RE: Tomcat SecurityListener [EXTERNAL]

2020-10-13 Thread Beard, Shawn
No they are not user provided files. There is an application running in tomcat 
that does some batch processing and it generates files to be published to other 
systems. However we are migrating from WebSphere to Tomcat and they need to see 
the files for now to make sure the content of the file is correct.



Shawn Beard
Sr. Systems Engineer | BTS
Middleware Engineering | +1-515-564-2528 | sbe...@wrberkley.com

-Original Message-
From: Mark Eggers 
Sent: Monday, October 12, 2020 3:35 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat SecurityListener [EXTERNAL]

Shawn,

On 10/12/2020 12:59 PM, Beard, Shawn wrote:
> Tomcat 9.0.31.0 loads a org.apache.catalina.security.SecurityListener by 
> default in the catalina.sh file.
>
> This SecurityListener also sets the UMASK of files to 0027. This has
> the effect that any file Tomcat creates, or the app running in Tomcat
> creates, has permissions of -rw-r-----
>
> This is causing a problem for us as it prevents certain people from being 
> able to read log files or read any file the application might create. Putting 
> these users in the group of the user that tomcat runs as is not an option.
>
> I’ve tried changing the catalina.sh to set the UMASK to something like 0022 
> but that prevents Tomcat from starting with an error that it has to be at 
> least as restrictive as 0027.
>
> I’ve also tried setting the UMASK to 0022 in the setenv.sh with same results.
>
> I’m hesitant to comment out the loading of the security listener in 
> catalina.sh as I don’t want to disable anything else important that it may be 
> doing from a security standpoint.
>
> Does anyone have any ideas as to a workaround?
> ​
>
> Shawn Beard ‑ Sr. Systems Engineer
> Middleware Engineering
> 3840 109th Street, Urbandale, IA 50322
> Phone: +1-515-564-2528
> Email: sbe...@wrberkley.com
> Website: https://berkleytechnologyservices.com/
>
> CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
> private, privileged and confidential information belonging to the sender. The 
> information therein is solely for the use of the addressee. If your receipt 
> of this transmission has occurred as the result of an error, please 
> immediately notify us so we can arrange for the return of the documents. In 
> such circumstances, you are advised that you may not disclose, copy, 
> distribute or take any other action in reliance on the information 
> transmitted.
>

I don't know what your security or audit requirements are. These are some 
options off the top of my head.

1. Service account for the user that runs Tomcat
You don't run Tomcat as root, correct?

You could then have a list of authorized sudoers, use two factor authentication 
(maybe for both the users and the service account), and audit both the service 
account and the sudoers accounts.

Prevent the service account from being accessed directly.

2. Remote logging
This would take care of needing to access log files on the server, but it would 
not allow anyone to audit application-created files.

Speaking of application-created files, I hope that these are not user-provided 
files that are then directly accessible. Without careful auditing, that can 
lead to some pretty serious security breaches.

. . . just my two cents.
/mde/
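As an added illustration for the umask question in this thread (this is not code from the thread and not Tomcat's own code): Tomcat's SecurityListener documents a minimumUmask attribute, default 0007, and rejects the JVM's umask (passed in by catalina.sh as the org.apache.catalina.security.SecurityListener.UMASK system property) unless every bit set in the minimum is also set in the actual umask. The Python below reproduces that bit rule, shows the file mode each candidate umask produces, and creates a file under 0027 to confirm the -rw-r----- result. The candidate values and the temporary file name are constructed for the example; the 0007 default is assumed unchanged in server.xml.

```python
import os
import stat
import tempfile

# Documented default of SecurityListener's minimumUmask attribute.
# Assumption for this example: it has not been overridden in server.xml.
TOMCAT_DEFAULT_MINIMUM_UMASK = 0o007


def umask_satisfies(actual_umask: int, minimum_umask: int) -> bool:
    """The listener's rule: every bit of the minimum must be set in the actual umask.

    umask bits *remove* permissions, so a umask is "at least as restrictive" as the
    minimum exactly when it clears everything the minimum clears. 0022 lacks the
    "other" bits (007) and fails; 0027 and 0077 contain them and pass.
    """
    return (actual_umask & minimum_umask) == minimum_umask


def mode_under_umask(umask: int, requested_mode: int = 0o666) -> int:
    """Mode a new regular file ends up with: the creator's requested mode minus the umask bits."""
    return requested_mode & ~umask & 0o777


def describe(umask: int) -> str:
    """One-line summary, e.g. '0027 -> -rw-r----- (allowed)'."""
    verdict = "allowed" if umask_satisfies(umask, TOMCAT_DEFAULT_MINIMUM_UMASK) else "rejected"
    return f"{umask:04o} -> {stat.filemode(stat.S_IFREG | mode_under_umask(umask))} ({verdict})"


def created_mode_under_umask(umask: int) -> int:
    """Create a file the way a process running with `umask` would and return its real mode bits.

    The file is created in a throwaway directory (constructed for the example) and the
    previous umask is restored afterwards so the rest of the process is unaffected.
    """
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "app-output.txt")
        previous = os.umask(umask)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
            os.close(fd)
        finally:
            os.umask(previous)
        return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for candidate in (0o022, 0o027, 0o077):
        print(describe(candidate))
    print(f"file created under 0027: {created_mode_under_umask(0o027):04o}")
```

Two practical notes that follow from the rule rather than from the thread: the minimum itself is configurable on the listener element in server.xml (minimumUmask="0022" would let the 0022 umask start), but that exposes every application-created file to all local users; if the real requirement is read access for a few named accounts, a POSIX ACL on the output directory (setfacl on Linux, including a default ACL so new files inherit it) grants exactly those users read without relaxing the umask or adding them to the service account's group.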


FW: HTTP2: memory filled up fast on increasing the connections to 1000/2000 (Embedded tomcat 9.0.38)

2020-10-13 Thread Arshiya Shariff
Hi ,

Please find the answers in-line Mark.

Http2 requests with a message payload of 34KB are pumped from JMeter at 20 TPS 
with 700 connections to an application with Embedded tomcat - 9.0.39 
(max-Threads : 200, all other values are the tomcat defaults)

> What does that URL do with the POSTed content? Ignore it? Read it from an 
> InputStream? Read it via getParameter()?
The posted content is read via BufferedReader reader = request.getReader() and 
processed asynchronously.

> Is JMeter run on the same machine as Tomcat?
JMeter is run from a different machine.

> Do you use the JMeter GUI or the command line?
Launched via command line (JMeter heap increased to 10 GB)

> What are the specs of the server(s) being used?
The server is a VM with 12 CPUs and 120 GB RAM

Please let us know if you require more details.

Thanks and Regards
Arshiya Shariff
-Original Message-
From: Mark Thomas  
Sent: Monday, October 12, 2020 7:28 PM
To: users@tomcat.apache.org
Subject: Re: HTTP2: memory filled up fast on increasing the connections to 
1000/2000 (Embedded tomcat 9.0.38)

On 12/10/2020 08:02, Arshiya Shariff wrote:
> Hi Mark ,
> 
> The issue is reproduced with version 9.0.39 as well. Max threads in Tomcat is 
> 200.
> 
> Please find the case:
> Client:JMeter 5.2.1 (With http2 plugin)
> TPS: around 20
> No of users from JMeter : 700
> Message payload size: 6 KB to 34 KB
> Loop: Infinite
> We let the loop run infinitely and see the java.lang.StackOverflowError trace 
> printed multiple times in the log within few minutes of starting the test.

POSTing to what URL?

What does that URL do with the POSTed content? Ignore it? Read it from an 
InputStream? Read it via getParameter()?

Is JMeter run on the same machine as Tomcat?

Do you use the JMeter GUI or the command line?

What are the specs of the server(s) being used?

You need to provide the exact steps to recreate this issue on a clean install 
of Tomcat 9.0.39 as provided by the ASF.

Mark


> Please help us with this . What is the impact of StackOverflowError ?
> 
> Thanks and Regards
> Arshiya Shariff
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Friday, October 9, 2020 5:31 PM
> To: users@tomcat.apache.org
> Subject: Re: HTTP2: memory filled up fast on increasing the 
> connections to 1000/2000 (Embedded tomcat 9.0.38)
> 
> On 09/10/2020 12:32, Arshiya Shariff wrote:
>> Hi,
>>
>> Mark , with the test runs that I performed over clean 9.0.x branch I was not 
>> able to reproduce this.
> 
> Good. But I'd really like to understand why...
> 
>> But with 9.0.38 and the jars built from 9.0.x with hash: 
>> c8ec2d4cde3a31b0e9df9a30e7915d77ba725545  , with 700 or 1000 users 
>> (connections) and on sending 1000 Requests per second (or even lesser) , 
>> payload of 16K  from JMeter I can see that this Exception occurs within few 
>> minutes of starting the test . The maxThreads configured in tomcat is 200 .
>>
>> How often do you see these errors in your test run?
>> Randomly, at times 2 or 3 such traces.
> 
> OK. Definitely a timing issue then.
> 
>> Do you have the other end of that stack trace?
>> It is only the two lines that is recursively printed till the end about  
>> ~500 times in one trace  :
>> at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper$NioOperationState.run(NioEndpoint.java:1511)
>> at org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.completed(SocketWrapperBase.java:1100)
> 
> Doesn't tell me much unfortunately.
> 
>> I see the trace starting with :
>> Exception in thread "http-nio-x.y.z-1090-exec-107" 
>> java.lang.StackOverflowError 
>> at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:446)
>> at org.apache.tomcat.util.net.NioChannel.read(NioChannel.java:174)
>> at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper$NioOperationState.run(NioEndpoint.java:1468)
>> at org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.completed(SocketWrapperBase.java:1100)
>>
>>  (OR)
>>
>> Exception in thread "http-nio-x.y.z-1090-exec-87" 
>> java.lang.StackOverflowError
>> at sun.nio.ch.IOVecWrapper.get(IOVecWrapper.java:96)
>> at sun.nio.ch.IOUtil.read(IOUtil.java:240)
>> at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:440)
>> at org.apache.tomcat.util.net.NioChannel.read(NioChannel.java:174)
>> at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper$NioOperationState.run(NioEndpoint.java:1468)
>> at org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.completed(SocketWrapperBase.java:1100)
>> at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper$NioOperationState.run(NioEndpoint.java:1511)
>> at org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.completed(SocketWrapperBase.java:1100)
>> .
>> .
>> .
>> .
>
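The trace quoted above alternates between NioOperationState.run and VectoredIOCompletionHandler.completed until the thread's stack is exhausted. The Python below is an added illustration of that general shape only; it is not Tomcat's code and not a diagnosis of this report. It models a completion handler that re-enters the read routine directly whenever a read completes synchronously, so a peer that always has data ready adds a pair of frames per chunk and the depth grows with the traffic, next to a variant that loops and only lets completed() account for data. The byte source, chunk sizes and chunk counts are constructed; Python's RecursionError stands in for java.lang.StackOverflowError.

```python
class ReadySource:
    """Constructed stand-in for a connection whose reads always complete immediately."""

    def __init__(self, chunk_count: int, chunk_size: int = 16 * 1024):
        self._remaining = chunk_count
        self._chunk = b"x" * chunk_size

    def read(self):
        """Return the next chunk, or None once the peer has nothing more to send."""
        if self._remaining == 0:
            return None
        self._remaining -= 1
        return self._chunk


class ReentrantReader:
    """completed() calls run() again: one extra run/completed frame pair per chunk read."""

    def __init__(self, source):
        self.source = source
        self.total_bytes = 0
        self.depth = 0       # current nesting of run()
        self.max_depth = 0   # deepest nesting reached

    def run(self):
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        try:
            chunk = self.source.read()
            if chunk is not None:
                self.completed(chunk)  # synchronous completion: control never returns to a loop
        finally:
            self.depth -= 1

    def completed(self, chunk):
        self.total_bytes += len(chunk)
        self.run()  # re-entry: the run() <-> completed() alternation seen in the trace


class LoopingReader:
    """Same work, but run() iterates and completed() only accounts for the data."""

    def __init__(self, source):
        self.source = source
        self.total_bytes = 0
        self.depth = 0
        self.max_depth = 0

    def run(self):
        self.depth += 1
        self.max_depth = max(self.max_depth, self.depth)
        try:
            while True:
                chunk = self.source.read()
                if chunk is None:
                    return
                self.completed(chunk)
        finally:
            self.depth -= 1

    def completed(self, chunk):
        self.total_bytes += len(chunk)


def drain(reader_cls, chunk_count: int):
    """Run a reader over `chunk_count` ready chunks.

    Returns (bytes_read, max_depth, error_name): error_name is None on success or
    "RecursionError" when the reader's nesting exceeded the interpreter's stack limit.
    """
    reader = reader_cls(ReadySource(chunk_count))
    try:
        reader.run()
        return reader.total_bytes, reader.max_depth, None
    except RecursionError as exc:
        return reader.total_bytes, reader.max_depth, type(exc).__name__


if __name__ == "__main__":
    for cls in (ReentrantReader, LoopingReader):
        print(cls.__name__, drain(cls, 5000))
```

The point for anyone reading such a trace: a stack that alternates between the same two frames hundreds of times means the depth is proportional to how much data the peer kept ready, which is why the error shows up only under sustained load and only on some threads; the bounded variant makes the depth independent of the number of chunks.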