RE: Tomcat 7 / Java 7
Thank you Christopher!! I understand that the message is just an INFO and not an error. Also, I haven’t installed tcnative as I am not using it. My question was regarding the difference in messages when I change JAVA version using JAVA_HOME. Is there a way I can find out which version of JAVA Tomcat is using?

Thank you,
-Ragini

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, February 03, 2014 3:42 PM
To: Tomcat Users List
Subject: Re: Tomcat 7 / Java 7

Ragini,

On 2/3/14, 4:19 PM, Singh, Ragini wrote:
> I upgraded Java 1.6.45 to Java 1.7.51 using java-1.7.0-oracle.x86_64 : Oracle Java Runtime Environment on RHEL 5. Used the alternatives command to make the Java 7 as Java version.
>
> Now in my custom startup script if I define JAVA_HOME as JAVA_HOME=/usr/lib/jvm/java tomcat 7 recognizes the java as 1.6 ( the previous version) and gives this message
>
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>
> I modified the JAVA_HOME to JAVA_HOME=/usr/lib/jvm/jre-1.7.0-oracle.x86_64. Now tomcat starts and gives the message as
>
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
>
> I believe it is not recognizing the correct Java version which is 1.7. Am I missing anything ?

Have you installed tcnative? Installing tcnative is a prerequisite for using tcnative. Note that the above is an INFO message and not an error in any way.
-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Tomcat 7 / Java 7
Hello,

I upgraded Java 1.6.45 to Java 1.7.51 using java-1.7.0-oracle.x86_64 : Oracle Java Runtime Environment on RHEL 5. Used the alternatives command to make the Java 7 as Java version.

Now in my custom startup script if I define JAVA_HOME as JAVA_HOME=/usr/lib/jvm/java tomcat 7 recognizes the java as 1.6 ( the previous version) and gives this message

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

I modified the JAVA_HOME to JAVA_HOME=/usr/lib/jvm/jre-1.7.0-oracle.x86_64. Now tomcat starts and gives the message as

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

I believe it is not recognizing the correct Java version which is 1.7. Am I missing anything ?

Thank you,
-Ragini
Tomcat 7 / Java 7
Hello,

Is Tomcat 7.0.42 compatible with Java 7? http://stackoverflow.com/questions/9294355/is-tomcat-7-now-compatible-with-java-7

If yes, do you know if there is something special to migrate an existing installation of Tomcat 7/Java 6 to Tomcat 7/Java 7?

-Ragini
Tomcat 7.0.42 Won't Start
Hello,

I am trying to install and run my application Tomcat 7.0.42 on RHEL 5. Installation was correct and I was able to start Tomcat. Now when I place my application in the webapps folder and add the following to server.xml, my Tomcat doesn't start.

<Context path="/saebpi/SASECURITYFORM" docBase="saebpi/SASECURITYFORM" reloadable="true" crossContext="true">
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs/SASECURITYFORM" prefix="access." suffix=".log" pattern="common" resolveHosts="false" />
</Context>

I have attached the log file with error.

Thank you,
-RS

Aug 14, 2013 3:39:33 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64/server:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/lib/amd64:/usr/lib/jvm/java-1.6.0-sun-1.6.0.45.x86_64/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
Aug 14, 2013 3:39:33 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8609]
Aug 14, 2013 3:39:33 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 595 ms
Aug 14, 2013 3:39:33 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Aug 14, 2013 3:39:33 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.42
Aug 14, 2013 3:39:34 PM org.apache.catalina.core.ContainerBase startInternal
SEVERE: A child container failed during start
java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/saebpi/SASECURITYFORM]]
    at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:222)
    at java.util.concurrent.FutureTask.get(FutureTask.java:83)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1123)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:800)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1559)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1549)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/saebpi/SASECURITYFORM]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    ... 7 more
Caused by: java.lang.NoClassDefFoundError: com/es/uh/edu/EBPI/SECFORM/InitParamsMissingException
    at java.lang.Class.getDeclaredFields0(Native Method)
    at java.lang.Class.privateGetDeclaredFields(Class.java:2300)
    at java.lang.Class.getDeclaredFields(Class.java:1745)
    at org.apache.catalina.util.Introspection.getDeclaredFields(Introspection.java:106)
    at org.apache.catalina.startup.WebAnnotationSet.loadFieldsAnnotation(WebAnnotationSet.java:263)
    at org.apache.catalina.startup.WebAnnotationSet.loadApplicationServletAnnotations(WebAnnotationSet.java:142)
    at org.apache.catalina.startup.WebAnnotationSet.loadApplicationAnnotations(WebAnnotationSet.java:67)
    at org.apache.catalina.startup.ContextConfig.applicationAnnotationsConfig(ContextConfig.java:405)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:881)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:376)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5322)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 7 more
Caused by: java.lang.ClassNotFoundException: com.es.uh.edu.EBPI.SECFORM.InitParamsMissingException
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1714)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1559)
    ... 21 more
Aug 14, 2013 3:39:34 PM org.apache.catalina.core.ContainerBase startInternal
SEVERE: A child container failed during start
java.util.concurrent.ExecutionException:
Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693
Hi,

I want to try to exploit tomcat vulnerability CVE-2009-2693. From site it says that the affected version are from 6.0.0 to 6.0.20. I could not find any of this on official apache tomcat website. I want to do some tests on that vulnerable versions.

Could you please guide me from where I can download the tomcat version which is vulnerable to CVE-2009-2693 (Arbitrary file deletion and/or alteration on deploy)? Please note that I use ubuntu 12.0.4.

Basically this is how I plan to exploit that vulnerability:

1) I insert code to create a directory in user's home directory in one of the java class of my web application.
2) I deploy the war file to tomcat's web-apps dir.
3) I start the tomcat with security manager and it should then create a directory in user's home directory.

I would really appreciate your help regarding this.

Thanks.
Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693
On 09/25/2012 03:42 PM, Mark Thomas wrote:
> On 25/09/2012 12:15, Ragini wrote:
>> Hi, I want to try to exploit tomcat vulnerability CVE-2009-2693. From site it says that the affected version are from 6.0.0 to 6.0.20. I could not find any of this on official apache tomcat website. I want to do some tests on that vulnerable versions.
>
> Hmm. I find it hard to believe you couldn't find the Tomcat 6 download pages [1]. (Although judging by the level of competence your e-mails to this list to date have demonstrated, I suppose that is a possibility).
>
> The very first section on that page contains the text: This page provides download links for obtaining the latest version of Tomcat 6.0.x, as well as links to the archives of older releases.
>
> Did you read that section? Did you not understand that since you want an old release you need to look in the archives? The following section contains a link [2] to the archives. From that point it should be obvious.
>
>> Could you please guide me from where I can download the tomcat version which is vulnerable to CVE-2009-2693 (Arbitrary file deletion and/or alteration on deploy)? Please note that I use ubuntu 12.0.4.
>
> I'd suggest you use [3].

Is there a particular reason to use 6.0.20 only ?

>> Basically this is how I plan to exploit that vulnerability: 1) I insert code to create a directory in user's home directory in one of the java class of my web application. 2) I deploy the war file to tomcat's web-apps dir. 3) I start the tomcat with security manager and it should then create a directory in user's home directory.
>
> That would be a complete waste of time. You'll be testing the security manager rather than anything to do with CVE-2009-2693. Either you have failed to read the description of CVE-2009-2693 [4] or you have failed to comprehend it.

Maybe I have failed to understand it. Could you please explain it and give me an idea about how can I exploit it actually ?

> You need to ask yourself whether you have the necessary skills and understanding to carry out the research you claim you want to perform.

Well I asked and realized that I should not yet give up ! :-)

> Mark
>
> [1] http://tomcat.apache.org/download-60.cgi
> [2] http://archive.apache.org/dist/tomcat/tomcat-6
> [3] http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
> [4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
Vulnerability or a valid behavior of tomcat ?
Hi all,

I wanted to exploit tomcat vulnerability CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy*. You can have a look on it here. (http://tomcat.apache.org/security-6.html) Here they say the affected versions are Affects: 6.0.0-6.0.20. I wanted to give it a try.

So I downloaded a web application insecure (insecure web application from OWASP). This application has some jsp files and some java files. So in one of the java file (DatasourceConnectionprovider.java), I added following code which deletes file named file1.txt from home directory. Please note that I use ubuntu and I created file1.txt in home directory. The code looks like below:

    import java.io.File;  // at the top of DatasourceConnectionprovider.java

    public void deletefile() {
        try {
            // this deletes file1.txt from home dir
            File file = new File("../../file1.txt");
            if (file.delete()) {
                System.out.println(file.getName() + " is deleted!");
            } else {
                System.out.println("Delete operation is failed.");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

I compiled the file (DatasourceConnectionprovider.java) and I replaced the default DatasourceConnectionprovider.class with the changed DatasourceConnectionprovider.class. So in short I deploy a war file in tomcat which deletes the file1.txt from home directory.

I tried this with both tomcat 6.0.35 and tomcat7.0.28 and it actually deleted the file1.txt from home directory. So I guess I have succeeded to exploit the said CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy* vulnerability.

So my question is:

1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I could do this with tomcat 7.0.28 also. I checked for tomcat 7 vulnerability and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on org.apache site.

a) the way I have tried to exploit that vulnerability is correct ? or is it something which can be considered normal behaviour ? (attempting to try to delete file from home dir or from web root dir while deploying war file)

b) Is this vulnerability still exist in tomcat 7.0.28 ? I think so because I could delete file from home dir with tomcat 7.0.28 version also. but I am not sure.

Should this be reported to security team of tomcat ?

Ultimately I want to make sure that I have succeeded to exploit vulnerability of tomcat. This is part of my research and no intention to harm others. :-)

Thanks
Richa
Re: Vulnerability or a valid behavior of tomcat ?
On 09/21/2012 12:46 PM, Mark Thomas wrote:
> On 21/09/2012 11:23, Ragini wrote:
>> I tried this with both tomcat 6.0.35 and tomcat7.0.28 and it actually deleted the file1.txt from home directory. So I guess I have succeeded to exploit the said CVE-2009-2693 named *Arbitrary file deletion and/or alteration on deploy* vulnerability.
>
> You guess wrong.
>
>> So my question is: 1) They say that the affected versions are tomcat 6.0.0-6.0.20. But I could do this with tomcat 7.0.28 also. I checked for tomcat 7 vulnerability and I could not find this (*Arbitrary file deletion and/or alteration on deploy*) in the list on org.apache site.
>
> That is because Tomcat 7 is not vulnerable to that vulnerability.
>
>> a) the way I have tried to exploit that vulnerability is correct ?
>
> No, it is not correct.
>
>> or is it something which can be considered normal behaviour ?
>
> Yes, the behaviour you observe is normal, expected behaviour.
>
>> (attempting to try to delete file from home dir or from web root dir while deploying war file)
>
> That isn't what you are doing.
>
>> b) Is this vulnerability still exist in tomcat 7.0.28 ?
>
> No.
>
>> I think so because I could delete file from home dir with tomcat 7.0.28 version also.
>
> Your thinking is incorrect.
>
>> but I am not sure. Should this be reported to security team of tomcat ?
>
> No. Please don't waste our time.
>
> Further, potential security vulnerabilities should not be discussed on a public mailing list. They should be reported privately to the security team. Fortunately no harm was done in this case since your supposed vulnerability was nothing of the sort. As someone claiming to be a security researcher you should be aware of that. That makes one question your claim to be a security researcher.
>
>> Ultimately I want to make sure that I have succeeded to exploit vulnerability of tomcat. This is part of my research and no intention to harm others. :-)
>
> You need to re-read the description of CVE-2009-2693 on the Tomcat web site [1] and then try and exploit that rather than simply deleting a file.
>
> Unless you run under a security manager, a JSP is able to delete any file the user Tomcat is running under is able to delete.
>
> The fact that you do not understand the above adds further doubt to your claim to be a security researcher. Your previous message to this list (a security researcher who has not heard of Metasploit?) also casts serious doubt on your claims to be a security researcher.
>
> Mark
>
> [1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24

Thanks for pointing out about running tomcat under security manager. And as you have mentioned about research multiple times let me be clear :-) . I am not expert in security research. I am doing my master thesis and this is a part of it so I said as part of my research work. Before this I have not worked with tomcat or any security related things. So as a beginner it is obvious not to know about metasploit or security manager of tomcat.. ;-) One does not need to be an expert at the thing before doing research about it. knowing and learning about it is also a part of research..

Regards.
Richa
Re: exploiting tomcat vulnerability with example
On 09/19/2012 07:55 PM, Pid * wrote:
> On 19 Sep 2012, at 13:20, Daniel Mikusa dmik...@vmware.com wrote:
>> On Sep 19, 2012, at 5:02 AM, Ragini wrote:
>>> Hi all, For my research work I want to have different attacking scenarios which exploits vulnerability of JAVA based applications. This java applications can be just any web-application, desktop application or any other. For this, I was thinking to exploit vulnerabilities of tomcat itself (because it is in java). I went through different vulnerabilities of different versions of tomcat on apache tomcat's official site. They have provided information about what is the vulnerability and what is its consequences. But I am looking for some real time example by which I can exhibit the exploitation of tomcat’s vulnerability. The version of the tomcat can be just any. I would like to try vulnerabilities like authentication bypass, information disclosure or some other which really compromises the security.
>>
>> Try looking at Metasploit.
>
> +1
>
> p
>
>> Dan
>>
>>> Could anybody please suggest some source where I can get step by step information about exploiting tomcat’s vulnerability with example ? It would be nice if the example web application used for exploitation is also in java. I would really appreciate your any kind of help regarding this. Thanks. Richa.

Thanks Dan..Metasploit sounds really good...
exploiting tomcat vulnerability with example
Hi all,

For my research work I want to have different attacking scenarios which exploits vulnerability of JAVA based applications. This java applications can be just any web-application, desktop application or any other.

For this, I was thinking to exploit vulnerabilities of tomcat itself (because it is in java). I went through different vulnerabilities of different versions of tomcat on apache tomcat's official site. They have provided information about what is the vulnerability and what is its consequences. But I am looking for some real time example by which I can exhibit the exploitation of tomcat’s vulnerability. The version of the tomcat can be just any. I would like to try vulnerabilities like authentication bypass, information disclosure or some other which really compromises the security.

Could anybody please suggest some source where I can get step by step information about exploiting tomcat’s vulnerability with example ? It would be nice if the example web application used for exploitation is also in java.

I would really appreciate your any kind of help regarding this.

Thanks.
Richa.
Re: exploiting tomcat vulnerability with example
On 09/19/2012 01:49 PM, chris derham wrote:
> On Wed, Sep 19, 2012 at 10:02 AM, Ragini raginippa...@gmail.com wrote:
>> For my research work I want to have different attacking scenarios which exploits vulnerability of JAVA based applications. This java applications can be just any web-application, desktop application or any other. For this, I was thinking to exploit vulnerabilities of tomcat itself (because it is in java). I went through different vulnerabilities of different versions of tomcat on apache tomcat's official site. They have provided information about what is the vulnerability and what is its consequences. But I am looking for some real time example by which I can exhibit the exploitation of tomcat’s vulnerability. The version of the tomcat can be just any. I would like to try vulnerabilities like authentication bypass, information disclosure or some other which really compromises the security. Could anybody please suggest some source where I can get step by step information about exploiting tomcat’s vulnerability with example ? It would be nice if the example web application used for exploitation is also in java. I would really appreciate your any kind of help regarding this. Thanks. Richa.
>
> Have you tried webgoat?
>
> Chris

Yes Chris. I have already gone through webgoat..I am looking for some real world application exploitation. but of course it should be open source and in java...
org/eclipse/jdt/internal methods in tomcat 7 profiling
Hi all,

I am trying to profile tomcat 7 with java profiler. I start the tomcat, run web application (small) in browser and stop the server. When I stop the server, I get the output from the profiler. Please note that I am using ubuntu 12.04. I have put war file (chat.war) in webapps dir of tomcat.

My confusion is here: When I see the profiler output, I see some methods of org/eclipse/jdt/internal... classes. So where do this eclipse/jdt classes reside in tomcat ? What are they used for ? why each time they get executed when I run any web application ?

I am new to tomcat and will appreciate your any help in finding answers to this questions.

Thanks.
Ragini.
Starting tomcat with catalina.sh run -security
Hi all,

I am trying to run JSF-JAAS based sample application which is here. (http://www.ixtendo.com/secure-your-jsf-application-with-jaas/) I want to just use the application so just deployed jjwa.war file in web-apps directory of tomcat.

Profiling tomcat:- I use tomcat 7.0 version. I try to profile tomcat so have added some parameters to setenv.sh. So I start tomcat by ./startup.sh. In browser I access web application. perform some actions in it. then I stop the server by ./shutdown.sh. After this the profiler dumps the output. This is how profiling of tomcat works for me in general.

Now as I want to use this jjwa sample application I specified above, as the author has said I have added following thing to my catalina.policy file,

    grant codeBase "file:${catalina.home}/webapps/jjwa/-" {
        permission java.util.PropertyPermission "*", "read,write";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "modifyPublicCredentials";
        permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission javax.security.auth.AuthPermission "doAs";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission javax.security.auth.AuthPermission "getSubject";
        permission java.security.SecurityPermission "setPolicy";
        permission java.security.SecurityPermission "getPolicy";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "loadLibrary.*";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.net.SocketPermission "*:*", "accept,connect,resolve";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.io.FilePermission , read;
    };

I have set up my database also as said by the author.

Next the author asks to start the server by /catalina.sh run -security/. When I do that I get

    catalina.sh run -security
    catalina.sh: command not found.

but when I try to run it by sh talina.sh run -security, it throws some exception but server gets started and then I am able to access the application the author has said. I end the process (to stop the server) in terminal by pressing ctrl+c and it stops. But in this way I don't get any output from the profiler I use. which I actually need.

So my questions are as follow:

1) what does the/catalina.sh run -security/ or sh talina.sh run -security command exactly do ?
2) what difference it makes when I start tomcat by running catalina.sh or startup.sh ?
3) How should I actually start the tomcat to run the application with security ? and getting it profiles too ?

I am new to tomcat and don't understand a lot the script files of it. I would highly appreciate any help..

Thanks
Ragini
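An added example (not part of the original post, and not code from the Tomcat project or the jjwa author): a small Python audit that parses a policy file in standard `grant { permission ...; };` syntax and flags permissions that let a web application switch off or bypass the security manager it runs under. The sample policy is constructed; its first grant reuses a few permissions from the post above, while the `demo` grant, the rule list and all function names are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    code_base: Optional[str]   # None means the grant applies to all code
    permission: str
    target: str
    reason: str


# (permission class, regex on target name, regex on actions or None, reason).
# Illustrative rule list, not an exhaustive catalogue.
RULES = [
    ("java.security.AllPermission", r".*", None,
     "grants every permission; the security manager no longer restricts this code"),
    ("java.security.SecurityPermission", r"setPolicy", None,
     "code can install its own Policy and grant itself any permission"),
    ("java.lang.RuntimePermission", r"setSecurityManager", None,
     "code can replace or remove the security manager"),
    ("java.lang.RuntimePermission", r"createClassLoader", None,
     "code can define classes in a ProtectionDomain of its choosing"),
    ("java.lang.RuntimePermission", r"accessClassInPackage\.\*", None,
     "opens restricted JVM-internal packages to the webapp"),
    ("java.lang.RuntimePermission", r"loadLibrary\.\*", None,
     "native libraries run outside the Java sandbox"),
    ("java.lang.reflect.ReflectPermission", r"suppressAccessChecks", None,
     "reflection can read and modify private fields and methods"),
    ("java.io.FilePermission", r"<<ALL FILES>>", r"\b(write|delete)\b",
     "webapp may modify or delete any file the Tomcat OS user can"),
]

# Quoted strings are matched first so that '//' inside "file://..." survives.
_STRING_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# Quoted strings are consumed whole, so the braces of ${catalina.home}
# inside a codeBase or target are not mistaken for block delimiters.
_GRANT = re.compile(
    r'\bgrant\b(?P<head>(?:[^{"]|"[^"]*")*)\{(?P<body>(?:[^}"]|"[^"]*")*)\}\s*;')
_CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
_PERMISSION = re.compile(
    r'\bpermission\s+(?P<cls>[\w.$]+)'
    r'(?:\s+"(?P<name>[^"]*)")?(?:\s*,\s*"(?P<actions>[^"]*)")?')


def strip_comments(text: str) -> str:
    """Blank out // and /* */ comments while leaving quoted strings intact."""
    return _STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def audit_policy(text: str) -> List[Finding]:
    """Return one Finding per permission entry that matches a rule."""
    findings = []
    for grant in _GRANT.finditer(strip_comments(text)):
        cb = _CODEBASE.search(grant.group("head"))
        code_base = cb.group(1) if cb else None
        for perm in _PERMISSION.finditer(grant.group("body")):
            cls = perm.group("cls")
            name = perm.group("name") or ""
            actions = perm.group("actions") or ""
            for rule_cls, name_re, actions_re, reason in RULES:
                if cls != rule_cls or not re.fullmatch(name_re, name):
                    continue
                if actions_re and not re.search(actions_re, actions):
                    continue
                findings.append(Finding(code_base, cls, name, reason))
                break
    return findings


# Constructed sample policy (not the poster's file).
SAMPLE_POLICY = """
// first grant: a subset of the permissions listed in the post
grant codeBase "file:${catalina.home}/webapps/jjwa/-" {
    permission java.util.PropertyPermission "*", "read,write";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "setPolicy";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "loadLibrary.*";
};
/* second grant: hypothetical application, constructed for this example */
grant codeBase "file:${catalina.home}/webapps/demo/-" {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
    permission java.io.FilePermission "${catalina.base}/webapps/demo/-", "read";
};
"""

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f.code_base}: {f.permission} \"{f.target}\" -> {f.reason}")
```
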
Re: Starting tomcat with catalina.sh run -security
Dear Darryl Lewis,

Thanks for your quick response..I corrected that silly mistake..As I told I am able to profile tomcat when I start and stop by (startup.sh and shutdown.sh). I tried to start it with security manager as following:

    ./startup.sh -security

it runs fine and also the application executes the way it should actually. But the problem is when I stop the server by ./shutdown.sh, I don't get output of the profiler which I normally get when I start it without security option (like ./startup.sh). Do you know how to start it with security option and profile it as well ?

I have added following things to setenv.sh to make tomcat profile.

    #!/bin/sh
    # ${TOMCAT_HOME} is a variable expansion; $(TOMCAT_HOME) would try to run a command
    export CATALINA_OPTS="-Djava.security.auth.login.config=${TOMCAT_HOME}/conf/jaas.config"
    # Append to the value set above instead of overwriting it
    export CATALINA_OPTS="$CATALINA_OPTS -javaagent:lib/jborat-agent.jar \
    -Dch.usi.dag.jborat.exclusionList=conf/exclusion.lst \
    -Dch.usi.dag.jborat.liblist=conf/lib.lst \
    -Dch.usi.dag.jp2.outputFilePrefix=tomcat_output \
    -Dch.usi.dag.jborat.instrumentation=ch.usi.dag.jp2.instrument.AddInstrumentation \
    -Dch.usi.dag.jp2.dumpers=ch.usi.dag.jp2.dump.xml.XmlDumper \
    -Dch.usi.dag.jborat.codemergerList=conf/codemerger.lst \
    -Xbootclasspath/p:./lib/Thread_JP2.jar:lib/jborat-runtime.jar:lib/jp2-runtime.jar"

Any idea ?
Ragini

> catalina.sh run -security
> Basically runs tomcat with the Security Manager. I think the talina.sh command is missing the ca in front of it :-). If not paste the script here, as it might be custom.
>
> On 31/08/12 8:18 PM, Ragini raginippa...@gmail.com wrote:
>> Hi all, I am trying to run JSF-JAAS based sample application which is here. (http://www.ixtendo.com/secure-your-jsf-application-with-jaas/) I want to just use the application so just deployed jjwa.war file in web-apps directory of tomcat.
>>
>> Profiling tomcat:- I use tomcat 7.0 version. I try to profile tomcat so have added some parameters to setenv.sh. So I start tomcat by ./startup.sh. In browser I access web application. perform some actions in it. then I stop the server by ./shutdown.sh. After this the profiler dumps the output. This is how profiling of tomcat works for me in general.
>>
>> Now as I want to use this jjwa sample application I specified above, as the author has said I have added following thing to my catalina.policy file,
>>
>>     grant codeBase "file:${catalina.home}/webapps/jjwa/-" {
>>         permission java.util.PropertyPermission "*", "read,write";
>>         permission javax.security.auth.AuthPermission "modifyPrincipals";
>>         permission javax.security.auth.AuthPermission "modifyPublicCredentials";
>>         permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
>>         permission javax.security.auth.AuthPermission "createLoginContext.*";
>>         permission javax.security.auth.AuthPermission "doAs";
>>         permission javax.security.auth.AuthPermission "doAsPrivileged";
>>         permission javax.security.auth.AuthPermission "getSubject";
>>         permission java.security.SecurityPermission "setPolicy";
>>         permission java.security.SecurityPermission "getPolicy";
>>         permission java.lang.RuntimePermission "accessClassInPackage.*";
>>         permission java.lang.RuntimePermission "getProtectionDomain";
>>         permission java.lang.RuntimePermission "loadLibrary.*";
>>         permission java.lang.RuntimePermission "modifyThread";
>>         permission java.lang.RuntimePermission "createClassLoader";
>>         permission java.lang.RuntimePermission "accessDeclaredMembers";
>>         permission java.net.SocketPermission "*:*", "accept,connect,resolve";
>>         permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>         permission java.lang.RuntimePermission "setContextClassLoader";
>>         permission java.lang.RuntimePermission "getClassLoader";
>>         permission java.io.FilePermission , read;
>>     };
>>
>> I have set up my database also as said by the author.
>>
>> Next the author asks to start the server by /catalina.sh run -security/. When I do that I get catalina.sh run -security catalina.sh: command not found. but when I try to run it by sh talina.sh run -security, it throws some exception but server gets started and then I am able to access the application the author has said. I end the process (to stop the server) in terminal by pressing ctrl+c and it stops. But in this way I don't get any output from the profiler I use. which I actually need.
>>
>> So my questions are as follow: 1) what does the/catalina.sh run -security/ or sh talina.sh run -security command exactly do ? 2) what difference it makes when I start tomcat by running catalina.sh or startup.sh ? 3) How should I actually start the tomcat to run the application with security ? and getting it profiles too ?
>>
>> I am new to tomcat and don't understand a lot the script files of it. I would highly appreciate any help.. Thanks Ragini
difficulty in running acegisample.war file in tomcat
Hi all,

I am trying to run the acegisample.war file from Tomcat. I have followed all the instructions to run it from here (http://www.ibm.com/developerworks/java/library/j-acegi1/#section6.2). When I try to run the file via (http://localhost:8080/acegisample/), it gives me HTTP status 404. The catalina.log file has some exceptions. Please find the same attached herewith. Please note that I am able to run other war files. Could anyone please tell me what's going wrong while deploying the acegisample.war file?

Thank you.
Ragini.

Aug 20, 2012 12:07:39 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/jdk1.6.0_33/jre/lib/i386/server:/usr/lib/jvm/jdk1.6.0_33/jre/lib/i386:/usr/lib/jvm/jdk1.6.0_33/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
Aug 20, 2012 12:07:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-bio-8080]
Aug 20, 2012 12:07:39 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-bio-8009]
Aug 20, 2012 12:07:39 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 945 ms
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.28
Aug 20, 2012 12:07:39 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor /home/ragini/apache-tomcat-7.0.28_Profiling/conf/Catalina/localhost/predict.xml
Aug 20, 2012 12:07:39 PM org.apache.catalina.startup.HostConfig deployDescriptor
WARNING: A docBase /home/ragini/apache-tomcat-7.0.28_Profiling/webapps/home/ragini/Application/predictions inside the host appBase has been specified, and will be ignored
Aug 20, 2012 12:07:39 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Context/Realm} Setting property 'debug' to '99' did not find a matching property.
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardContext resourcesStart
SEVERE: Error starting static Resources
java.lang.IllegalArgumentException: Document base /home/ragini/apache-tomcat-7.0.28_Profiling/webapps/predict does not exist or is not a readable directory
    at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:140)
    at org.apache.catalina.core.StandardContext.resourcesStart(StandardContext.java:4905)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5085)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:650)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1582)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
    at java.util.concurrent.FutureTask.run(FutureTask.java:138)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:679)
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error in resourceStart()
Aug 20, 2012 12:07:40 PM org.apache.catalina.core.StandardContext startInternal
SEVERE: Error getConfigured
Aug 20, 2012 12:07:40 PM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/predict] startup failed due to previous errors
Aug 20, 2012 12:07:40 PM org.apache.catalina.deploy.NamingResources cleanUp
WARNING: Failed to retrieve JNDI naming context for container [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/predict]] so no cleanup was performed for that container
javax.naming.NameNotFoundException: Name [comp/env] is not bound in this Context. Unable to find [comp].
    at org.apache.naming.NamingContext.lookup(NamingContext.java:820)
    at org.apache.naming.NamingContext.lookup(NamingContext.java:168)
    at org.apache.catalina.deploy.NamingResources.cleanUp(NamingResources.java:988)
    at org.apache.catalina.deploy.NamingResources.stopInternal(NamingResources.java:970)
    at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
    at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5494
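An added example, not part of the original message or of Tomcat: a small Python triage over the catalina log format quoted in the message above, listing the contexts whose startup failed and the exception line attached to each SEVERE record. The function names are this example's own, and the sample is abbreviated from that log.

```python
import re

# A java.util.logging record as Tomcat 7 writes it: a header line
# "<timestamp> <logger class> <method>", then "LEVEL: message", then any stack trace.
HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M "
                    r"(?P<cls>[\w.$]+) (?P<method>\S+)$")
LEVEL = re.compile(r"^(?P<level>SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): (?P<msg>.*)$")
FAILED_CTX = re.compile(r"Context \[([^\]]*)\] startup failed")

# Abbreviated from the log in the message above.
SAMPLE = """\
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.28
Aug 20, 2012 12:07:39 PM org.apache.catalina.core.StandardContext resourcesStart
SEVERE: Error starting static Resources
java.lang.IllegalArgumentException: Document base /home/ragini/apache-tomcat-7.0.28_Profiling/webapps/predict does not exist or is not a readable directory
    at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:140)
Aug 20, 2012 12:07:40 PM org.apache.catalina.core.StandardContext startInternal
SEVERE: Context [/predict] startup failed due to previous errors
"""


def parse_records(text):
    """Group lines into records: cls, method, level, msg, extra (trace lines)."""
    records, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = dict(header.groupdict(), level=None, msg="", extra=[])
            records.append(current)
        elif current is None or not line.strip():
            continue  # prose before the first record, or a blank line
        elif current["level"] is None and LEVEL.match(line):
            current.update(LEVEL.match(line).groupdict())
        else:
            current["extra"].append(line.strip())
    return records


def triage(text):
    """Summarise SEVERE records: count, contexts that failed to start, exceptions."""
    severe = [r for r in parse_records(text) if r["level"] == "SEVERE"]
    failed = sorted({m.group(1) for r in severe if (m := FAILED_CTX.search(r["msg"]))})
    exceptions = [r["extra"][0] for r in severe
                  if r["extra"] and not r["extra"][0].startswith("at ")]
    return {"severe": len(severe), "failed_contexts": failed, "exceptions": exceptions}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
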
Fwd: required web applications which run on tomcat
Hi all,

I am looking for some web applications which run on Tomcat. I need them to do some experiments for my research. I would like to do some attacks, try to do some malicious behavior etc. Absolutely with no intention to harm people! Just for my research work. Could somebody please mail me any application with source code which is easy to deploy and not so big in size? That would be a great help.

Thanks.
Re: Profiling tomcat with java profiler
On 08/09/2012 08:43 PM, Christopher Schultz wrote:

Ragini,

On 8/9/12 5:51 AM, Ragini wrote:

What my profiler profiles: It gives me an xml file containing a list of methods in the proper sequence in which they were executed while running the server.

*My question:* I do the above 3 steps 2 times in exactly the same manner. So I have two output files, say file1 and file2. I expected these files to be exactly the same because I start the server, access the same application and stop the server. But it seems that both files differ. I don't understand why. Could you please tell me why they differ? Are not methods of Tomcat executed in exactly the same manner for the same action? Please find attached the two different files which I get (file1.xml) and (file2.xml). I have attached the differences also. I find these differences by parsing the files.

Instead of dropping two files on the list, why don't you tell us what the differences are (in general). It's fine to provide the full data to us, but don't make us wade through it just to get our bearings.

-chris

Hi Chris,

Actually I could not understand the exact differences and why they exist. But in general it seems that the sequence of methods which starts from org/apache/catalina/startup/HostConfig$DeployWar; name=run, and org/hsqldb/store/HashIndex; name=getNextLookup differs in both the files. I have uploaded the differences file (abranchdifferences) also. So if you kindly have a look at a few of them, you might get some idea.

Thanks and Regards.
Ragini.