Hey thanks. Before I go through your recommendations with a fine tooth comb, do you think it will be the same amount of work trying to go straight to the latest Apache version?
I started thinking of this since you mentioned the vul.

Thanks,
David

On Tue, Jul 24, 2018 at 12:41 PM -0400, "Christopher Schultz" <ch...@christopherschultz.net> wrote:

David,

On 7/24/18 10:54 AM, David Babooram wrote:
> I will try to be as clear as possible. :)
>
> The files that were originally in
> /usr/local/tomcat/jakarta-tomcat-5.5.17/webapps/MYAPP/WEB-INF/lib
> were copied by default when I migrated the app to
> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/

Good, that's what you probably should have done.

> When I ran MYAPP I got the error from my previous email.
>
> I then mv all the files from
> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/MYAPP/WEB-INF/lib
> into a temp directory, in an attempt to make it use the global lib,
> but still the same error.

Hmm. I'd expect lots of problems when removing all required libraries from your application.

Did you copy the "work" directory from the Tomcat 5.5 installation? (I'm guessing not.)

> My next idea was to place the files from
> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/MYAPP/WEB-INF/lib
> into /usr/local/tomcat/apache-tomcat-6.0.53/lib, but with the new
> structure I am unsure what belongs where.

Definitely undo that... it's likely to break your Tomcat installation. You should basically never add anything other than maybe a JDBC driver to your CATALINA_BASE/lib directory. Definitely nothing application-specific.

I'd recommend removing all the files from CATALINA_BASE/lib and re-extracting the distro package you downloaded just to reset things back to the way they were.

> FYI: in my original /usr/local/tomcat/jakarta-tomcat-5.5.17/common
> I have the following directories
>
> classes endorsed i18n lib
>
> activation.jar antlr-2.7.2.jar

I think something got lost in the copy/paste.
If you had files in the "common" loader in Tomcat 5.5 then you might have a bit of work figuring out which files are required by the application and which are expected to be supplied by the container (Tomcat).

I'm going to attempt to group these files into 2 categories: things that ought to be in your web application's WEB-INF/lib directory and which files should be ignored (because Tomcat and/or the JVM should be supplying them).

Here goes:

1. Files supplied by the JVM and/or Tomcat (and should be ignored from your old installation):

> activation.jar (Modern JVMs supply this)
> el-api-2.2.1-b04.jar (Tomcat is required to supply the EL APIs)

2. Files that ought to be in WEB-INF/lib in your application:

> antlr-2.7.2.jar axis-ant.jar axis.jar bsf-2.3.0.jar
> commons-beanutils-1.8.0.jar commons-chain-1.2.jar
> commons-codec-1.3.jar commons-collections.jar
> commons-dbcp-1.2.1.jar commons-digester-1.8.jar
> commons-discovery-0.2.jar commons-fileupload-1.1.1.jar
> commons-io-1.1.jar commons-lang.jar commons-logging-1.0.4.jar
> commons-pool-1.2.jar commons-validator-1.3.1.jar edtftpj.jar
> ibatis-common-2.jar ibatis-dao-2.jar ibatis-sqlmap-2.jar
> invoice-generator.jar itext-1.3.jar iText-2.1.0.jar
> j2ssh-ant-0.2.9.jar j2ssh-common-0.2.9.jar j2ssh-core-0.2.9.jar
> j2ssh-daemon-0.2.9.jar jakarta-oro.jar jaxrpc.jar jsch-0.1.20.jar
> jstl-1.0.2.jar jstl-1.2.jar junit.jar log4j-1.2.11.jar mailapi.jar
> ojdbc14.jar oro-2.0.8.jar poi-2.5.1-final-20040804.jar quartz.jar
> saaj.jar smtp.jar standard-1.0.6.jar stringtemplate.jar
> struts-core-1.3.10.jar struts-el-1.3.10.jar
> struts-extras-1.3.10.jar struts-faces-1.3.10.jar
> struts-mailreader-dao-1.3.10.jar struts-scripting-1.3.10.jar
> struts-taglib-1.3.10.jar struts-tiles-1.3.10.jar wsdl4j-1.5.1.jar
> xmlrpc-2.0.jar

3. Wait, there is another category.
You appear to have some conflicts in your existing libraries:

> jstl-1.0.2.jar jstl-1.2.jar

and

> jakarta-oro.jar oro-2.0.8.jar

If those files have the same classes in each of them, you might be looking at some problems. Check the contents to see if they are distinct or if you have duplicate libraries.

4. Things you might want to look into.

> mailapi.jar

Is that javamail?

> smtp.jar

Is that *also* javamail?

> ojdbc14.jar

Is that the Oracle JDBC driver? If the container (Tomcat) is managing your connection-pool, then you'll want to put this file into CATALINA_BASE/lib and *nowhere else*.

> junit.jar

Are you sure you need the junit runtime in your running application? My guess is "no" and you might want to see if things still work if you remove this. But it can wait until later.

Finally (and I say this as a proud Apache Struts 1.x user) it's important that you understand that (a) Apache Struts 1.x has reached EOL and (b) there are unpatched, publicly-reported security vulnerabilities in the version you are using (1.3.10). You should really research those vulnerabilities and make sure that you have mitigated them all, or you risk exposing your users and servers to exploitation.

Hope that helps,
-chris

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, 23 July 2018 2:29 PM
> To: email@example.com
> Subject: [EXTERNAL] Re: Tomcat 5.5.17 migration to 6.0.53
>
> David,
>
> On 7/23/18 12:51 PM, David Babooram wrote:
>> Hello
>
>> I have begun a migration from 5.5 to 6. Yes I know 6 is EOL but
>> the migration from 5.5 to 6 has some more documentation compared
>> to 5.5 to the latest version.
>
>> I followed the standard migration of libs and classes from
>> /common /shared etc to the new /lib directory for 6.
>
>> The server engine runs and I can see the examples web pages come
>> up.
>
>> When I migrated my production webapps to the 6.0 instance however
>> I get the following error.
>
>> HTTP Status 500 - java.lang.LinkageError: loader constraint
>> violation: when resolving interface method
>> "javax.servlet.jsp.JspApplicationContext.getExpressionFactory()Ljavax/el/ExpressionFactory;"
>> the class loader (instance of org/apache/jasper/servlet/JasperLoader)
>> of the current class, org/apache/jsp/index_jsp, and the class
>> loader (instance of
>> org/apache/catalina/loader/StandardClassLoader) for resolved
>> class, javax/servlet/jsp/JspApplicationContext, have different
>> Class objects for the type javax/el/ExpressionFactory used in the
>> signature
>
>> Any insight on this is welcomed.
>
>> I notice that my app has its own lib directory, does this
>> mean that there is a conflict with the lib files from the base
>> directory?
>
> Possibly. What files do you have in your app's WEB-INF/lib
> directory?
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> ________________________________
>
> Notice of Confidentiality:
>
> The information contained in this communication is intended solely
> for the use of the individual or entity to whom it is addressed and
> others authorized to receive it. It may contain confidential or
> legally privileged information. If you are not the intended
> recipient you are hereby notified that any disclosure, copying,
> distribution or taking any action in reliance on the contents of
> this information is strictly prohibited and may be unlawful. If you
> have received this communication in error, please notify us
> immediately by responding to this email and then delete it from
> your system.
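Added example, not part of the original thread and not Tomcat code: one way to carry out the "check the contents" step for the suspected duplicate JARs, and to spot container-supplied API classes (such as the javax/el classes named in the LinkageError) bundled in WEB-INF/lib. The function names, the prefix list and the sample JAR contents are assumptions constructed for illustration; only the JAR file names come from the thread.

```python
import io
import zipfile
from collections import defaultdict

# Packages the servlet container supplies; a copy in WEB-INF/lib gives two
# class loaders their own Class objects for the same type (assumed list).
CONTAINER_PREFIXES = ("javax/el/", "javax/servlet/")


def class_index(jars):
    """Map each .class entry to the sorted list of JAR names containing it."""
    index = defaultdict(set)
    for name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    index[entry].add(name)
    return {cls: sorted(names) for cls, names in index.items()}


def audit(jars):
    """Return (duplicates, container_hits) for a {jar_name: bytes} mapping."""
    index = class_index(jars)
    duplicates = {c: j for c, j in index.items() if len(j) > 1}
    container_hits = defaultdict(list)
    for cls, names in index.items():
        if cls.startswith(CONTAINER_PREFIXES):
            for jar in names:
                container_hits[jar].append(cls)
    return duplicates, {j: sorted(c) for j, c in container_hits.items()}


def make_jar(entries):
    """Build a constructed in-memory JAR holding empty placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


# Constructed sample: JAR names are from the thread, contents are invented.
SAMPLE = {
    "jakarta-oro.jar": make_jar(["org/apache/oro/text/regex/Perl5Matcher.class"]),
    "oro-2.0.8.jar": make_jar(["org/apache/oro/text/regex/Perl5Matcher.class",
                               "META-INF/MANIFEST.MF"]),
    "el-api-2.2.1-b04.jar": make_jar(["javax/el/ExpressionFactory.class"]),
    "commons-io-1.1.jar": make_jar(["org/apache/commons/io/IOUtils.class"]),
}

if __name__ == "__main__":
    dups, hits = audit(SAMPLE)
    for cls, names in sorted(dups.items()):
        print("duplicate:", cls, "in", ", ".join(names))
    for jar, classes in sorted(hits.items()):
        print("container API in webapp lib:", jar, classes)
```

To audit a real application, pass `{p.name: p.read_bytes() for p in pathlib.Path("WEB-INF/lib").glob("*.jar")}` to `audit`.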