Re: Tomcat 8.5.51 fails
Thank you for your links. Now I fully understand what change I should make to server.xml.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:17, Olaf Kock wrote:
> On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>
>> The setting is the same as mine.
>>
>> I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no problem.
>>
>> Please notice, I have been using Tomcat for 5 years with updates.
>> Why this time?
>
> Because this time, security relevant defaults changed: See these recent commits on the git mirror:
>
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 8.5.51 fails
Thank you for your kind response to my mail. I read the changelog. I might understand the contents.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:26, Olaf Kock wrote:
> On 13.02.20 11:17, Olaf Kock wrote:
>> On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
>>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>
>>> The setting is the same as mine.
>>>
>>> I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no problem.
>>>
>>> Please notice, I have been using Tomcat for 5 years with updates.
>>> Why this time?
>>
>> Because this time, security relevant defaults changed: See these recent commits on the git mirror:
>>
>> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>>
>> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> Or, even better digestible (I hit 'send' too early):
>
> Mark's announcement of the availability contained:
>
>> - AJP defaults changed to listen the loopback address, require a secret and to be disabled in the sample server.xml
>
> And the changelog on http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51 contains this information on AJP:
>
>  * Update: Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt)
>  * Update: Change the default bind address for the AJP/1.3 connector to be the loopback address. (markt)
>  * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector to |secret| and add a new attribute |secretRequired| that defaults to |true|. When |secretRequired| is |true| the AJP/1.3 Connector will not start unless the |secret| attribute is configured to a non-null, non-zero length String. (markt)
>  * Add: Add a new attribute, |allowedRequestAttributesPattern| to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)
>
> There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31 available" thread on this changed default that might give you some background.
>
> I hope, this helps,
> Olaf
Re: Tomcat 8.5.51 fails
Dear André Warnier,

Thank you for the follow-up. I now understand what change I should make in server.xml.

Thank you for your kind response and the Tomcat Users List's conversation.

Yours truly,
Kazuhiko Kohmoto

PS. Sorry for not responding to you quickly; it was night in Japan. Thank you.

On 2020/02/13 20:21, André Warnier (tomcat/perl) wrote:
> In any case, it seems that for now, you will have to modify the AJP Connector configuration in server.xml, to make it work with 8.5.51 and above, and add an explicit
Re: Tomcat 8.5.51 fails
On 13.02.2020 10:36, kohm...@iris.eonet.ne.jp wrote:
> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>
> The setting is the same as mine.
>
> I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no problem.
>
> Please notice, I have been using Tomcat for 5 years with updates.
> Why this time?

Yes, you are right, and I am sorry for my previous short answer. (I thought that you were a "newbie" installing tomcat 8.5 for the first time, and that you had just not configured the Connector correctly.)

But Remy's answer, and the other thread "Re: [ANN] Apache Tomcat 9.0.31 available" seem to indicate that this was due to a *change* in behaviour between 8.5.50 and 8.5.51.

In any case, it seems that for now, you will have to modify the AJP Connector configuration in server.xml, to make it work with 8.5.51 and above, and add an explicit secretRequired="false" attribute. And maybe also an explicit listening address..

It looks like these changes are documented here : http://tomcat.apache.org/tomcat-8.5-doc/changelog.html
--> Coyote

Update: Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt)
Update: Change the default bind address for the AJP/1.3 connector to be the loopback address. (markt)
Add: Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt)

I think that the first change above is ok, because it only affects the distribution of newly-downloaded server.xml files. But the other two also impact existing installations just being updated, and in a way that is not very clearly indicated in the on-line documentation. That looks a bit more iffy..
Re: Tomcat 8.5.51 fails
On 13.02.20 11:17, Olaf Kock wrote:
> On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>
>>>
>> The setting is the same as mine.
>>
>> I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no
>> problem.
>>
>> Please notice, I have been using Tomcat for 5 years with updates.
>> Why this time?
>
> Because this time, security relevant defaults changed: See these recent
> commits on the git mirror:
>
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262

Or, even better digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

> - AJP defaults changed to listen the loopback address, require a secret and to be disabled in the sample server.xml

And the changelog on http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51 contains this information on AJP:

 * Update: Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt)
 * Update: Change the default bind address for the AJP/1.3 connector to be the loopback address. (markt)
 * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector to |secret| and add a new attribute |secretRequired| that defaults to |true|. When |secretRequired| is |true| the AJP/1.3 Connector will not start unless the |secret| attribute is configured to a non-null, non-zero length String. (markt)
 * Add: Add a new attribute, |allowedRequestAttributesPattern| to the AJP/1.3 Connector. Requests with unrecognised attributes will be blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31 available" thread on this changed default that might give you some background.

I hope, this helps,
Olaf
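
An added example, not part of the thread or of Tomcat's own code: a small Python audit that reads a server.xml and reports, for each AJP connector, the effect of the 8.5.51 defaults listed in the changelog above. The sample XML and the placeholder secret are constructed, and treating the old requiredSecret name as still supplying the secret is an assumption of this example.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one HTTP connector and three AJP connectors.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false" />
  <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" secret="PLACEHOLDER-SECRET" />
</Service></Server>"""


def audit_ajp(server_xml):
    """Return {port: [findings]} for every AJP connector, using the 8.5.51 defaults."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        if "ajp" not in a.get("protocol", "HTTP/1.1").lower():
            continue  # not an AJP connector
        findings = []
        # secretRequired defaults to true as of 8.5.51 (changelog quoted above).
        required = a.get("secretRequired", "true").strip().lower() == "true"
        # Assumption of this example: the old requiredSecret name still supplies the secret.
        secret = a.get("secret") or a.get("requiredSecret") or ""
        # With no address attribute the connector now binds to the loopback address.
        loopback = a.get("address", "127.0.0.1") in LOOPBACK
        if "requiredSecret" in a:
            findings.append("rename requiredSecret to secret")
        if required and not secret:
            findings.append("will not start: secretRequired is true but secret is empty")
        if not required and not secret:
            findings.append("accepts AJP requests without a secret")
            if not loopback:
                findings.append("reachable beyond loopback with no secret")
        report[a.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp(SAMPLE).items():
        print(port, findings or ["ok"])
```
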
Re: Tomcat 8.5.51 fails
On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>
>>
>
> The setting is the same as mine.
>
> I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no
> problem.
>
> Please notice, I have been using Tomcat for 5 years with updates.
> Why this time?

Because this time, security relevant defaults changed: See these recent commits on the git mirror:

https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262

https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262
Re: Tomcat 8.5.51 fails
On 2020/02/13 18:22, Rémy Maucherat wrote:
> need to adjust your server.xml to that

I think this time the problem seems not to be due to server.xml. The server.xml works well with 8.5.50.

Thank you.

Yours truly,
Kazuhiko Kohmoto
Re: Tomcat 8.5.51 fails
On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
> Check in the file (tomcat_dir)/conf/server.xml, the Connector :

The setting is the same as mine.

I have used the server.xml used in 8.5.50. In case of 8.5.50, I have no problem.

Please notice, I have been using Tomcat for 5 years with updates.
Why this time?

Thank you.

Yours truly,
Kazuhiko Kohmoto
Re: Tomcat 8.5.51 fails
On 13.02.2020 10:13, kohmoto wrote:
> Hi,
>
> I have installed Tomcat 8.5.51 today and found something wrong.
>
> I have been using tomcat for the last 5 years and never met this kind of problem.
>
> It would be appreciated if I could be advised.
>
> Thank you.
>
> System:
> CentOS 7.7.1908
> httpd 2.4.41 (community version)
> httpd.conf: (LoadModule proxy_ajp_module lib64/httpd/modules/mod_proxy_ajp.so)
> httpd-proxy.conf:
> ProxyPass ajp://localhost:8009/manager/
> tomcat 8.5.*
>
> error log---
> 13-Feb-2020 17:13:12.523 重大 [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
>  org.apache.catalina.LifecycleException: プロトコルハンドラの起動に失敗しました ( 'fail to start protocolhandler' in English )
>   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>   at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.base/java.lang.reflect.Method.invoke(Method.java:567)
>   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>  Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>   at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>   at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>   ... 12 more

Hi.

The log message above :

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

seems pretty clear.

Check in the file (tomcat_dir)/conf/server.xml, the Connector :

and the associated on-line documentation :
http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html
search for "secretRequired".
Re: Tomcat 8.5.51 fails
On Thu, Feb 13, 2020 at 10:13 AM kohmoto wrote:

> Hi,
>
> I have installed Tomcat 8.5.51 today and found something wrong.
>
> I have been using tomcat for the last 5 years and never met this
> kind of problem.
>
> It would be appreciated if I could be advised.
>

Ok, so ...

> Caused by: java.lang.IllegalArgumentException: The
> AJP Connector is configured with secretRequired="true" but
> the secret attribute is either null or "". This combination
> is not valid.
>

The error message gives the explanation. The AJP defaults changed so you need to adjust your server.xml to that.

Rémy
Tomcat 8.5.51 fails
Hi,

I have installed Tomcat 8.5.51 today and found something wrong.

I have been using tomcat for the last 5 years and never met this kind of problem.

It would be appreciated if I could be advised.

Thank you.

System:
CentOS 7.7.1908
httpd 2.4.41 (community version)
httpd.conf: (LoadModule proxy_ajp_module lib64/httpd/modules/mod_proxy_ajp.so)
httpd-proxy.conf:
ProxyPass ajp://localhost:8009/manager/
tomcat 8.5.*

error log---
13-Feb-2020 17:13:12.523 重大 [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
 org.apache.catalina.LifecycleException: プロトコルハンドラの起動に失敗しました ( 'fail to start protocolhandler' in English )
  at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
  at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
  at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.base/java.lang.reflect.Method.invoke(Method.java:567)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
 Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
  at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
  at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
  ... 12 more

Yours truly,
Kazuhiko Kohmoto