rebooting the
> Windows box, "headless" cannot be found in the log file, and neither can
> I find "UTF."
> 
> WHAT COULD BE GOING WRONG HERE?
> 
> -- 
> JHHL

I'm not a Windows person, but here's how I did it:

1. Do a normal installation of Tomcat with service.bat
   service.bat install
2. Start up the Windows monitor service
   tomcat7w.exe
3. Navigate to the Java tab
4. Select the Java Options: window
5. Add your additional requirements 1 per line:
   -Djavax.servlet.request.encoding=UTF-8
   -Dfile.encoding=UTF-8
   -Djava.awt.headless=true
6. Start Tomcat
7. Observe logs in %CATALINA_BASE%\logs
   tomcat7-stderr.2016-09-01.log

INFO: Command line argument: -Djavax.servlet.request.encoding=UTF-8
INFO: Command line argument: -Dfile.encoding=UTF-8
INFO: Command line argument: -Djava.awt.headless=true

Now you could probably add these with tomcat7 //US//Tomcat7 with the
suitable ++JvmOptions arguments, but it looks like it replaces the
original ++JvmOptions. That means you'd have to duplicate the original
options (see service.bat) as well as add the above three options.

tomcat7w.exe seems easier, but if you're doing unattended installations
modifying service.bat (or creating your own tomcat7.exe command line)
might be easier.

See the following:

https://tomcat.apache.org/tomcat-7.0-doc/windows-service-howto.html

as a reference.

. . . just my two cents
/mde/




signature.asc
Description: OpenPGP digital signature

Re: Tomcat7 / Axis2

[Mark Eggers]

Matthias,

On 8/22/2016 8:32 AM, Matthias Schmitt wrote:
> Hello everybody,
> 
> We have a Tomcat 7 and Axis 2 for our Java SOAP web service over
> https on our Ubuntu server. We also use C3PO connection pooling (also
> in other web services which is working fine). However, I´m not sure
> if this is related to the topic.
> 
> The web service is working for about two/three days and after that
> time period it´s not working anymore. Then our consuming customer
> receives a Read Timeout Exception. After restarting the Tomcat
> servlet everything is working fine again. Processing the request has
> a duration of about 3 seconds. The Axis 2 has a default socket
> timeout of 30 seconds. Our customer has a wait timeout of 60 seconds.
> The strange thing about the problem is that it´s working for amount
> of time and then the problem occurs. Even if we increase the client
> timeout it seems like the request will be not processed. Also
> increasing the socket timeout value in axis configuration does not
> take effect. There is no exception message in the log that could help
> us to reproduce the problem.
> 
> Thanks for your help,
> 
> Mit besten Grüßen/with best regards
> 
> Matthias Schmitt

A thread dump when things are stuck would probably tell you a bit.

That being said, I did a quick search on connection pooling
implementations for Java, and found an interesting article:

http://www.trustiv.co.uk/2014/06/battle-connection-pools

It seems (at least in 2014) that if there are too few cp30 helper
threads, you might end up with the behavior that you're seeing.

It's just a thought. I have no experience with cp30 in this scenario.

. . . just my two cents.
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Tomcat 8.5 Resource Setting Says it's being ignored but documentation shows it is supported

[Mark Eggers]

On 8/17/2016 10:34 AM, McKenzie, Mitch wrote:
> Seeing the following  warning for all of my datasources when tomcat 8.5.4 
> starts up : Ignoring unknown property: value of "3" for 
> "validationInterval" property
> 
> I see validationInterval in the docs here: 
> https://tomcat.apache.org/tomcat-8.5-doc/jdbc-pool.html
> 
> Here is one of my resource defs:
> 
>  name="jdbc/XYZAPP"
> auth="Container"
> type="javax.sql.DataSource"
> factory="org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory"
> username="?"
> password="?"
> driverClassName="some.driver"
> url="jdbc:xyz://xyzapp:12345/SomeDB"
> initialSize="10"
> maxTotal="100"
> maxIdle="50"
> minIdle="10"
> timeBetweenEvictionRunsMillis="3"
> minEvictableIdleTimeMillis="6"
> testOnBorrow="true"
> testWhileIdle="false"
> testOnReturn="false"
> validationQuery="SELECT 1"
> validationInterval="3"
> validationQueryTimeout="3"/>
> 
> 
> This message has been scanned for malware by Websense. www.websense.com
> 

I believe that the configuration above is for Tomcat's database
connection pooling factory, and not the default repackaged Apache
Commons DBCP 2.x factory.

In order to use the Tomcat factory, you'll have to add the following
line to your context.xml:

factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"

See the following for more information:

https://tomcat.apache.org/tomcat-8.5-doc/jdbc-pool.html

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Set up postgresql on tomcat7

[Mark Eggers]

Replies at the end:

Andrew:

On 8/17/2016 7:15 AM, Andrew Davis wrote:
> Its a redhat ..  i don't think tomcat 7 or later will run on this.
> 
> On Aug 17, 2016 9:14 AM, "André Warnier (tomcat)" 
> wrote:
> 
>> On 17.08.2016 16:06, Andrew Davis wrote:
>> 
>>> Thanks for the prompt..
>>> 
>>> I have been looking at the doc s and have my .jar file for
>>> postgres in the lib folder.
>>> 
>>> I do not understand where the  >> name="jdbc/postgres..."
>>> 
>>> Is supposed to go.
>>> 
>>> Im reading at 
>>> https://tomcat.apache.org/tomcat-6.0-doc/jndi-datasource- 
>>> examples-howto.html
>>> 
>> 
>> If your version is Tomcat 7, then maybe you should look at the
>> Tomcat 7 documentation, not the v 6 one.
>> 
>> In any case, even Tomcat 7 is somewhat old now.  Can you upgrade to
>> a later version ? That might increase your chances of getting help
>> here.
>> 
>> 
>>> This author has not had success here...
>>> 
>>> This doesn't inspire confidence  here,  but that's what the
>>> documentation shows...
>>> 
>>> 
>> Sorry, but personally my expertise in these matters is nil, so I
>> hope someone else here can pick this up now.
>> 
>> Andy
>>> 
>>> On Aug 17, 2016 4:43 AM, "André Warnier (tomcat)" 
>>> wrote:
>>> 
>>> On 17.08.2016 11:32, Andrew Davis wrote:
>>> 
>>> Thanks.
 
 I can now deploy my servlets and they work ok, but..
 
 I had hoped to just deploy one copy of the postgres jar to my
 server and then be able to consume it inside multiple
 applications, instead of having multiple copies of the jar in
 multiple apps.
 
 I've been through the JNDI portion of the docs on Tomcat and
 found it still somewhat confusing.
 
 Andy...
 
 
>>> I am far from an expert on this kind of thing, but have you
>>> looked at this :
>>> 
>>> http://tomcat.apache.org/tomcat-8.0-doc/config/globalresources.html
>>>
>>>
>>> 
Maybe that is the missing link in your understanding ?
>>> 
>>> 
>>> 
>>> 
>>> On Aug 17, 2016 4:06 AM, "André Warnier (tomcat)" 
>>> wrote:
 
 Andrew,
 
> this list strips most kinds of attachments, so nobody saw
> your screenshots or whatever was in them. You need to
> copy/paste that text right into your message to the list 
> (amd make sure that you send your message as "plain text",
> not HTML, otherwise it will be unreadable.
> 
> On 17.08.2016 02:10, Andrew Davis wrote:
> 
> Well,
> 
>> This has not turned out how I wanted it to .
>> 
>> I have 'a solution' but it isnt what I wanted to do.  I
>> went back and re added the .jar file to the 'WEB-INF'
>> folder and then deployed a new WAR file.
>> 
>> Now things work just 'fine' BUT I suspect that this is not
>> what a real coder would do and suspect I am still in the
>> realms of hackery..
>> 
>> [image: Inline image 1]
>> 
>> Andy.
>> 
>> 
>> 
>> On Tue, Aug 16, 2016 at 6:53 PM, Andrew Davis
>>  wrote:
>> 
>> I found the following in my logs..
>> 
>> 
>>> from command line in Putty...
>>> 
>>> cd /var/lib/tomcat7 tail -f logs/catalina.out
>>> 
>>> [image: Inline image 1]
>>> 
>>> I do have the jar file located in the following location
>>> on the machine..
>>> 
>>> /usr/share/tomcat7/lib
>>> 
>>> https://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howt
>>>
>>> 
o.html#JDBC_Data_Sources  is confusing to me.  It shouldnt but it is..
>>> at this point..
>>> 
>>> Andy..
>>> 
>>> 
>>> 
>>> On Tue, Aug 16, 2016 at 3:01 PM, George Sexton < 
>>> geor...@mhsoftware.com> wrote:
>>> 
>>> The best place to start would be to look at tomcat's logs
>>> for exceptions
>>> 
>>> or errors.
 
 
 
 On 8/16/2016 12:44 PM, Andrew Davis wrote:
 
 Hello,
 
 Im working on getting java servlets to run on my
 instance of Ububtu
> with tomcat7.
> 
> I write my applications in Eclipse.. when i run my
> apps localhost i see everything just fine.
> 
> When i export my WAR files i check the includ source
> files.
> 
> I deploy the WAR file through tomcat manager.
> 
> I can see the java classes which i use to insert
> records into my postgresql database. However,  there
> is nothing happening.  When i attempt  to run them,
> no joy.
> 
> I have the postgresql .jar file installed on my
> headless ubuntu server , but no luck.
> 
> Aside from the .jar file is there anything else i
> need to configure?
> 
> Any advice is welcome
> 
> Andy

AD: Its a redhat ..  i don't think tomcat 7 or later will run on this.

From your first message, I thought that 

Re: Log4j Issue

[Mark Eggers]

Syed,

Please do not top post. See:

http://tomcat.apache.org/lists.html#tomcat-users

item 6.


My responses are inline.

On 8/10/2016 1:43 AM, Syed Mudassir Ahmed wrote:
> Mark,
>   Thanks for the response.
>   Indeed I am using Log4j-2.  Below is my xml file:
> 
> 
> 
>   
>  
>  filePattern="/home/syed/logs/ssp-log-%d{MM-dd-}-%i.txt">
>   
> date:%d, millisecs:%r, level:%p, logger:%c, thread:[%t],
> file:%F, method:%M, line:%L, message:%m%n%n
>   
>   
> 
>   
>   
> 
>   
>   
> 
>
> 
> 
>   
> 
>   
> 

You really need to read the log4j2 documentation. In particular, pay
attention to the logger documentation.

> 
> And in my web app, I have the following statement that will set the system
> property to where the above file is located at:
> 
> System.setProperty("log4j.configurationFile", "file://" + rootPath +
> "/log4j-2.xml");

You really need to read the link I gave you on how log4j2 is configured
with web applications.

Again, the link is:

https://logging.apache.org/log4j/2.x/manual/webapp.html

Follow it slavishly until you get things working.

You really need to follow the documentation on where to place log4j2.xml
and how that file is found.

http://logging.apache.org/log4j/2.x/manual/configuration.html

In particular, pay attention to Automatic Configuration, item 9. I
recommend this until you do a little more reading / research, and
understand how things work.

That's why I recommended to place log4j2.xml in WEB-INF/classes or in a
JAR file in WEB-INF/lib. It's then on the web application classpath. No
other configuration is necessary.

In particular, pay attention to what happens when you do not configure
log4j2 correctly, notably Automatic Configuration, item 10.

10. If no configuration file could be located the DefaultConfiguration
will be used. This will cause logging output to go to the console.

This will dump your log output to the console, which ends up in
catalina.out when running in Tomcat.

> 
> 
> Thanks,
> 
> 
> On Wed, Aug 10, 2016 at 11:59 AM, Mark Eggers <its_toas...@yahoo.com.invalid
>> wrote:
> 
>> Syed,
>>
>> On 8/9/2016 10:08 PM, Syed Mudassir Ahmed wrote:
>>> I am using Log4j in my web app to write the logs to a separate file.
>>> Surprisingly, that log file is not at all getting created.  I run
>>> the logger logic as a standalone application and the log file indeed
>>> gets created.  I am assuming tomcat is not allowing me to write my
>>> logs to a file.  It is simply redirecting all the log messages to
>>> catalina.out.  Any suggestions on how to direct my logs to a separate
>>> file and not to catalina.out.
>>>
>>> Thanks,
>>>
>>
>> Hmm,
>>
>> Works for me . . .
>>
>> 
>> >   'PUBLIC:-//log4j/log4j Configuration//EN'
>>   'http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-
>>   files/log4j.dtd'>
>> 
>>   
>> 
>> 
>>   
>> 
>>   
>>   
>> 
>> 
>>   
>> 
>>
>> (sorry for the word wrap for the !DOCTYPE line).
>>
>> Since log4j 1.x was retired in April of 2015, maybe you should move to
>> log4j2.
>>
>> Read the following:
>>
>> https://logging.apache.org/log4j/2.x/manual/webapp.html
>>
>> A (more or less) corresponding log4j2.xml file (different app):
>>
>> 
>> 
>> 
>> > immediateFlush="true"
>> fileName="${sys:catalina.base}/logs/logstwo.log"
>> filePattern=
>>  "${sys:catalina.base}/logs/logstwo-%d{-MM-dd}.log.gz">
>> 
>> %d %-5p %c.%M:%L - %m%n
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>> Note, the log4j2.xml does log rotation, as well as compression of the
>> rotated log files. It also logs at a package level one higher than the
>> log4j.xml configuration.
>>
>> The XML file (log4j.xml or log4j2.xml) goes into WEB-INF/classes, or in
>> a JAR file in WEB-INF/lib.
>>
>> The appropriate log4j jar files (different between log4j and log4j2) go
>> in WEB-INF/lib.
>>
>> Quite frankly, your question is very broad and without writing a
>> tutorial it's difficult to answer.
>>
>> I suggest reading the following as well:
>>
>> http://www.catb.org/~esr/faqs/smart-questions.html
>>

. . . just my two cents
/mde/






signature.asc
Description: OpenPGP digital signature

Re: Log4j Issue

[Mark Eggers]

Syed,

On 8/9/2016 10:08 PM, Syed Mudassir Ahmed wrote:
> I am using Log4j in my web app to write the logs to a separate file. 
> Surprisingly, that log file is not at all getting created.  I run
> the logger logic as a standalone application and the log file indeed
> gets created.  I am assuming tomcat is not allowing me to write my
> logs to a file.  It is simply redirecting all the log messages to
> catalina.out.  Any suggestions on how to direct my logs to a separate
> file and not to catalina.out.
> 
> Thanks,
> 

Hmm,

Works for me . . .


http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/xml/doc-
  files/log4j.dtd'>

  


  

  
  


  


(sorry for the word wrap for the !DOCTYPE line).

Since log4j 1.x was retired in April of 2015, maybe you should move to
log4j2.

Read the following:

https://logging.apache.org/log4j/2.x/manual/webapp.html

A (more or less) corresponding log4j2.xml file (different app):






%d %-5p %c.%M:%L - %m%n
















Note, the log4j2.xml does log rotation, as well as compression of the
rotated log files. It also logs at a package level one higher than the
log4j.xml configuration.

The XML file (log4j.xml or log4j2.xml) goes into WEB-INF/classes, or in
a JAR file in WEB-INF/lib.

The appropriate log4j jar files (different between log4j and log4j2) go
in WEB-INF/lib.

Quite frankly, your question is very broad and without writing a
tutorial it's difficult to answer.

I suggest reading the following as well:

http://www.catb.org/~esr/faqs/smart-questions.html

. . . just my two cents
/mde/



signature.asc
Description: OpenPGP digital signature

Re: Strange MySQL error when starting tomcat 8 on boot

[Mark Eggers]

Sean,


On 8/9/2016 1:55 PM, Sean Son wrote:
> On Mon, Aug 8, 2016 at 11:31 AM, Mark Eggers
> <its_toas...@yahoo.com.invalid> wrote:
> 
>> Sean,
>> 
>> On 8/8/2016 7:10 AM, Sean Son wrote:
>>> On Fri, Aug 5, 2016 at 5:34 PM, Mark Eggers
>> <its_toas...@yahoo.com.invalid>
>>> wrote:
>>> 
>>>> On 8/5/2016 2:19 PM, Sean Son wrote:
>>>>> Hello!
>>>>> 
>>>>> I am currently running Tomcat 8 on RHEL 7.2 with one web
>>>>> application called AppVet (A mobile Application  Vetting
>>>>> program).  The application works well but when I tried to use
>>>>> a script to allow tomcat to start up at boot, the webapp
>>>>> gives an authentication error. I saw the following error in
>>>>> the logs for appvet:
>>>>> 
>>>>> 
>>>>> [ERROR] Could not connect to database: 
>>>>> com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: 
>>>>> Communications link failure
>>>>> 
>>>>> The last packet sent successfully to the server was 0
>>>>> milliseconds ago. The driver has not received any packets
>>>>> from the server. Make sure your MySQL password in your
>>>>> AppVetProperties.xml file is correct
>>>>> 
>>>>> 
>>>>> I know for a fact that the MySQL password is correct in that
>>>>> XML file. I double checked it already.  Any ideas on how I
>>>>> should fix this error?
>>>>> 
>>>>> This is the script that I am using for startup/shutdown of
>>>>> Tomcat8 on boot:
>>>>> 
>>>>> http://pastebin.com/mrvfDtTD
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> Sean
>>>>> 
>>>> 
>>>> It appears that your Tomcat process is running as root. Do not
>>>> do this.
>>>> 
>>>> Is your MySQL server up and running before Tomcat is started?
>>>> 
>>>> . . . just my two cents /mde/
>>>> 
>>>> 
>>> Hello thank you for your response
>>> 
>>> I created a user account for Tomcat, I will set the script to use
>>> that account instead of the root account.   Question though, does
>>> this account need a password?
>> 
>> Yes, especially since you'll be running a service.
>> 
>> Note that if you're running Tomcat on a privileged port (less than 
>> 1024), a non-root account will not be able to bind to this port.
>> 
>> You have three choices.
>> 
>> 1. iptables
>> 
>> route port 80 to port 8080 (Tomcat default) internally. Take a look
>> at the iptables documentation.
>> 
>> 2. jsvc
>> 
>> jsvc from the Apache Commons Daemon project allows you to run a
>> service such as Tomcat more easily. I don't remember if there is an
>> RPM for RHEL or not (possible in EPEL). It's configuration and
>> startup script are different, but the documentation is a good start
>> (there are Tomcat examples).
>> 
>> https://commons.apache.org/proper/commons-daemon/jsvc.html
>> 
>> 3. Apache HTTPD front end with mod_proxy_ajp or mod_jk
>> 
>> I'd do this if you need Apache HTTPD for other web applications (a
>> PHP application, perhaps). There is good documentation available on
>> the Tomcat web site, as well as a ton of discussion on the mailing
>> list to get this running.
>> 
>> If you don't feel like building software, I'd recommend
>> mod_proxy_ajp. I find mod_jk more flexible and a little easier to
>> use (opinions on easy of use vary), but you'd have to build mod_jk
>> from source. It's easy to do, but some people find that a little
>> more challenging.
>> 
>>> 
>>> Also, I cant tell if the MySQL server is up and running prior to
>>> Tomcat being started. I know that mysqld is enabled to start at
>>> boot, but I dont know if Tomcat starts prior to MySQL.  How would
>>> I figure that out?
>>> 
>> 
>> I thought REHL 7 uses systemd and not init scripts?
>> 
>> There have been many discussions on the mailing list concerning
>> systemd and Tomcat. I think someone has posted appropriate systemd
>> scripts.
>> 
>> If not, then look at /etc/rc3.d. Start and stop scripts are
>> executed in numerical order. Start scripts start with S, stop
>> scripts start with K.
>> 
>> Adjust the numbers in your Tomcat init script (/etc/initinit.d)