Tomcat does not unpack WAR file (Tomcat 5.5.20)

2008-08-22 Thread Peter

Hi

When I drop a WAR file into the webapps folder on my dev machine - 
running Tomcat 6.0.16 - Tomcat unpacks it on startup.


When I do the same on the production box - running Tomcat 5.5.20 - 
nothing happens.


The WAR file that I am deploying is ROOT.war; there is a corresponding 
ROOT.xml under conf\Catalina\localhost. (I'm not sure if those details 
have any bearing on the problem - according to one archived post, there 
may be a connection.)


On both machines, the  tags look identical:

 

Any assistance would be appreciated. :)

Pete

--
Peter Cimring
Software Developer
(: +972 52-545-9364
*: [EMAIL PROTECTED]

"Any sufficiently advanced technology is indistinguishable from 
magic." - Arthur C. Clarke


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat does not unpack WAR file (Tomcat 5.5.20)

2008-08-23 Thread Peter

Thanks Johnny

On the production server, Tomcat is actually being started up by another 
'parent' application. Since this does not appear to be a (pure) 'Tomcat' 
issue, I will take it up with the guys who manage the 'parent' app.


Thanks for the assistance.

Johnny Kewl wrote:


- Original Message - From: "Peter" <[EMAIL PROTECTED]>
To: 
Sent: Friday, August 22, 2008 4:07 PM
Subject: Tomcat does not unpack WAR file (Tomcat 5.5.20)





Pete, nothing comes to mind, you seem to have the bases covered...
One possibility is that the existing ROOT web app is busy...
Maybe a thread running or something... TC will not start up the new 
guy, if the old one can't let go..


possibly from the manager console /manager/html tell the old one to 
undeploy first maybe...


Also just make sure from your dev environment that the ROOT context 
path is ""

really empty and not "root" which it may be doing... wild guess ;)

--- 


HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
--- 







Re: Tomcat does not unpack WAR file (Tomcat 5.5.20)

2008-08-23 Thread Peter

Yes - they are. (as I stated in my original post)

Martin Gainty wrote:

check your unpackWARS and autoDeploy parameters are both set to 'true' e.g.
$TOMCAT_HOME/conf/server.xml

Martin 



Re: Tomcat does not unpack WAR file (Tomcat 5.5.20)

2008-08-24 Thread Peter
It turns out that the problem IS connected to the ROOT.xml file under 
conf\Catalina\localhost.


As soon as I remove ROOT.xml, the ROOT.war unpacks.

This is what my ROOT.xml file looks like:



There has been some prior discussion around this topic. For example, see:

http://marc.info/?l=tomcat-user&m=116107471021645&w=2
http://marc.info/?l=tomcat-user&m=116302992202121&w=2

Is this a known issue / 'bug' with Tomcat 5?

:)

Pete




Re: Tomcat does not unpack WAR file (Tomcat 5.5.20)

2008-08-24 Thread Peter
I may be going slightly off-topic for this thread, but I have 2 
questions regarding the ROOT.xml fragment file...



As a test, I removed ROOT.xml and tested the app behavior. Specifically, 
I performed these steps to remove the ROOT.xml fragment file:


=> I removed ROOT.xml from ...conf\Catalina\localhost.

=> I stopped Tomcat, deleted the 'work' folder and started Tomcat again.

=> I cleared all cookies from the client machine's web browser.


The ROOT.xml file that I removed looked like this:




What puzzles me is this:


1. In order to map the ROOT web context to the root URI ('/'), I 
included the (path="") attribute in ROOT.xml.


However, even after removing the ROOT.xml fragment file, the ROOT web 
app is still mapped to the root URI ('/') i.e. when I navigate to the 
server's root domain name, the ROOT webapp is invoked.


Was I mistaken in thinking that the (path="") attribute is required?


2. Similarly, I included the (cookies="false") attribute to enable URL 
rewriting for browsers that do not support cookies.


However, even after removing the ROOT.xml fragment file, URL rewriting 
takes place - IF the web browser does not support cookies.


Have I missed something - or does the (cookies="false") do something 
slightly different to what I thought?



Just to re-iterate, I am running Tomcat 5.5.20

Thanks
Pete




hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-20 Thread Peter

hi all,

I have run into a very weird problem.

Here it is.
My project uses JBuilder 2006 and Tomcat 5.5.20.
When I put a 0 into a list, I get 1 as a result.
Simple code for testing:

List alist = new ArrayList();
alist.add(0);   // put 0 into it
alist.get(0);   // get 1 as result

It occurs when I use JBuilder 2006 to compile it and run it under Tomcat
5.5.20.
In JBuilder 2006 I chose the builder properties: language features (Java 2
SDK V5.0, generics enabled); target VM: Java 2 SDK V5.0 and later.

But if I choose target VM: Java 2 SDK V1.4 and later, it works
fine: put 0, get 0.
And if I do not run under Tomcat, it is still fine.

So I created another small project, with a JSP only doing
List alist = new ArrayList(); alist.add(0); alist.get(0);
and it works fine as well under the same Tomcat.


I wonder what is happening here?
My project uses many other jar files; I wonder if something is
wrong there.
Does anyone have an idea?

Thanks in advance!


Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

hi all
I put it in the JSP, and here is the code generated by Tomcat.
I did not see anything wrong there.

package org.apache.jsp;

import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import java.util.*;

public final class jsp1_jsp extends org.apache.jasper.runtime.HttpJspBase
    implements org.apache.jasper.runtime.JspSourceDependent {

  private static java.util.List _jspx_dependants;

  public Object getDependants() {
    return _jspx_dependants;
  }

  public void _jspService(HttpServletRequest request, HttpServletResponse response)
      throws java.io.IOException, ServletException {

    JspFactory _jspxFactory = null;
    PageContext pageContext = null;
    HttpSession session = null;
    ServletContext application = null;
    ServletConfig config = null;
    JspWriter out = null;
    Object page = this;
    JspWriter _jspx_out = null;
    PageContext _jspx_page_context = null;

    try {
      _jspxFactory = JspFactory.getDefaultFactory();
      response.setContentType("text/html; charset=GB2312");
      pageContext = _jspxFactory.getPageContext(this, request, response,
          null, true, 8192, true);
      _jspx_page_context = pageContext;
      application = pageContext.getServletContext();
      config = pageContext.getServletConfig();
      session = pageContext.getSession();
      out = pageContext.getOut();
      _jspx_out = out;

      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("jsp1\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("JBuilder Generated JSP\r\n");

      List alist = new ArrayList();
      alist.add(0);
      out.print(alist.get(0));
      //Gentest gt=new Gentest();
      //gt.addalist();
      //gt.addlist();

      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
      out.write("\r\n");
    } catch (Throwable t) {
      if (!(t instanceof SkipPageException)) {
        out = _jspx_out;
        if (out != null && out.getBufferSize() != 0)
          out.clearBuffer();
        if (_jspx_page_context != null)
          _jspx_page_context.handlePageException(t);
      }
    } finally {
      if (_jspxFactory != null)
        _jspxFactory.releasePageContext(_jspx_page_context);
    }
  }
}


On 5/21/07, Leon Rosenberg <[EMAIL PROTECTED]> wrote:


On 5/21/07, Peter <[EMAIL PROTECTED]> wrote:
> hi all,
>
> I have come into a very wired problem.
>
> here it is.
> my project using JBuilder 2006 and tomcat 5.5.20.
> when i put a 0 into a list and get 1 as a result.
> simple code for testing!
>
> List alist =new ArrayList();
> alist.add(0);  put 0 into it
> alist.get(0);   get 1 as result.
>
> it occurs when i using JBuilder2006 to complie it and run under tomcat
> 5.5.20.
> i choose Jbuilder 2006 builder property: language features ( java 2
> SDK V5.0generic enable) ; target VM  java 2 SDK
> V5.0 and later

hmm, do you use this code in a jsp? Could you possibly check the
source code generated by tomcat for this jsp and inspect it / send it
to us? Sounds like your jsp compiler is buggy.

regards
Leon





Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

in the mail before, i put 0 in a list and get 1 as result.







Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

thanks

I am sure that I put 0 into a list, that I am not displaying the result
badly, and that it is the same list,
and it only occurs in this project.
Thanks for any ideas.


On 5/21/07, David Delbecq <[EMAIL PROTECTED]> wrote:


Never heard of such a problem. Check your code. Either you add 1 to the list,
not 0, or you display the result badly, or it's not the same list.




Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

hi all
I tried this:

List alist = new ArrayList();
alist.add(0L);
alist.get(0);
and it is fine. I do not know why.









Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

hi all
Thanks for the reply;
things are getting a little clearer.
When I remove the jar file 'antlr-2.7.5H3.jar', it works fine: put 0 in and
get 0 out.
But when I put the jar file back, it still puts 0 in and gets 1 out.

The jar is in \tomcat\webapps\'myproject'\WEB-INF\lib\

It seems like there is something wrong in the jar file. This jar is
shipped with Hibernate. I tried the newest jar file from the newest
Hibernate, but it still has the same problem.

Does anyone have an idea?

the test code in a jsp file in my project:

java.util.List alist =new java.util.ArrayList();
alist.add(0);
out.print(alist.get(0));

Regards

On 5/22/07, Christopher Schultz <[EMAIL PROTECTED]> wrote:



Felix,

Felix Schumacher wrote:
> On Monday, 21.05.2007, at 13:54 +0800, Peter wrote:
>> hi all,
>>
>> I have come into a very wired problem.
>>
>> here it is.
>> my project using JBuilder 2006 and tomcat 5.5.20.
>> when i put a 0 into a list and get 1 as a result.
>> simple code for testing!
>>
>> List alist =new ArrayList();
>> alist.add(0);  put 0 into it
>> alist.get(0);   get 1 as result.
> Have you tried to put an Object into ArrayList?
> Like
> alist.add(Integer.valueOf(0));
> System.out.println((Integer)alist.get(0));
>
> I don't think it is possible to store an int into an ArrayList.

Generics + autoboxing ought to allow you to put ints into an ArrayList
(at least syntactically, though it's really just syntactic sugar).

- -chris





Re: hi,wired problem? add 0 into alist but get 1 as a result!

2007-05-21 Thread Peter

hi all;
I only get the problem when I put 0 into the list; putting 1 or any number
is OK, and putting new Integer(0) is OK as well.

I think it may be a bug.
Does anyone have an idea?
regards








Tomcat 6 NIO consumes all CPU until restarted

2007-10-27 Thread Peter
Hi

We are having a problem with Tomcat 6 using NIO (running on Linux with Java 
HotSpot(TM) 64-Bit Server VM (build 1.5.0_12-b04, mixed mode)): it consumes 
all CPU after a few hours in production. Prior to that we ran Tomcat 6 with AJP 
and Apache 2.0 with mod_jk in front of it for over a month without any 
problems. While it is consuming all CPU it still serves requests, but obviously 
much slower. During the last "episode" I collected some thread dumps over a 
period of 10 - 15 minutes and found 3 runnable threads that were present in all 
the dumps and were doing the exact same thing:

"http-8080-exec-41" daemon prio=1 tid=0x002ae320dad0 nid=0x12ac runnable [0x45c18000..0x45c18c10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)
--
"http-8080-exec-41" daemon prio=1 tid=0x002ae320dad0 nid=0x12ac runnable [0x45c18000..0x45c18c10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)
--
"http-8080-exec-41" daemon prio=1 tid=0x002ae320dad0 nid=0x12ac runnable [0x45c18000..0x45c18c10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)

"http-8080-exec-29" daemon prio=1 tid=0x002ae4152d10 nid=0x6e3a runnable [0x43af7000..0x43af7b90]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)

"http-8080-exec-16" daemon prio=1 tid=0x002ae39bf030 nid=0x18d1 runnable [0x43cf9000..0x43cf9e10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)

etc. Here are the connector configurations:






The server goes into this state very regularly; this configuration has been in 
service for 3 days and it goes into this state every 2 - 5 hours until 
restarted. 

Has anyone experienced any similar behaviour? Any ideas or suggestions?

Thanks
Peter
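
Cross-checking the dumps against per-thread CPU, as an added example that is not part of the original post: on Linux HotSpot the nid in a thread dump is the kernel thread id (LWP) in hex, so threads that stay runnable in the same frames across every dump can be matched to `ps -eL -o pid,%cpu,lwp` rows. The function names, the exec-7 thread, the tid/stack-range placeholders and all CPU figures are constructed; the thread names, nids and frames for exec-41 and exec-16 come from the post.

```python
import re

# Header of one thread in a HotSpot dump. On Linux, nid is the kernel thread
# id (LWP) in hex: the same number `ps -eL -o lwp` prints in decimal.
HEADER = re.compile(r'^"(?P<name>[^"]+)".*\bnid=0x(?P<nid>[0-9a-f]+)\s+(?P<state>[^\[]*)')
FRAME = re.compile(r'^\s+at\s+(.+?)\s*$')


def parse_dump(text):
    """Parse one thread dump into {lwp: (name, state, [frames])}."""
    threads, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = int(header.group("nid"), 16)
            threads[current] = (header.group("name"),
                                header.group("state").strip(), [])
        elif current is not None and FRAME.match(line):
            threads[current][2].append(FRAME.match(line).group(1))
        elif not line.strip():
            current = None  # blank line ends the current thread's stack
    return threads


def stuck_threads(dumps, depth=3):
    """Threads runnable with the same top `depth` frames in every dump."""
    parsed = [parse_dump(d) for d in dumps]
    stuck = {}
    for lwp, (name, state, frames) in parsed[0].items():
        if state != "runnable" or not frames:
            continue
        top = frames[:depth]
        if all(lwp in p and p[lwp][1] == "runnable" and p[lwp][2][:depth] == top
               for p in parsed[1:]):
            stuck[lwp] = (name, top[0])
    return stuck


def parse_ps(text):
    """Parse `ps -eL -o pid,%cpu,lwp` rows into {lwp: cpu_percent}."""
    usage = {}
    for row in text.splitlines():
        fields = row.split()
        if len(fields) == 3 and fields[2].isdigit():  # skips the header row
            usage[int(fields[2])] = float(fields[1])
    return usage


def hot_stuck_threads(dumps, ps_text, min_cpu=5.0):
    """Stuck threads that also show real CPU use, busiest first."""
    usage = parse_ps(ps_text)
    rows = [(usage[lwp], lwp, name, top)
            for lwp, (name, top) in stuck_threads(dumps).items()
            if usage.get(lwp, 0.0) >= min_cpu]
    return sorted(rows, reverse=True)


# --- Constructed sample input (tid and stack range are placeholders) ---
def entry(name, nid, state, frames):
    return '"%s" daemon prio=1 tid=0x0 nid=%s %s [0x0..0x0]\n%s\n' % (
        name, nid, state, frames)

GZIP = (
    "    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)\n"
    "    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)\n"
    "    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)\n"
)
STUCK = (entry("http-8080-exec-41", "0x12ac", "runnable", GZIP)
         + entry("http-8080-exec-16", "0x18d1", "runnable", GZIP))
BUSY = entry("http-8080-exec-7", "0x1a00", "runnable",
             "    at java.net.SocketInputStream.socketRead0(Native Method)\n")
IDLE = entry("http-8080-exec-7", "0x1a00", "in Object.wait()",
             "    at java.lang.Object.wait(Native Method)\n")
DUMPS = [STUCK + BUSY, STUCK + IDLE, STUCK + IDLE]  # three dumps over time

PS_SAMPLE = """\
  PID %CPU   LWP
 4046  0.1  4047
 4046 31.5  4780
 4046 29.8  6353
 4046  0.3  6656
"""

if __name__ == "__main__":
    for cpu, lwp, name, top in hot_stuck_threads(DUMPS, PS_SAMPLE):
        print("%5.1f%%  lwp=%d  nid=0x%x  %s  %s" % (cpu, lwp, lwp, name, top))
```

A thread that is runnable in only one dump (exec-7 here) is dropped, and a stuck thread with negligible CPU is filtered out by `min_cpu`.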






Re: Tomcat 6 NIO consumes all CPU until restarted

2007-10-27 Thread Peter
:) 

It eased migration from Tomcat, using APR on the SSL connector allowed us to 
reuse certificates. Could probably rework them to JKS in the future. 

- Original Message 
From: Rémy Maucherat 


On 10/27/07, Peter <[EMAIL PROTECTED]> wrote:
> Has anyone experienced any similar behaviour? Any ideas or suggestions?

Why do you think it is a good idea to use both the NIO and APR
connectors ? (the consequence of that is you're going to run in twice
as many bugs)

Rémy








Re: Tomcat 6 NIO consumes all CPU until restarted

2007-10-29 Thread Peter
Thanks Filip, oversight on my part, here we go:

[EMAIL PROTECTED]:/logs/tomcat> ps -eL -o pid,%cpu,lwp | grep -i 4046 | grep -iv 0.0
 4046  0.6  4047
 4046  0.1  4052
 4046  0.1  4053
 4046 21.9  4078
 4046 18.7  4108
 4046  0.1  4109

"http-8080-Poller-0" daemon prio=1 tid=0x002ae2f860e0 nid=0xfee runnable [0x412cf000..0x412cfc10]
    at java.util.HashMap.newKeyIterator(HashMap.java:889)
    at java.util.HashMap$KeySet.iterator(HashMap.java:921)
    at java.util.HashSet.iterator(HashSet.java:154)
    at sun.nio.ch.SelectorImpl.processDeregisterQueue(SelectorImpl.java:127)
    - locked <0x002ab2ac2810> (a java.util.HashSet)
    at sun.nio.ch.PollSelectorImpl.doSelect(PollSelectorImpl.java:60)
    at sun.nio.ch.SelectorImpl.lockAndDoSelect(SelectorImpl.java:69)
    - locked <0x002ab2ac2870> (a sun.nio.ch.Util$1)
    - locked <0x002ab2ac2858> (a java.util.Collections$UnmodifiableSet)
    - locked <0x002ab2ab5c80> (a sun.nio.ch.PollSelectorImpl)
    at sun.nio.ch.SelectorImpl.select(SelectorImpl.java:80)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1417)
    at java.lang.Thread.run(Thread.java:595)

"http-8080-exec-18" daemon prio=1 tid=0x002ae3c5d8e0 nid=0x100c runnable [0x430ec000..0x430edb10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at org.apache.coyote.http11.InternalNioOutputBuffer$SocketOutputBuffer.doWrite(InternalNioOutputBuffer.java:794)
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126)
    at org.apache.coyote.http11.filters.GzipOutputFilter$FakeOutputStream.write(GzipOutputFilter.java:164)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)
    at org.apache.coyote.http11.filters.GzipOutputFilter.end(GzipOutputFilter.java:122)
    at org.apache.coyote.http11.InternalNioOutputBuffer.endRequest(InternalNioOutputBuffer.java:396)
    at org.apache.coyote.http11.Http11NioProcessor.action(Http11NioProcessor.java:1080)
    at org.apache.coyote.Response.action(Response.java:183)
    at org.apache.coyote.Response.finish(Response.java:305)
    at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:276)
    at org.apache.catalina.connector.Response.finishResponse(Response.java:486)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:287)
    at org.apache.coyote.http11.Http11NioProcessor.process(Http11NioProcessor.java:887)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:696)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:2009)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at java.lang.Thread.run(Thread.java:595)



- Original Message 
From: Filip Hanik 

since you are running on linux, you know that you can get the id of the
thread that is taking up all the CPU, just use a binary top that lets you
list individual threads.

as you can see, the thread dump you have doesn't really show anything,
you're simply assuming that it's that call taking up CPU, but if your
CPU usage is very high, then very little code is actually moving through.

there are a few bugs with references, but until you get the actual
thread causing the CPU usage, then you won't know for sure

a few examples are, but nothing concrete.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42090
http://issues.apache.org/bugzilla/show_bug.cgi?id=42925

gather up the data, get the thread id that is causing CPU, match that
with your thread dump, and then you will know for sure

Filip

Peter wrote:
> Hi
>
> We are having a problem with Tomcat 6 using the NIO (running on linux
> with Java HotSpot(TM) 64-Bit Server VM (build 1.5.0_12-b04, mixed
> mode) that it consumes all CPU after a few hours in production, prior to
> that we ran Tomcat 6 with AJP and Apache 2.0 with mod_jk in front of it
> for over a month without any problems. While it is consuming all CPU it
> still serves requests but obviously much slower. During the last
> "episode" I collected some thread dumps over the period of 10 - 15 minutes
> and found 3 runnable threads that were present in all the dumps and were
> doing the exact same thing:
>
> "http-8080-exec-41" daemon prio=1 tid=0x002ae320dad0 nid=0x12ac runnable [0x45c18000..0x45c18c10]
> at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
> at org.apache.coyote.http11.InternalNioOutputBuff
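
The matching step described in this exchange, worked through on the numbers posted above, as an added example that is not part of the original thread: ps -eL reports each thread's LWP in decimal, while the HotSpot thread dump prints the same id in hex as nid=. The function names are illustrative, and the sample data is abridged from the output in the message (the ps header line is constructed).

```python
import re

# Per-thread CPU listing from the message above, plus a constructed header line.
PS_OUTPUT = """\
  PID %CPU   LWP
 4046  0.6  4047
 4046  0.1  4052
 4046  0.1  4053
 4046 21.9  4078
 4046 18.7  4108
 4046  0.1  4109
"""

# Thread dump abridged from the message above (frames shortened).
THREAD_DUMP = """\
"http-8080-Poller-0" daemon prio=1 tid=0x002ae2f860e0 nid=0xfee runnable [0x412cf000..0x412cfc10]
    at java.util.HashMap.newKeyIterator(HashMap.java:889)
    at sun.nio.ch.SelectorImpl.processDeregisterQueue(SelectorImpl.java:127)
    - locked <0x002ab2ac2810> (a java.util.HashSet)
    at org.apache.tomcat.util.net.NioEndpoint$Poller.run(NioEndpoint.java:1417)

"http-8080-exec-18" daemon prio=1 tid=0x002ae3c5d8e0 nid=0x100c runnable [0x430ec000..0x430edb10]
    at org.apache.coyote.http11.InternalNioOutputBuffer.access$000(InternalNioOutputBuffer.java:44)
    at java.util.zip.GZIPOutputStream.finish(GZIPOutputStream.java:95)
"""

# A thread header line: quoted name, then attributes including nid=0x<hex LWP>.
THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)".*?\bnid=(?P<nid>0x[0-9a-fA-F]+)')


def parse_ps_threads(ps_text, pid):
    """Map LWP -> %CPU for one process from `ps -eL -o pid,%cpu,lwp` output."""
    usage = {}
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            row_pid, cpu, lwp = int(fields[0]), float(fields[1]), int(fields[2])
        except ValueError:
            continue  # header line or unrelated output
        if row_pid == pid:
            usage[lwp] = cpu
    return usage


def parse_thread_dump(dump_text):
    """Map LWP -> (thread name, stack frames), converting the hex nid to decimal."""
    threads = {}
    frames = None
    for line in dump_text.splitlines():
        header = THREAD_HEADER.match(line)
        if header:
            frames = []
            threads[int(header.group("nid"), 16)] = (header.group("name"), frames)
        elif frames is not None and line.strip().startswith("at "):
            frames.append(line.strip()[3:])
    return threads


def hot_threads(ps_text, dump_text, pid, min_cpu=1.0):
    """Join both views on the LWP and return the busiest threads first."""
    dump = parse_thread_dump(dump_text)
    report = []
    for lwp, cpu in parse_ps_threads(ps_text, pid).items():
        if cpu < min_cpu:
            continue
        # An LWP missing from the dump means the dump was taken from another
        # process or at a different time; report it rather than dropping it.
        name, frames = dump.get(lwp, (None, []))
        report.append({"lwp": lwp, "nid": hex(lwp), "cpu": cpu, "name": name,
                       "top_frame": frames[0] if frames else None})
    return sorted(report, key=lambda row: row["cpu"], reverse=True)


if __name__ == "__main__":
    for row in hot_threads(PS_OUTPUT, THREAD_DUMP, 4046):
        print("%5.1f%%  lwp=%d  nid=%s  %s  %s" % (
            row["cpu"], row["lwp"], row["nid"], row["name"], row["top_frame"]))
```

Taking the ps snapshot and the thread dump as close together as possible, and repeating both a few times, shows whether the same threads stay at the top.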

Re: Tomcat 6 NIO consumes all CPU until restarted

2007-10-29 Thread Peter
Oh, I forgot to mention, switched back to APR connector for 8080 for the 
weekend and all was fine. Switched back to NIO this morning to gather these 
stats and in a few hours it was stuck at 100% CPU again, very little variance 
in traffic (low traffic site right now, about a constant 1mbit). 


hi,problem when shutdown tomcat!

2007-06-12 Thread Peter

hi all;
when I shut down Tomcat, I found the following messages in catalina.out:


2007-6-12 18:18:44 org.apache.catalina.core.StandardWrapper unload
*Waiting for 6 instance(s) to be deallocated*
2007-6-12 18:18:45 org.apache.catalina.core.StandardWrapper unload
*Waiting for 6 instance(s) to be deallocated*
2007-6-12 18:18:46 org.apache.catalina.core.StandardWrapper unload
*Waiting for 6 instance(s) to be deallocated*
2007-6-12 18:18:46 org.apache.catalina.core.StandardWrapper unload
*Waiting for 333 instance(s) to be deallocated*
2007-6-12 18:18:47 org.apache.catalina.core.StandardWrapper unload
*Waiting for 333 instance(s) to be deallocated*
2007-6-12 18:18:48 org.apache.catalina.core.StandardWrapper unload
*Waiting for 333 instance(s) to be deallocated*

Does anyone have an idea about the above messages? Does it mean that there is
a deadlock in the program?
or that some connections are not closed?

thank you for ideas!
peter


Re: hi,problem when shutdown tomcat!

2007-06-12 Thread Peter

thank you for ideas

I am currently using JBuilder2006; what profiler can be used in JBuilder2006?

thanks
peter

On 6/12/07, Jon Wingfield <[EMAIL PROTECTED]> wrote:


Chuck answered a similar query recently:
http://marc.info/?l=tomcat-user&m=118113828210257&w=2

Your servlets are serving long-running requests (or are in infinite
loops, dead-locked etc) when you are trying to shutdown tomcat.
The first thing I'd do in this situation is SIGQUIT tomcat to get a
stackdump of the running threads.
With that you can usually determine the changes you need to do to your
servlets, if required.
If the stackdump isn't a help I'd attach a profiler to see where your
servlets are spending the time. I like the one bundled with netbeans.
I'm sure others on the list have their own favourites.

Jon





Re: hi,problem when shutdown tomcat!

2007-06-12 Thread Peter

hi all;
I tried to use SIGQUIT but cannot see the stack trace.

[EMAIL PROTECTED] root]# ps -ef|grep tomcat
root 26337 1  5 09:45 pts/0 00:00:11 /usr/java/jre1.5.0_08/bin/java -Xms256m -Xmx512m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.endorsed.dirs=/opt/tomcat/common/endorsed -classpath :/opt/tomcat/bin/bootstrap.ja
root 26427 26172  0 09:49 pts/0 00:00:00 grep tomcat

[EMAIL PROTECTED] root]# kill -SIGQUIT 26337
[EMAIL PROTECTED] root]# kill -3 26337
[EMAIL PROTECTED] root]#

Does anyone have an idea why?
Some article said that if the JVM is set with -Xrs, it will ignore OS signals
like SIGQUIT.
Does anyone know how I can see the stack trace in this situation?
I use Tomcat 5.5.20 on Linux, Java 1.5.0_10

thanks





On 6/12/07, Jon Wingfield <[EMAIL PROTECTED]> wrote:


Good question. I don't know. The last time I used JBuilder was way back
in 2000.
The Borland site suggests an OptimizeIt profiler is present in JBuilder
for the Developer and Enterprise editions:
http://info.borland.com/techpubs/jbuilder/

Jon





Can not see the stack trace?

2007-06-12 Thread Peter

hi all;
I tried to use SIGQUIT but cannot see the stack trace.

[EMAIL PROTECTED] root]# ps -ef|grep tomcat
root 26337 1  5 09:45 pts/0 00:00:11 /usr/java/jre1.5.0_08/bin/java -Xms256m -Xmx512m -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Djava.endorsed.dirs=/opt/tomcat/common/endorsed -classpath :/opt/tomcat/bin/bootstrap.ja
root 26427 26172  0 09:49 pts/0 00:00:00 grep tomcat

[EMAIL PROTECTED] root]# kill -SIGQUIT 26337
[EMAIL PROTECTED] root]# kill -3 26337
[EMAIL PROTECTED] root]#

Does anyone have an idea why?
Some article said that if the JVM is set with -Xrs, it will ignore OS signals
like SIGQUIT.
Does anyone know how I can see the stack trace in this situation?
I use Tomcat 5.5.20 on Linux, Java 1.5.0_10

thanks


Re: hi,problem when shutdown tomcat!

2007-06-12 Thread Peter

hi all;
I just found out that on Linux
a folder 26337 is generated under /proc.
Is that the place where the information is stored?
any idea?
thanks



Re: hi,problem when shutdown tomcat!

2007-06-13 Thread Peter

i found that.
thanks a lot





On 6/13/07, Jon Wingfield <[EMAIL PROTECTED]> wrote:


The trace is probably in the catalina.out log file (at least that's
where it goes for us running tc5.0.30)





Nio problems on OSX

2007-06-13 Thread Peter
Hi

I'm trying to use the Nio connector with Tomcat 6.0.13 running with Java 
1.5.0_07 on OSX 10.4.9. When trying to access port 8080 which was declared with 
the Nio connector I just get a blank response and see the following in 
catalina.out:

Jun 13, 2007 10:47:02 AM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE:
java.net.SocketException: Invalid argument
at sun.nio.ch.Net.setIntOption0(Native Method)
at sun.nio.ch.Net.setIntOption(Net.java:152)
at sun.nio.ch.SocketChannelImpl$1.setInt(SocketChannelImpl.java:372)
at sun.nio.ch.SocketOptsImpl.setInt(SocketOptsImpl.java:46)
at sun.nio.ch.SocketOptsImpl$IP.typeOfService(SocketOptsImpl.java:249)
at sun.nio.ch.OptionAdaptor.setTrafficClass(OptionAdaptor.java:158)
at sun.nio.ch.SocketAdaptor.setTrafficClass(SocketAdaptor.java:330)
at org.apache.tomcat.util.net.SocketProperties.setProperties(SocketProperties.java:171)
at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:967)
at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1183)
at java.lang.Thread.run(Thread.java:613)

I also use the native library:

Jun 13, 2007 10:46:30 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [false], accept filters [false], random [true].

Incidentally, does APR not support sendfile on OSX? 

Here are my connector definitions:





Any ideas?

Thanks
Peter






Re: Can not see the stack trace?

2007-06-15 Thread Peter

thank you i got that

On 6/16/07, Rainer Jung <[EMAIL PROTECTED]> wrote:


Are you actually using -Xrs? At least it's not contained in the part of
the commandline you posted, which is unfortunately truncated.

The result of kill -QUIT goes to STDOUT of the jvm. So you need to find
out, where your STDOUT goes to. The standard tomcat start scripts
(startup.sh or catalina.sh called with the argument start) redirect
STDOUT to logs/catalina.out.

Regards,

Rainer

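
A check for the two causes discussed in this reply, as an added example that is not part of the original thread: it reads the untruncated command line from /proc/<pid>/cmdline to look for -Xrs, and resolves /proc/<pid>/fd/1 to see where the JVM's STDOUT, and therefore the SIGQUIT thread dump, goes. The function names, the fake /proc tree and the sample paths are constructed for illustration.

```python
import os
import tempfile

# Constructed sample: a JVM command line shaped like the one in the post. The
# main class and its argument are assumptions (the posted ps output was cut off).
SAMPLE_ARGV = ["/usr/java/jre1.5.0_08/bin/java", "-Xms256m", "-Xmx512m",
               "org.apache.catalina.startup.Bootstrap", "start"]

ADVICE = {
    "file": "read the dump from that file",
    "terminal": "the dump is printed on that terminal",
    "pipe": "the dump goes to whichever process reads the pipe, e.g. a wrapper",
    "discarded": "STDOUT is /dev/null and the dump is lost; redirect STDOUT to a file",
    "deleted-file": "the log was unlinked; read it through /proc/<pid>/fd/1",
}


def make_fake_proc(root, pid, argv, stdout_link):
    """Build a minimal /proc-like tree so the example runs offline (constructed data)."""
    base = os.path.join(root, str(pid))
    os.makedirs(os.path.join(base, "fd"))
    with open(os.path.join(base, "cmdline"), "wb") as fh:
        fh.write(b"\0".join(arg.encode() for arg in argv) + b"\0")
    os.symlink(stdout_link, os.path.join(base, "fd", "1"))


def read_argv(pid, proc_root="/proc"):
    """Return the complete argv; unlike ps output, cmdline is not cut at terminal width."""
    with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
        return [arg.decode("utf-8", "replace") for arg in fh.read().split(b"\0") if arg]


def classify_stdout(target):
    """Classify the link target of fd 1 as the kernel reports it."""
    if target.endswith(" (deleted)"):
        return "deleted-file"
    if target.startswith(("pipe:", "socket:")):
        return "pipe"
    if target == "/dev/null":
        return "discarded"
    if target.startswith(("/dev/pts/", "/dev/tty")):
        return "terminal"
    return "file"


def thread_dump_diagnosis(pid, proc_root="/proc"):
    """Report whether SIGQUIT can produce a dump for this JVM and where it would go."""
    argv = read_argv(pid, proc_root)
    target = os.readlink(os.path.join(proc_root, str(pid), "fd", "1"))
    kind = classify_stdout(target)
    # Simplification: any "-Xrs" token counts, even one passed to the application.
    xrs = "-Xrs" in argv
    if xrs:
        # With -Xrs the JVM installs no SIGQUIT handler, so no dump is produced
        # and the signal keeps the disposition the process inherited.
        advice = "-Xrs is set: SIGQUIT produces no thread dump; do not send it"
    else:
        advice = ADVICE[kind]
    return {"xrs": xrs, "stdout": target, "kind": kind, "advice": advice}


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    make_fake_proc(root, 26337, SAMPLE_ARGV, "/opt/tomcat/logs/catalina.out")
    print(thread_dump_diagnosis(26337, proc_root=root))
```

On a live host, call thread_dump_diagnosis(pid) with the default proc_root as the user that owns the JVM, or as root, since fd links of other users' processes are not readable.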




log4j error! log4j:ERROR Attempted to append to closed appender named.

2007-06-19 Thread Peter

hi,all

We are using log4j under Tomcat, and so many of the following errors appear:

log4j:ERROR Attempted to append to closed appender named [DEFAULT_LOGFILE].

Does anyone have an idea why, and how to solve it?

thanks !

here is our log4j.xml





http://jakarta.apache.org/log4j/";
debug="false">


 
 
 
 
 
 
  
 



 
 
 
 
 
 
  
 






 

 




 
 


 
 




 
 




Re: log4j error! log4j:ERROR Attempted to append to closed appender named.

2007-06-19 Thread Peter

thanks

but it also generates the log file as well. The log file can be written.

I do not know if the error:

*log4j:ERROR Attempted to append to closed appender named [DEFAULT_LOGFILE].*

will slow down our system, or whether this error can be ignored?

how to solve it

thanks


On 6/20/07, 吴熊敏 <[EMAIL PROTECTED]> wrote:


I think the configuration of LOG4J has some problems



System can't find the log file.



吴熊敏 <[EMAIL PROTECTED]>






Re: Re[2]: log4j error! log4j:ERROR Attempted to append to closed appender named.

2007-06-19 Thread Peter

i will try this
thanks


On 6/20/07, 吴熊敏 <[EMAIL PROTECTED]> wrote:





change Append's value 'true' and try again



吴熊敏 <[EMAIL PROTECTED]>






Re: Re[2]: SOS thanks

2007-06-20 Thread Peter

hi
i.e.

The term i.e. means "id est" in Latin or "that is" in English. A trick that
I use: If you can replace "i.e." with "in other words" then you are using it
correctly. "I.e." is used to specify what you are trying to convey.
See the following article about i.e. vs e.g.:
http://ancienthistory.about.com/od/abbreviations/f/ievseg.htm

hope it helps



On 6/21/07, 吴熊敏 <[EMAIL PROTECTED]> wrote:


"eg" stands for "example given"

but what does "ie" stands for?


On Thu, 21 Jun 2007 13:44:06 +1000
Jacob Rhoden <[EMAIL PROTECTED]> wrote:

> 吴熊敏 wrote:
> > Thanks very much.
> > I have another question,what does "ie" here means? Is it the same as "it"?
> >
> > I have seen this word "ie" in many mails,but i don't understand its
> > meaning.
> >
> "ie" means "For example". It is similar in usage to "比喻说". (I think they
> are the characters, not sure).
>
> Best Regards,
> Jacob
>
> _
> Jacobs Blog -- http://www.jacobrhoden.com/
>
>


吴熊敏 <[EMAIL PROTECTED]>






Re: 7.0.25 to 7.0.27 requires -Xmx32m to go to -Xmx512m

2012-04-10 Thread Peter
hey Christopher,

the app I used that uncovered the issue is one I use exclusively to validate 
tomcat releases;) it is a "hello world" style app using spring/servlet3.0. it 
has simple spring aop point cutting via jamon , simple spring jms (active mq) 
simple spring jaxrs, simple spring jaxws, simple spring mvc, simple spring 
security,... (spring 3.0.7)

bunch of very simple examples that end up pulling in "many" jars.

I will grab a dump tomorrow,  thanks for response,
peter

Re: 7.0.25 to 7.0.27 requires -Xmx32m to go to -Xmx512m

2012-04-12 Thread Peter
Thanks for the response Mark - it is consistent with both observations that I
noted in the original email (heap post startup was near 0, and disabling
scanning resolves). I looked in the changelog in 26/27 and did not see anything
in there that fits this?  If your hypothesis is correct, I suspect quite a few
people will be in for a shock when they deploy 7.0.27 or later into a
production env where memory footprints are much more managed than, say, in
eclipse on your desktop ;)

The issue might not be with the spec, but the tomcat implementation whereby
everything is getting loaded into ram during scanning. In 7.0.25 - I could
start a "typical" Spring application in 32mb. 7.0.27 requires 512mb?


- Peter




 From: Mark Thomas 
To: Tomcat Users List  
Sent: Wednesday, April 11, 2012 6:50 AM
Subject: Re: 7.0.25 to 7.0.27 requires -Xmx32m to go to -Xmx512m
 


Pid  wrote:

>On 11/04/2012 03:47, Peter wrote:
>> hey Christopher,
>> 
>> the app I used that uncovered the issue is one I use exclusively to
>validate tomcat releases;) it is a "hello world" style app using
>spring/servlet3.0. it has simple spring aop point cutting via jamon ,
>simple spring jms (active mq) simple spring jaxrs, simple spring jaxws,
>simple spring mvc, simple spring security,... (spring 3.0.7)
>> 
>> bunch of very simple examples that end up pulling in "many" jars.
>
>Can you post it to github or somewhere public?
>
>
>p
>
>
>> I will grab a dump tomorrow,  thanks for response,
>> peter

I know exactly where this memory is going. During the scanning process Tomcat 
has to scan every single class in the application and its libraries and every 
class and interface in that class's hierarchy for annotations (we don't have a 
choice in this - the spec requires it). This can lead to the same class being 
scanned many times during startup and that is slow. Tomcat now caches the 
result of scanning a class which means each class only has to be scanned once. 
However, this does mean that all the results are in memory until the scan is 
complete. If you have a lot of libraries, that could require a lot of memory. 
If you know a JAR doesn't need scanning, add it to the jarsToSkip property. If 
it is a popular jar then create an enhancement request and we'll add it to the 
default list. The other option is to set metadata complete in the web.xml

I haven't reviewed the scanning caching code but there may be some 
opportunities to reduce the memory footprint of the cache.

Mark



Tomcat Java Settings for each webapps, and virtual host strange issue.

2013-12-25 Thread Peter
Hi all, I am having strange issues with tomcat 7 as well as tomcat 8,
following is details of that issue, please someone help me to configure
java for each webapps


# This Java is supported by one webapp "host1"
$ ./java -version
java version "1.7.0_45"
OpenJDK Runtime Environment (rhel-2.4.3.3.el6-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)


# This Java supports another webapp "host2", but does not support above
webapp "host1"
$ ./java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)


This is setenv file in tomcat/bin directory
$ cat setenv.sh
#!/bin/sh

# Webapps1 Java
JAVA_HOME="/usr/local/www/html/TOMCAT_DEMO/tomcat/JAVA_Latest/jdk1.7.0_45"
JRE_HOME="/usr/local/www/html/TOMCAT_DEMO/tomcat/JAVA_Latest/jdk1.7.0_45/jre"


# Webapps2 Java
#JAVA_HOME="/usr/lib/jvm/jre-1.7.0"
#JRE_HOME="/usr/lib/jvm/jre-1.7.0"


export JRE_HOME
export JAVA_HOME

CATALINA_BASE="/usr/local/www/html/TOMCAT_DEMO/tomcat"
export CATALINA_BASE

JAVA_OPTS="-Xmx2048m -Xms512m -server -Djava.awt.headless=true -Djava.util.prefs.systemRoot=$CATALINA_BASE/content/thredds/javaUtilPrefs"
export JAVA_OPTS


$ ./version.sh
Using CATALINA_BASE:   /usr/local/www/html/TOMCAT_DEMO/tomcat
Using CATALINA_HOME:   /usr/local/www/html/TOMCAT_DEMO/tomcat
Using CATALINA_TMPDIR: /usr/local/www/html/TOMCAT_DEMO/tomcat/temp
Using JRE_HOME:        /usr/local/www/html/TOMCAT_DEMO/tomcat/JAVA_Latest/jdk1.7.0_45/jre
Using CLASSPATH:       /usr/local/www/html/TOMCAT_DEMO/tomcat/bin/bootstrap.jar:/usr/local/www/html/TOMCAT_DEMO/tomcat/bin/tomcat-juli.jar
Server version: Apache Tomcat/7.0.47
Server built:   Oct 18 2013 01:07:38
Server number:  7.0.47.0
OS Name:        Linux
OS Version:     2.6.32-431.el6.x86_64
Architecture:   amd64
JVM Version:    1.7.0_45-b18
JVM Vendor:     Oracle Corporation


$ cat server.xml

Thanks in advance,

Peter


Re: Tomcat Java Settings for each webapps, and virtual host strange issue.

2013-12-26 Thread Peter
Thanks *Mark,* Martin Gainty, André Warnier for your time

As some of you suggested I need to have different tomcat for different java
version


Do you mean if I have 2 webapps, which work on 2 different java versions
then, do I have to create 2 tomcat folders ? like this

/tomcat7_copy1 --->www.host1.com
   bin

  setenv.sh > java version1 for app1
  start.sh
  stop.sh

   conf
   logs
   server
   webapps ---> app1
   work

/tomcat8_copy2  --->www.host2.com
   bin

  setenv.sh > java version2 for app2
  start.sh
  stop.sh
   conf
   logs
   server
   webapps ---> app2
   work


if this is what you said, I suspect tomcat will get confused I think,
please guide me how can create 2 hosts ?

for instance I want to do like this, port should be 80

tomcat7_copy1 as www.host1.com
tomcat8_copy2 as www.host2.com

what will be the configuration, I suspect system will be confused with 2
versions of java, maybe PID configuration is needed to solve conflict, but
I don't have much idea about this tomcat and java.

what will be server.xml ?
what will be setenv.sh  ?

what I expect from you people is if I type www.host1.com on browser I
should get tomcat7 default index page, and for www.host2.com I should get
tomcat8 default index page, both should work simultaneously without any
disturbance like, suppose if I run stop.sh of tomcat7, it should not
disturb tomcat8.

Hope my requirement is clear to all of you.

Please help me.


Thanks in advance.

- Peter

On Thu, Dec 26, 2013 at 2:42 PM, Mark Thomas  wrote:

> On 26/12/2013 04:30, Peter wrote:
> > Hi all, I am having strange issues with tomcat 7 as well as tomcat 8,
> > following is details of that issue, please someone help me to configure
> > java for each webapps
>
> You can't do that. You can only have one version of Java per OS process
> / Tomcat instance. If you want different Java versions for different web
> applications you need to have separate Tomcat instances.
>
> Mark
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Tomcat Java Settings for each webapps, and virtual host strange issue.

2013-12-26 Thread Peter
Guys see here is that error message , I am attaching log file also please
help

OS - Centos 6.5 64 bit

HTTP Status 500 - Error instantiating servlet class
gov.noaa.pfel.erddap.Erddap
--

*type* Exception report

*message* *Error instantiating servlet class gov.noaa.pfel.erddap.Erddap*

*description* *The server encountered an internal error that prevented it
from fulfilling this request.*

*exception*

javax.servlet.ServletException: Error instantiating servlet class
gov.noaa.pfel.erddap.Erddap

org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)

org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)

org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)

org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)

java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
java.lang.Thread.run(Thread.java:744)

*root cause*

java.lang.ExceptionInInitializerError
gov.noaa.pfel.erddap.Erddap.(Erddap.java:196)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)

sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:526)
java.lang.Class.newInstance(Class.java:374)

org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)

org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)

org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)

org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)

java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
java.lang.Thread.run(Thread.java:744)

*root cause*

java.lang.RuntimeException: Ask the ERDDAP administrator to look at
the detailed error message in [bigParentDirectory]/logs/log.txt .
gov.noaa.pfel.erddap.util.EDStatic.(EDStatic.java:2322)
gov.noaa.pfel.erddap.Erddap.(Erddap.java:196)
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)

sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
java.lang.reflect.Constructor.newInstance(Constructor.java:526)
java.lang.Class.newInstance(Class.java:374)

org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)

org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)

org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)

org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)

java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
java.lang.Thread.run(Thread.java:744)


 Please help me

Peter


On Fri, Dec 27, 2013 at 3:03 AM, André Warnier  wrote:

> Peter wrote:
>
>> Thanks *Mark,* Martin Gainty, André Warnier for you time
>>
>>
>> As some of you suggested I need to have different tomcat for different
>> java
>> version
>>
>>
> The very first question which you should maybe ask yourself (or the
> developers of the webapps), is *why* these webapps require different Java
> versions.  It should not be so.
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tom

Re: Tomcat Java Settings for each webapps, and virtual host strange issue.

2013-12-27 Thread Peter
On Fri, Dec 27, 2013 at 1:31 PM, Mark Eggers  wrote:

> On 12/26/2013 11:49 PM, Peter wrote:
>
>> Guys see here is that error message , I am attaching log file also please
>> help
>>
>> OS - Centos 6.5 64 bit
>>
>> HTTP Status 500 - Error instantiating servlet class
>> gov.noaa.pfel.erddap.Erddap
>> --
>>
>> *type* Exception report
>>
>> *message* *Error instantiating servlet class gov.noaa.pfel.erddap.Erddap*
>>
>> *description* *The server encountered an internal error that prevented it
>> from fulfilling this request.*
>> *exception*s
>>
>
> This looks like an ERDDAP setup problem. Are you trying to set up:
> http://coastwatch.pfeg.noaa.gov/erddap/index.html
> If so, did you read / understand / follow:
> http://coastwatch.pfeg.noaa.gov/erddap/download/setup.html
> It looks like the application should just work. The documentation
> recommends the latest JRE / JDK 7.
>
> /mde/
>
>
> There is no setup problem

*# ERDDAP works fine with this Java*
java version "1.7.0_45"
OpenJDK Runtime Environment (rhel-2.4.3.3.el6-x86_64 u45-b15)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)


*# This Java supports almost all webapps of mine, except ERDDAP *
$ ./java -version
java version "1.7.0_45"
Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode)



- Peter


>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Tomcat Java Settings for each webapps, and virtual host strange issue.

2013-12-27 Thread Peter
there is no log.txt but I can attach catalina logs

Please look into the attachment

All my webapps are working fine with following java downloaded from Oracle
website except ERDDAP



*# ls *.gz -1*
jdk-7u45-linux-x64.tar.gz
jre-7u45-linux-x64.tar.gz

*# Folders*
jdk1.7.0_45
jre1.7.0_45

Please help me.

Peter




On Fri, Dec 27, 2013 at 2:46 PM, André Warnier  wrote:

> Peter wrote:
>
>> Guys see here is that error message , I am attaching log file also please
>> help
>>
>
> And did you see that :
>
>
> java.lang.RuntimeException: Ask the ERDDAP administrator to look at
> the detailed error message in [bigParentDirectory]/logs/log.txt .
>
> Did you ask him ?
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


tomcat - How to forward request to some webapp while using port 80 without virtual host, without apache

2013-12-28 Thread Peter
Hi all, I have many entries in /etc/hosts file, like this

cat /etc/hosts
127.0.0.1 main.host.com localhost
::1 localhost6.localdomain6 localhost6
a.b.c.d client1.host.com hostname
a.b.c.d client1.host.com hostname

in webapp directory, webapp folders

client1
client2

my tomcat uses port 80, so by default when I enter any of above hostname on
browser I could see default index page, but my interest is like below

if I enter http://client1.host.com on browser,
then tomcat should forward it to webapp client1

http://client1.host.com/client1

same way if I enter http://client2.host.com it
should forward to

http://client2.host.com/client2

How can this be achieved?

*I am not interested to use virtual host in tomcat, as well as http apache*
whether it's possible ???


Please help me..if possible send me sample configuration file as I am
newbie to web programming world.


Thanks in advance

- Peter


Re: tomcat - How to forward request to some webapp while using port 80 without virtual host, without apache

2013-12-28 Thread Peter
On Sat, Dec 28, 2013 at 6:48 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:
> From: Peter [mailto:nex@gmail.com]
> Subject: tomcat - How to forward request to some webapp while using port
80 without virtual host, without apache

> if I enter *http://client1.host.com <http://client1.host.com>* on browser,
> then tomcat should forward it to webapp client1

> *http://client1.host.com/client1 <http://client1.host.com/client1>*
> same way if I enter *http://client2.host.com <http://client2.host.com> *it
> should forward to to

> *http://client2.host.com/client2 <http://client2.host.com/client2>*

> *I am not interested to use virtual host in tomcat, as well as http
apache*
> whether its possible ???

Many people use a filter to accomplish this;
http://tuckey.org/urlrewrite/ is the most popular.

 - Chuck

I am confused about installation part please help me, installation guide
says its WEB-INF directory which WEB-INF ?? and I didn't find any lib
directory look at the following detail, I am newbie I have lot of need of
you people's help please do the needful.


[root@peter webapps]#pwd
/usr/local/www/html/TOMCAT_DEMO/tomcat/*webapps*

[root@peter host-manager]# ls -1
docs
examples
host-manager
manager
ROOT


[root@peter host-manager]# pwd
/usr/local/www/html/TOMCAT_DEMO/tomcat/*webapps/host-manager*

[root@peter host-manager]# ls -1
images
index.jsp
manager.xml
META-INF
*WEB-INF*

[root@peter manager]#  pwd
/usr/local/www/html/TOMCAT_DEMO/tomcat/*webapps/manager*
[root@peter host-manager]#  ls -1
images
index.jsp
META-INF
status.xsd
*WEB-INF*
xform.xsl


[root@peter ROOT]# pwd
/usr/local/www/html/TOMCAT_DEMO/tomcat/*webapps/ROOT*
[root@peter host-manager]# ls -1
asf-logo.png
asf-logo-wide.gif
bg-button.png
bg-middle.png
bg-nav-item.png
bg-nav.png
bg-upper.png
build.xml
favicon.ico
index.jsp
RELEASE-NOTES.txt
tomcat.css
tomcat.gif
tomcat.png
tomcat-power.gif
tomcat.svg
*WEB-INF*



- Peter


On Sat, Dec 28, 2013 at 6:48 PM, Caldarale, Charles R <
chuck.caldar...@unisys.com> wrote:

> > From: Peter [mailto:nex@gmail.com]
> > Subject: tomcat - How to forward request to some webapp while using port
> 80 without virtual host, without apache
>
> > if I enter *http://client1.host.com <http://client1.host.com>* on
> browser,
> > then tomcat should forward it to webapp client1
>
> > *http://client1.host.com/client1 <http://client1.host.com/client1>*
> > same way if I enter *http://client2.host.com <http://client2.host.com>
> *it
> > should forward to to
>
> > *http://client2.host.com/client2 <http://client2.host.com/client2>*
>
> > *I am not interested to use virtual host in tomcat, as well as http
> apache*
> > whether its possible ???
>
> Many people use a filter to accomplish this; http://tuckey.org/urlrewrite/
> is the most popular.
>
>  - Chuck
>
>
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: tomcat - How to forward request to some webapp while using port 80 without virtual host, without apache

2013-12-28 Thread Peter
I am happy that you guys sent reply to me, but can anyone here create a
configuration file for me for the example which I had mentioned in beginning of
post, then I can understand better, it's my weakness but true.

-Peter

On Sat, Dec 28, 2013 at 10:25 PM, André Warnier  wrote:

> Peter wrote:
> ...
>
>
>
>> I am confused about installation part please help me, installation guide
>> says its WEB-INF directory which WEB-INF ?? and I didn't find any lib
>> directory look at the following detail, I am newbie I have lot of need of
>> you people's help please do the needful.
>>
>>
> Maybe you could start here :
>
> http://tomcat.apache.org/tomcat-7.0-doc/index.html
> 1, 2, 3 etc..
>
> This is not a joke.  If really you do not know what WEB-INF stands for,
> and you really want to achieve what is in the subject of this thread, you
> do need to read on some basics.
>
> On this list, we do what we can to help people with Tomcat problems or
> questions.
> But this does not really replace some basic knowledge about Servlet
> Engines in general, and Tomcat in particular.
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


rc-10 bug?

2014-01-03 Thread Peter


I have 2 integration scenarios, both work in all earlier tomcat 6,7,and 
8.0.0.rc5:
1) tomcat.zip , unzipped, deployed ServletSample.war
2) tomcat.zip, unzipped, Spring jars added to tomcat lib, SpringSample.war 
deployed

In RC-10, testcase 2 seems to work, but every few seconds the container restarts 
with the following message:
Jan 03, 2014 12:39:16 PM org.apache.catalina.loader.WebappClassLoader modified
INFO: One of more JARs have been added to the web application 
[/Cssp3FactorySample]
Jan 03, 2014 12:39:16 PM org.apache.catalina.core.StandardContext reload
INFO: Reloading Context with name [/Cssp3FactorySample] has started

Just a heads up - if there are any suggestions to enable specific logging, I am 
willing to try.
Thanks,

- Peter

Re: rc-10 bug?

2014-01-06 Thread Peter
Thanks to an email from Martin, I had a strong indicator of where to look. I 
checked out tomcat 8 from trunk and  validated in eclipse in debug mode. (FYI 
build.properties.default is broken due to missing commons pool, had to tweak a 
bit).

From the webappclassloader.java snippet below (line 737), jars[] does not only 
contain jars, but also any other resources. I added a howTo.txt file in 
WEB-INF/lib, with the result that jars.length will NEVER equal 
jarModificationTimes.size().

The fix is simple - just filter out the non-jar, non-executable elements before 
comparing. The workaround is equally trivial - remove said elements from the 
lib folder.
Hope this helps,
Peter



    // Check if JARs have been added or removed
    WebResource[] jars = resources.listResources("/WEB-INF/lib");

    if (jars.length > jarModificationTimes.size()) {
        log.info(sm.getString("webappClassLoader.jarsAdded",
                resources.getContext().getName()));
        return true;
    } else if (jars.length < jarModificationTimes.size()){
        log.info(sm.getString("webappClassLoader.jarsRemoved",
                resources.getContext().getName()));
        return true;
    }

    for (WebResource jar : jars) {
        if (jar.getName().endsWith(".jar") && jar.isFile() && jar.canRead()) {


unsubscribe

2018-07-05 Thread Peter
unsubscribe

Re: CIS Tomcat 8 Benchmark (v1.1.0) -- Questions

2023-09-05 Thread Peter Kreuser
Robert,

While Mark Thomas will have a more detailed answer to this...

The finding behind this test is valid (information disclosure with server 
version in responses), though the remediation listed here is from looong time 
ago, when there was no ErrorReportValve to purge the version info.

So the CIS Tomcat 8(!) Guide is pretty outdated! Probably in more than this 
spot...

Peter

> On 05.09.2023 at 14:03, Robert Turner wrote:
> 
> While I think I know the answer to my question, I wanted to double-check
> with the group to confirm.
> 
> I have been asked to perform the CIS Apache Tomcat 8 Benchmark (v1.1.0) on
> our production Tomcat installation, and I am looking through the questions
> / information extraction requests, and I suspect they are not really
> evaluating what they think they are, and furthermore encouraging bad
> practices.
> 
> For instance, the first entry I have in the spreadsheet I was provided is
> listed as follows:
> 
> CIS Control:
> 2.1 Alter the Advertised server.info String (Scored)
> 
> Description:
> The server.info attribute contains the name of the application service.
> This value is presented to Tomcat clients when clients connect to the
> tomcat server.
> 
> Audit Procedures:
> Perform the following to determine if the server.info value has been
> changed:
> Extract the ServerInfo.properties file and examine the server.info
> attribute.
> $ cd $CATALINA_HOME/lib
> $ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties
> $ grep server.info org/apache/catalina/util/ServerInfo.properties
> 
> 
> So, other than a few issues with the audit procedures, etc. This seems to
> be doing the following:
> 
> a) evaluating a default value which I believe can be overridden and thus
> may not actually reflect the value the server may provide to external
> clients
> b) encouraging the modification of the catalina.jar contents to correct the
> default value
> 
> There are a few similar items (for server.number, server.built) (2.2, 2.3).
> 
> 
> Thoughts / comments from "those in the know"?
> 
> Thanks,
> 
> Robert

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
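The audit step quoted above reads only the default packed inside catalina.jar, which is the weakness Robert raises in point (a). As an added example (not part of the benchmark, the thread or Tomcat), the Python check below reports the copy of ServerInfo.properties that would be found first: an override file under lib/org/apache/catalina/util/ in CATALINA_BASE or CATALINA_HOME if one exists, otherwise the jar entry. It assumes Tomcat's default common.loader search order; the function names and the sample installations it builds are constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

PROPS_PATH = "org/apache/catalina/util/ServerInfo.properties"

# Constructed sample content; the version strings are made up for the demo.
STOCK_PROPS = (
    "server.info=Apache Tomcat/8.0.0\n"
    "server.number=8.0.0.0\n"
    "server.built=Jan 1 2000 00:00:00 UTC\n"
)


def parse_properties(text):
    """Parse the plain key=value lines that ServerInfo.properties uses."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def effective_server_info(catalina_home, catalina_base=None):
    """Return (source, props) for the copy found first on the assumed search path."""
    roots = [catalina_base or catalina_home]
    if catalina_home not in roots:
        roots.append(catalina_home)
    # A loose file under lib/ is searched before the jars in lib/ (assumption:
    # default common.loader), so it replaces the jar's copy as a whole.
    for root in roots:
        override = os.path.join(root, "lib", *PROPS_PATH.split("/"))
        if os.path.isfile(override):
            with open(override, encoding="iso-8859-1") as handle:
                return override, parse_properties(handle.read())
    jar = os.path.join(catalina_home, "lib", "catalina.jar")
    with zipfile.ZipFile(jar) as archive:
        text = archive.read(PROPS_PATH).decode("iso-8859-1")
    return jar + "!" + PROPS_PATH, parse_properties(text)


def audit(catalina_home, catalina_base=None):
    """Report the effective values and whether server.info still names a version."""
    source, props = effective_server_info(catalina_home, catalina_base)
    info = props.get("server.info", "")
    return {
        "source": source,
        "server.info": info,
        "server.number": props.get("server.number", ""),
        "server.built": props.get("server.built", ""),
        "stock_banner": bool(re.search(r"Apache Tomcat/\d", info)),
    }


def build_sample_install(root, override_text=None):
    """Create a constructed installation directory with a catalina.jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "catalina.jar"), "w") as archive:
        archive.writestr(PROPS_PATH, STOCK_PROPS)
    if override_text is not None:
        target = os.path.join(lib, *PROPS_PATH.split("/"))
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w", encoding="iso-8859-1") as handle:
            handle.write(override_text)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        stock = build_sample_install(os.path.join(tmp, "stock"))
        print(audit(stock))
        edited = build_sample_install(os.path.join(tmp, "edited"),
                                      "server.info=Web Server\nserver.number=\n")
        print(audit(edited))
```

The `source` field shows which copy was read, so an auditor can tell a value changed through an override file from one still coming from an unmodified catalina.jar.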



Re: HSTS on 401 / error pages

2023-09-15 Thread Peter Kreuser



d) !!!

BTW: HSTS needs to be evaluated only once and then sticks in the browser!
So unless the 401 is the first page ever, this change would not be really 
necessary.

Peter

> On 15.09.2023 at 17:58, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> 
> Hello Chris,
> 
>> -Original Message-
>> From: Christopher Schultz 
>> Sent: Friday, 15 September 2023 17:15
>> To: users@tomcat.apache.org
>> Subject: Re: AW: HSTS on 401 / error pages
>> 
>> Thomas,
>> 
>>> On 9/14/23 10:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>> Hello Chris,
>>> 
>>>> -Original Message-
>>>> From: Christopher Schultz 
>>>> Sent: Thursday, 14 September 2023 15:26
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: HSTS on 401 / error pages
>>>> 
>>>> Thomas,
>>>> 
>>>> Please start a new thread next time.
>>> 
>>> Sorry, I thought removing all content and subject is sufficient. Maybe
>>> the message-id header is used internally(?)
>> 
>> Absolutely. That's what "reply" does on a mailing list...
>> 
>>> 
>>>> On 9/14/23 02:20, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>>>>> Hello everyone,
>>>>> 
>>>>> I would like to get your opinion about the HttpHeaderSecurityFilter
>>>>> in
>>>> Tomcat.
>>>>> I configured HSTS in Tomcat and it works well.
>>>>> When I do a pen-test with burpsuite it complains that HSTS header is
>>>> missing on 401 responses.
>>>>> I couldn’t find much information about whether HSTS makes sense for
>>>> error pages.
>>>>> 
>>>>> It seems that Tomcat doesn’t send HSTS on 401 pages but burpsuite
>>>> expects the header.
>>>>> Are there any pros and cons about sending HSTS on 401 response?
>>>> 
>>>> You should always return an HSTS header.
>>>> 
>>>> How have you configured your HttpHeaderSecurityFilter? What is
>>>> causing the
>>>> 401 response? Which application is responding with that status?
>>>> 
>>>> -chris
>>>> 
>>> 
>>> Here are the requested details:
>>> 
>>> SecurityFilter is set in the web.xml of the application:
>>> 
>>>httpHeaderSecurity
>>>> class>org.apache.catalina.filters.HttpHeaderSecurityFilter
>>>true
>>>
>>> hstsEnabled
>>> true
>>>
>>> ...
>>> 
>>> Further down in the web.xml is a constraint:
>>>
>>>  
>>>  xxx
>>>  /*
>>>  
>>> 
>>>  
>>>  yyy
>>>  
>>> 
>>>  
>>>  CONFIDENTIAL
>>>  
>>>  
>>> 
>>> 
>>> There is no frontend-server, tomcat is directly accessed from the browser.
>>> It seems that burpsuite didn’t send authentication in the first place and this
>>> resulted in 401.
>>> 
>>> If I use curl https:///  I get similar result:
>>> < HTTP/1.1 401
>>> < WWW-Authenticate: Negotiate
>>> < Content-Type: text/html;charset=utf-8
>>> < Content-Language: de
>>> < Content-Length: 439
>>> < Date: Thu, 14 Sep 2023 13:58:10 GMT
>>> 
>>> When providing credentials to curl, the following headers are also included:
>>> < Strict-Transport-Security: max-age=31536000;includeSubDomains
>>> < X-Frame-Options: DENY
>>> < X-Content-Type-Options: nosniff
>>> < X-XSS-Protection: 1; mode=block
>>> 
>>> I hope this information helps.
>> 
>> Authentication is checked before any filters run, because authentication is
>> performed by a Valve, all of which run before any Filters run.
>> 
>> I'm not sure there is a way around this without
>> 
>> a. Using a fronting server of some kind
>> b. Getting a change of some kind made to Tomcat
>> c. Hacking this yourself
>> 
>> (b) is probably the best option, though I'm not sure what the best form of
>> server-support for this would be.
>> 
>> Making HttpHeaderSecurity available in a Valve-packaging would do the trick,
>> but maybe this makes sense to add at a more fundamental level to Tomcat.
>> The problem is that HSTS
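The scanner finding (no HSTS header on the 401) and the remark that HSTS "sticks in the browser" can be reconciled with a small model of a browser's HSTS host list, added here as an example that comes from neither Tomcat nor the thread. It follows the RFC 6797 rules that the header counts only over HTTPS, that a response without the header leaves a stored policy in place, and that max-age=0 deletes it; the host name, the timestamps and the 200 status of the authenticated response are constructed.

```python
# Constructed from the curl output quoted in the thread; the 200 status of the
# authenticated response is an assumption, the thread shows only its headers.
UNAUTHENTICATED = """\
< HTTP/1.1 401
< WWW-Authenticate: Negotiate
< Content-Type: text/html;charset=utf-8
"""
AUTHENTICATED = """\
< HTTP/1.1 200
< Strict-Transport-Security: max-age=31536000;includeSubDomains
< X-Frame-Options: DENY
"""
HOST = "app.example.test"  # placeholder host name
YEAR = 31536000
# (seconds since the first visit, curl output) in the order a browser sees them
SAMPLE_VISITS = [
    (0, UNAUTHENTICATED),
    (10, AUTHENTICATED),
    (20, UNAUTHENTICATED),
    (10 + YEAR + 1, UNAUTHENTICATED),
]


def parse_curl_response(raw):
    """Extract (status, [(name, value), ...]) from `curl -v` response lines."""
    status, headers = None, []
    for line in raw.splitlines():
        if not line.startswith("< "):
            continue
        body = line[2:].strip()
        if body.startswith("HTTP/"):
            status = int(body.split()[1])
        elif ":" in body:
            name, _, value = body.partition(":")
            headers.append((name.strip(), value.strip()))
    return status, headers


def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if the header is invalid."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if max_age is not None or not arg.isdigit():
                return None  # repeated or malformed max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of a browser's list of known HSTS hosts."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def note_response(self, host, headers, now, secure=True):
        """Apply one response to the store; return True if a policy was set or removed."""
        if not secure:
            return False  # the header is ignored on plain HTTP
        value = next((v for k, v in headers
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return False  # no (valid) header: an existing policy is kept
        max_age, include_sub = parsed
        if max_age == 0:
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (now + max_age, include_sub)
        return True

    def is_protected(self, host, now):
        """True if the host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def replay(visits, host=HOST):
    """Return (status, sends_hsts, already_protected) for each visit in order."""
    store, report = HstsStore(), []
    for now, raw in visits:
        status, headers = parse_curl_response(raw)
        sends = any(k.lower() == "strict-transport-security" for k, _ in headers)
        report.append((status, sends, store.is_protected(host, now)))
        store.note_response(host, headers, now)
    return report


if __name__ == "__main__":
    for row in replay(SAMPLE_VISITS):
        print(row)
```

In the replay, only the very first 401 and the 401 after the policy has expired arrive at a browser with no stored policy for the host; the 401 in between is already covered by the policy learned from the authenticated response.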

Re: Admin password for Tomcat

2023-11-04 Thread Peter Kreuser


Jerry,

> On 05.11.2023 at 02:34, Brian Wolfe wrote:
> 
> You need to build a custom realm for that if you're using tomcat to manage
> your user sessions and not creating your own sessions for your application.
> You can extend the existing one that you're using. I assume you're using
> the JDBC Realm since you said you have an USERS table. So you could add
> another field to your table and extend the JDBC class to do an additional
> check on your admin pwd field if you don't want them to have a second
> account.
> 
> https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#Standard_Realm_Implementations
> 
> You will want to look at the source of the realm implementation to see how
> you need to extend it. So you shouldn't have to do too much to get the
> functionality you're looking for.
> 
>> On Sat, Nov 4, 2023 at 8:18 PM Jerry Malcolm  wrote:
>> 
>> My support team needs to be able to log in to our site as various users
>> (on behalf of...) to be able to see exactly what they are seeing since
>> roles, access groups, history is different for different users.  I would
>> like to implement an admin password where I can log in as any userId
>> with this password.  I totally realize the security risks involved in
>> this.  But I am handling the security risks with additional
>> authorizations.

Back in the days when we had this requirement, we implemented an "admin tool" 
where we had the admin user login as themselves and then pick the user they 
wanted to see. At this time the password check was simply skipped. No fiddling 
with the password table, no security flaws as the admin tool was not available 
to the public.

>>  I simply need to make every user have two passwords...
>> their real personal password, and the admin password.  The only
>> alternative I have right now is to save off the user's password hash in
>> the USERS table, replace it with my password hash, then restore the
>> user's original password when I'm done.  I'm not thrilled with that
>> solution first because it's a pain and error prone, and also because the
>> user can no longer log in while their password is replaced with my
>> password.
>> 
>>  I figure this function is buried in the authenticator code somewhere.
>> But I'd first like to see if anybody has done anything like this
>> already.  If not, could somebody point me in the right direction to the
>> tomcat source file that I'm going to need to modify and also what's
>> involved in making authentication use my updated class instead of the
>> default.
>> 
>> Suggestions?
>> 

Would that be a solution?

Peter

>> Thx
>> 
>> Jerry
>> 
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> 
>> 
> 
> --
> Thanks,
> Brian Wolfe
> https://www.linkedin.com/in/brian-wolfe-3136425a/




Forward: Jakarta Servlet support decision (insight to a discussion in freemarker-devs)

2023-11-08 Thread Peter Rader
FYI I share this mail from the freemarker-mailsystem for your entertainment, 
enjoy.

> Sent: Tuesday, 07 November 2023 at 23:50
> From: "Daniel Dekany" 
> To: "FreeMarker developer list" 
> Subject: Jakarta Servlet support decision
>
> The package of Servlet related classes has changed because of Jakarta,
> which breaks our Servlet support (freemarker.ext.servlet), which is packaged
> into freemarker.jar.
> 
> We have to choose which end result we want (ignore the "how" for now) as
> the solution, from these two (as far as I can tell):
> 
> 1. We can copy the `freemarker.ext.servlet` package into
> `freemarker.ext.jakartaservlet` (or such), and we will only have the normal
> artifact in Maven Central, which contains that, and also the older
> freemarker.ext.servlet. Explanation: As you probably know, 2.x has a single
> monolithic freemarker.jar artifact, which already contains support classes
> of various optional dependencies. We already support multiple incompatible
> Servlet/JSP versions, and have separate version-specific classes for some.
> But, classes like freemarker.ext.servlet.FreemarkerServlet managed to stay
> common amongst Servlet API versions. For the Jakarta change not even that
> can remain common of course.
> 
> 2. We can have an additional artifact variant (let's say via Maven
> classifier "jakarta"), that still uses the `freemarker.ext.servlet`
> package, but there that links to the Jakarta Servlet classes. This artifact
> will drop support for pre-Jakarta Servlet/JSP versions.
> 
> Possibility 1 pro: We don't have to publish one more artifact. Also, then
> users don't have to fiddle with dependency management to choose the
> artifact with the "jakarta" classifier.
> 
> Possibility 1 con: Any existing dependent Java code that used
> `freemarker.ext.servlet` so far, and wants to migrate to a Jakarta Servlet
> container, has to be modified to link to `freemarker.ext.jakartaservlet`
> instead. That sounds quite bad, however, the same dependent Java code
> likely has to be modified anyway, to link to Jakarta Servlet classes.
> Except, there are tools, like
> https://github.com/apache/tomcat-jakartaee-migration, that transforms jar-s
> to depend on Jakarta Servlet API, but same tools of course won't replace
> links to freemarker.ext.servlet with freemarker.ext.jakartaservlet, so some
> pain is expected. Also, `web.xml`-s that refer to
> `freemarker.ext.servlet.FreemarkerServlet` also have to be modified, if
> someone uses a Jakarta container.
> 
> Opinions?
> 
> Note 1: We had two attempts so far on this issue, but certainly the actual
> solution will be a 3rd one. Anyway, the "how" is now not the point now, but
> here they are:
> 
> - https://github.com/apache/freemarker/pull/94
> - https://github.com/apache/freemarker/pull/95
> 
> Note 2: At some later(!) point, maybe in a FreeMarker 2.4.0, we can get rid
> of non-Jakarta servlet support. At the same point, we will also get rid of
> the GAE/non-GAE variety. So we could end up with just a single variant of
> the freemarker 2.x artifact, over time.
> 
>




CredentialHandler not working for MD5

2023-11-10 Thread Peter Otto
Logging into manager using MD5 works in 9.0.73 but now fails in 9.0.74->current
Steps to reproduce.

Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 
tomcat:UserDatabase:nobueno

tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0


Step 2. Use the digest # and place it in tomcat-users.xml





Step 3. Edit server.xml and add the CredentialHandler to use MD5









Step 4. Edit the web.xml in manager to say

DIGEST
UserDatabase
  

Step 5 start tomcat and try to access the manager.
On Windows 2019 server/Chrome/OpenJDK11  type tomcat for the user
and nobueno for the password.

This would work on versions 9.0.73 and earlier

This stopped working from 9.0.74 and onwards.
The way to access the manager from 9.0.74+ is to use 
bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
In other words the text in tomcat-user.xml is the password.

Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of tomcat 
because of CVEs.

Thank you all
This e-mail and any files transmitted with it are the property of Arthrex, Inc. 
and/or its affiliates, are confidential, and are intended solely for the use of 
the individual or entity to whom this e-mail is addressed. If you are not one 
of the named recipient(s) or otherwise have reason to believe that you have 
received this message in error, please notify the sender at 239-643-5553 and 
delete this message immediately from your computer. Any other use, retention, 
dissemination forwarding, printing or copying of this e-mail is strictly 
prohibited. Please note that any views or opinions presented in this email are 
solely those of the author and do not necessarily represent those of the 
company. Finally, while Arthrex uses virus protection, the recipient should 
check this email and any attachments for the presence of viruses. The company 
accepts no liability for any damage caused by any virus transmitted by this 
email.


Re: CredentialHandler not working for MD5

2023-11-10 Thread Peter Otto
Chris,

With 9.0.82, and the latest version 10, I get the same problem.
So I assume it stopped working since 9.0.74 all the way up to 9.0.82

Removing the Realm LockOutRealm did not work either.

Thanks


From: Christopher Schultz 
Date: Friday, November 10, 2023 at 12:35 PM
To: users@tomcat.apache.org 
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 13:27, Peter Otto wrote:
> Logging into manager using MD5 works in 9.0.73 but now fails in 
> 9.0.74->current
> Steps to reproduce.
>
> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 
> tomcat:UserDatabase:nobueno
>
> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>
>
> Step 2. Use the digest # and place it in tomcat-users.xml
> 
> 
>  roles="manager-gui,manager-script"/>
>
>
> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>
> 
>  resourceName="UserDatabase">
>  className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
> algorithm="MD5" />
> 
> 
>
>
>
> Step 4. Edit the web.xml in manager to say
> 
>  DIGEST
>  UserDatabase
>
>
> Step 5 start tomcat and try to access the manager.
> On Windows 2019 server/Chrome/OpenJDK11  type tomcat for the user
> and nobueno for the password.
>
> This would work on versions 9.0.73 and earlier
>
> This stopped working from 9.0.74 and onwards.
> The way to access the manager from 9.0.74+ is to use 
> bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
> In other words the text in tomcat-user.xml is the password.
>
> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of 
> tomcat because of CVEs.

If you temporarily remove the LockOutRealm, does the correct password work?

If you upgrade to 9.0.82, does the correct password work?

-chris



Re: CredentialHandler not working for MD5

2023-11-13 Thread Peter Otto
Chris,

Running the debugger, I found out the DigestAuthenticator wants to use SHA-256. 
  8 months ago there was a change for RFC 7616.
https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java

To bypass the array of digest,
I commented out some code so it was forced to use MD5 only.

But in the RealmBase, I really don’t understand what getDigest is doing.
When I create a MD5 digest, I use Username:Realm:Password.
In the code it is using Nonce, nc, cnonce, qop…..




From: Christopher Schultz 
Date: Friday, November 10, 2023 at 1:44 PM
To: users@tomcat.apache.org 
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 16:30, Peter Otto wrote:
> With 9.0.82, and the latest version 10, I get the same problem.
> So I assume it stopped working since 9.0.74 all the way up to 9.0.82
>
> Removing the Realm LockOutRealm did not work either.

Thanks for double-checking both of those.

I don't see anything in the changelog that seems like it would be
related. Thing I suspect are related were in an earlier release.

Are you able to run under a debugger, and are you comfortable doing
that? It's pretty easy to set a breakpoint in the Realm and/or
CredentialHandler to see what's being done when you try to authenticate.

-chris

> From: Christopher Schultz 
> Date: Friday, November 10, 2023 at 12:35 PM
> To: users@tomcat.apache.org 
> Subject: Re: CredentialHandler not working for MD5
> Peter,
>
> On 11/10/23 13:27, Peter Otto wrote:
>> Logging into manager using MD5 works in 9.0.73 but now fails in 
>> 9.0.74->current
>> Steps to reproduce.
>>
>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 
>> tomcat:UserDatabase:nobueno
>>
>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>
>>
>> Step 2. Use the digest # and place it in tomcat-users.xml
>> 
>> 
>> > roles="manager-gui,manager-script"/>
>>
>>
>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>
>> 
>> > resourceName="UserDatabase">
>> > className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>> algorithm="MD5" />
>> 
>> 
>>
>>
>>
>> Step 4. Edit the web.xml in manager to say
>> 
>>   DIGEST
>>   UserDatabase
>> 
>>
>> Step 5 start tomcat and try to access the manager.
>> On Windows 2019 server/Chrome/OpenJDK11  type tomcat for the user
>> and nobueno for the password.
>>
>> This would work on versions 9.0.73 and earlier
>>
>> This stopped working from 9.0.74 and onwards.
>> The way to access the manager from 9.0.74+ is to use 
>> bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>> In other words the text in tomcat-user.xml is the password.
>>
>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of 
>> tomcat because of CVEs.
>
> If you temporarily remove the LockOutRealm, does the correct password work?
>
> If you upgrade to 9.0.82, does the correct password work?
>
> -chris
>


Re: CredentialHandler not working for MD5

2023-11-13 Thread Peter Otto
More info….



In the Request Header-> Authorization->Response.  Response is used as the 
clientDigest.  However this response is generated, it is incorrect.

Need to understand where Tomcat generates this Response because it is used for 
comparison of the serverDigest.  And if the server digest equals the 
clientDigest, then it works.



The way I understand it, the clientDigest comes from the client entering in the 
username/pwd on the popup box.




From: Peter Otto 
Date: Monday, November 13, 2023 at 11:05 AM
To: Tomcat Users List 
Subject: Re: CredentialHandler not working for MD5
Chris,

Running the debugger, I found out the DigestAuthenticator wants to use SHA-256. 
  8 months ago there was a change for RFC 7616.
https://github.com/apache/tomcat/blob/9.0.74/java/org/apache/catalina/authenticator/DigestAuthenticator.java

To bypass the array of digest,
I commented out some code so it was forced to use MD5 only.

But in the RealmBase, I really don’t understand what getDigest is doing.
When I create a MD5 digest, I use Username:Realm:Password.
In the code it is using Nonce, nc, cnonce, qop…..




From: Christopher Schultz 
Date: Friday, November 10, 2023 at 1:44 PM
To: users@tomcat.apache.org 
Subject: Re: CredentialHandler not working for MD5
Peter,

On 11/10/23 16:30, Peter Otto wrote:
> With 9.0.82, and the latest version 10, I get the same problem.
> So I assume it stopped working since 9.0.74 all the way up to 9.0.82
>
> Removing the Realm LockOutRealm did not work either.

Thanks for double-checking both of those.

I don't see anything in the changelog that seems like it would be
related. Thing I suspect are related were in an earlier release.

Are you able to run under a debugger, and are you comfortable doing
that? It's pretty easy to set a breakpoint in the Realm and/or
CredentialHandler to see what's being done when you try to authenticate.

-chris

> From: Christopher Schultz 
> Date: Friday, November 10, 2023 at 12:35 PM
> To: users@tomcat.apache.org 
> Subject: Re: CredentialHandler not working for MD5
> Peter,
>
> On 11/10/23 13:27, Peter Otto wrote:
>> Logging into manager using MD5 works in 9.0.73 but now fails in 
>> 9.0.74->current
>> Steps to reproduce.
>>
>> Step 1. Run C:\tomcat\bin> .\digest.bat -a md5 -s 0 -i 1 
>> tomcat:UserDatabase:nobueno
>>
>> tomcat:UserDatabase:nobueno:bb6c1c32b9b6df4f707c0e58f2c900e0
>>
>>
>> Step 2. Use the digest # and place it in tomcat-users.xml
>> 
>> 
>> > roles="manager-gui,manager-script"/>
>>
>>
>> Step 3. Edit server.xml and add the CredentialHandler to use MD5
>>
>> 
>> > resourceName="UserDatabase">
>> > className="org.apache.catalina.realm.MessageDigestCredentialHandler" 
>> algorithm="MD5" />
>> 
>> 
>>
>>
>>
>> Step 4. Edit the web.xml in manager to say
>> 
>>   DIGEST
>>   UserDatabase
>> 
>>
>> Step 5 start tomcat and try to access the manager.
>> On Windows 2019 server/Chrome/OpenJDK11  type tomcat for the user
>> and nobueno for the password.
>>
>> This would work on versions 9.0.73 and earlier
>>
>> This stopped working from 9.0.74 and onwards.
>> The way to access the manager from 9.0.74+ is to use 
>> bb6c1c32b9b6df4f707c0e58f2c900e0 as the password.
>> In other words the text in tomcat-user.xml is the password.
>>
>> Anyone have any ideas how to fix this?  I have to use 9.0.74+ version of 
>> tomcat because of CVEs.
>
> If you temporarily remove the LockOutRealm, does the correct password work?
>
> If you upgrade to 9.0.82, does the correct password work?
>
> -chris
>

Re: CredentialHandler not working for MD5

2023-11-16 Thread Peter Otto
  1.  Configure BASIC auth with clear-text passwords in the Realm and get
that working.
  2.  Switch to DIGEST auth with clear-text passwords in the Realm and get
that working.
  3.  Then configure DIGEST auth and digested passwords in the Realm.
Hi Chris,

Step 1 & 2 work
Step 3 will not work with the clear txt password, only the digested password, 
which means the text password in tomcat-users.xml.   In past versions of 
Tomcat, the clear text password would work.

On line # 1154 in RealmBase.java we read.


String digestValue = username + ":" + realmName + ":" +  getPassword(username);

The method getPassword(username) is using the digested password, when it should 
use  the clear text password.

Here is how I run digest in powershell.
.\digest.bat -a MD5 -i 1 -s 0 tomcat:UserDatabase:nobueno

RealmBase.java is not using the clear text password, instead it is using the 
digested password. This will return false for the manager access.

When I replace the getPassword(username) and replace it with the clear text 
password, it will then WORK.
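The Digest computation that the nonce, nc, cnonce and qop values in this thread belong to, as an added example (not Tomcat's code and not from any poster): a simplified Python model of RFC 7616 verification, showing why a stored MD5 digest only verifies the real password when the challenge algorithm is also MD5. The server-side fallback that treats the stored string as a clear-text password is an assumption modelled on the RealmBase line quoted above; the URI, nonce and cnonce are constructed values.

```python
import hashlib
import hmac

# Hash names as they appear in the Digest "algorithm" parameter (RFC 7616).
HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def h(algorithm, text):
    """Hex digest of text under the named Digest algorithm."""
    return HASHES[algorithm](text.encode("utf-8")).hexdigest()


def ha1(algorithm, username, realm, password):
    """A1 hash, H(username:realm:password): the value a digest tool stores."""
    return h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response for qop=auth: H(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_response(algorithm, username, realm, typed_password, **req):
    """What a browser sends; it only ever knows the typed password."""
    return digest_response(algorithm, ha1(algorithm, username, realm, typed_password), **req)


def server_accepts(stored, stored_algorithm, challenge_algorithm,
                   username, realm, response, **req):
    """Simplified server-side check (assumed model, not Tomcat source).

    stored              credential string from the user database
    stored_algorithm    algorithm of the configured digest handler
    challenge_algorithm algorithm the authenticator and client agreed on
    """
    if stored_algorithm == challenge_algorithm:
        # The stored value already is HA1 for this algorithm: use it as is.
        expected_ha1 = stored
    else:
        # No usable pre-computed HA1. An MD5 HA1 cannot be converted into a
        # SHA-256 HA1, so the stored string is hashed as if it were the
        # password itself.
        expected_ha1 = ha1(challenge_algorithm, username, realm, stored)
    expected = digest_response(challenge_algorithm, expected_ha1, **req)
    return hmac.compare_digest(expected, response)


def scenarios():
    """Run the four combinations discussed in the thread; return the outcomes."""
    user, realm, password = "tomcat", "UserDatabase", "nobueno"  # from the thread
    req = dict(method="GET", uri="/manager/html",                # constructed
               nonce="constructed-nonce", nc="00000001",
               cnonce="constructed-cnonce")
    stored = ha1("MD5", user, realm, password)  # MD5 of user:realm:password
    results = {}
    for challenge in ("MD5", "SHA-256"):
        for label, typed in (("clear password", password),
                             ("stored hex digest", stored)):
            resp = client_response(challenge, user, realm, typed, **req)
            results[(challenge, label)] = server_accepts(
                stored, "MD5", challenge, user, realm, resp, **req)
    return results


if __name__ == "__main__":
    for (challenge, typed), ok in scenarios().items():
        print(f"challenge={challenge:8} typed={typed:18} accepted={ok}")
```

With the stored credential digested as MD5, only an MD5 challenge verifies the real password; under a SHA-256 challenge the stored hex string itself behaves as the password, which is the symptom reported in the thread.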


Re: CredentialHandler not working for MD5

2023-11-17 Thread Peter Otto
Ok thanks.

Got it, it is now working.

This step was missing.



We didn’t have to do this before.

No mention of having to edit Digest inside context.xml here
https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html

Tried SHA-256, couldn’t get it to work.  But MD5 does.
Thanks again.



Re: [EXT] Datadog _ JMX Integration facing connection issues.

2023-12-13 Thread Peter Kreuser


Sai Vamsi,

> On 13.12.2023 at 19:59, Chuck Caldarale wrote:
> 
> 
>> On Dec 13, 2023, at 10:36, Bodavula, Sai Vamsi Mohan Krishna (TR Technology) 
>>  wrote:
>> 
>> as you just asked .,
>> I do have a process with Catalina.
>> 
>> root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# netstat -tulpn
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address   Foreign Address State
>>PID/Program name
>> tcp6   0  0 :::34753:::*LISTEN   
>>1/java
>> tcp6   0  0 :::9109 :::*LISTEN   
>>1/java
>> tcp6   0  0 :::10109:::*LISTEN   
>>1/java
>> root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# ^C
>> root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/# ps aux | grep 
>> catalina
>> root 744  0.0  0.0   6460   680 pts/1S+   11:47   0:00 grep 
>> --color=auto catalina
>> root@lab1workflow4scalsvc2zus1-deployment-659dd79df7-wg59g:/#
> 
> 

you have to figure out WHY tomcat is not starting! There should be log files or 
error messages on the console. It seems you have put an error somewhere in any 
of the configfiles. It's not at all a question of the ports not being 
allocated. Take a step back and make tomcat launch again. After that we figure 
out where you have to set the options...

Please detail how you start tomcat and show the output of startup (the 
beginning and last lines should be enough).

Again, don't put any java options for tomcat in any global environment options 
(JAVA_OPTS, CATALINA_OPTS) in your shell. Only in setenv.sh .

Peter

> That shows only the grep process looking for catalina, not anything using 
> catalina. If Tomcat were actually running, you’d see something like this 
> (slightly reformatted for clarity):
> 
> chuck@Chuck-MacBookPro apache-tomcat-9.0.83 > ps aux | grep catalina
> chuck16879   0.0  0.0 408626896   1376 s000  S+   12:53PM   
> 0:00.00 grep catalina
> chuck16874   0.0  0.9 415316912 153296 s000  S12:53PM   
> 0:02.66 
> /Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home/bin/java
> -Djava.util.logging.config.file=/Users/chuck/Downloads/apache-tomcat-9.0.83/conf/logging.properties
> -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
> -Djdk.tls.ephemeralDHKeySize=2048
> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
> -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
> -Dtest_port=9090
> -Dignore.endorsed.dirs=
> -classpath
> /Users/chuck/Downloads/apache-tomcat-9.0.83/bin/bootstrap.jar:/Users/chuck/Downloads/apache-tomcat-9.0.83/bin/tomcat-juli.jar
> -Dcatalina.base=/Users/chuck/Downloads/apache-tomcat-9.0.83
> -Dcatalina.home=/Users/chuck/Downloads/apache-tomcat-9.0.83
> -Djava.io.tmpdir=/Users/chuck/Downloads/apache-tomcat-9.0.83/temp 
> org.apache.catalina.startup.Bootstrap
> start
> 
> 
>  - Chuck
> 




Servlet-Mapping having %-sign

2023-12-29 Thread Peter Rader
Hey,
 
having a URL like this:
 
https://localhost:8443/index.html works perfect. This is my mapping:
 

Nano-Nano-Servlet
/index.html


Nano-Nano-Servlet
*.ts

 
Unfortunately this URI does not load (because of the %-sign):
 
https://localhost:8443/@rm%2fmodel.ts
 
It gives a http-status:400 having the message "Invalid URI: [noSlash]"

Any ideas?
 
Kind regards / Happy new year

Peter Rader




Aw: Re: Servlet-Mapping having %-sign

2023-12-29 Thread Peter Rader
> Peter,
>
> On 12/29/23 07:56, Peter Rader wrote:
> > having a URL like this:
> >
> > https://localhost:8443/index.html works perfect. This is my mapping:
> >
> > 
> > Nano-Nano-Servlet
> > /index.html
> > 
> > 
> > Nano-Nano-Servlet
> > *.ts
> > 
> >
> > Unfortunately this URI does not load (because of the %-sign):
> >
> > https://localhost:8443/@rm%2fmodel.ts
> >
> > It gives a http-status:400 having the message "Invalid URI: [noSlash]"
>
> What's the use-case for having a client use a %-encoded / in your URL?
> That kind of thing is usually evidence of a hacking attempt, which is
> why Tomcat returns a 400 response.

I generate TypeScript dynamically. In order to use it in Node: I register a 
servlet to create npm-packages at run-time. On Node-side I use this command:

1. Register servlet as npm source: 'npm config set 
@myapp:registry=https://nonofyourbusiness.mydomain.com:8443/'
2. Start the download: 'npm install @myapp/model --loglevel verbose'  (hint: 
@myapp is the tomcat)

This is the output of the second command:

npm info it worked if it ends with ok
npm verb cli [
npm verb cli   '/home/grim/.nvm/versions/node/v14.18.1/bin/node',
npm verb cli   '/home/grim/.nvm/versions/node/v14.18.1/bin/npm',
npm verb cli   'install',
npm verb cli   '@myapp/model@1.0.0',
npm verb cli   '--loglevel',
npm verb cli   'verbose'
npm verb cli ]
npm info using npm@6.14.15
npm info using node@v14.18.1
npm verb config Skipping project config: /home/grim/.npmrc. (matches userconfig)
npm verb npm-session 778f7308eede99d8
npm http fetch GET 200 
https://nonofyourbusiness.mydomain.com:8443/@myapp%2fmodel 28ms
npm http fetch GET 200 https://nonofyourbusiness.mydomain.com:8443/index.tgz.ts 
14ms
npm timing stage:loadCurrentTree Completed in 71ms
npm timing stage:loadIdealTree:cloneCurrentTree Completed in 0ms
npm timing stage:loadIdealTree:loadShrinkwrap Completed in 3ms
npm timing stage:loadIdealTree:loadAllDepsIntoIdealTree Completed in 1ms
npm timing stage:loadIdealTree Completed in 5ms
npm timing stage:generateActionsToTake Completed in 1ms
npm verb correctMkdir /home/grim/.npm/_locks correctMkdir not in flight; 
initializing
npm verb lock using /home/grim/.npm/_locks/staging-b24acfc1530c2325.lock for 
/home/grim/node_modules/.staging
npm http fetch GET 200 https://nonofyourbusiness.mydomain.com:8443/index.tgz.ts 
7ms
npm timing action:extract Completed in 10ms
npm timing action:finalize Completed in 1ms
npm timing action:refresh-package-json Completed in 1ms
npm info lifecycle model@1.0.0~preinstall: model@1.0.0
npm timing action:preinstall Completed in 1ms
npm info linkStuff model@1.0.0
npm timing action:build Completed in 0ms
npm info lifecycle model@1.0.0~install: model@1.0.0
npm timing action:install Completed in 1ms
npm info lifecycle model@1.0.0~postinstall: model@1.0.0
npm timing action:postinstall Completed in 0ms
npm verb unlock done using /home/grim/.npm/_locks/staging-b24acfc1530c2325.lock 
for /home/grim/node_modules/.staging
npm timing stage:executeActions Completed in 18ms
npm timing stage:rollbackFailedOptional Completed in 1ms
npm timing stage:runTopLevelLifecycles Completed in 97ms
npm WARN saveError ENOENT: no such file or directory, open 
'/home/grim/package.json'
npm info lifecycle undefined~preshrinkwrap: undefined
npm info lifecycle undefined~shrinkwrap: undefined
npm info lifecycle undefined~postshrinkwrap: undefined
npm WARN enoent ENOENT: no such file or directory, open 
'/home/grim/package.json'
npm verb enoent This is related to npm not being able to find a file.
npm verb enoent
npm WARN grim No description
npm WARN grim No repository field.
npm WARN grim No README data
npm WARN grim No license field.

npm http fetch POST 400 
https://registry.npmjs.org/-/npm/v1/security/audits/quick 266ms
+ model@1.0.0 (as @myapp/model)
added 1 package in 0.347s
npm verb exit [ 0, true ]
npm timing npm Completed in 463ms
npm info ok

--- end of console output

As you might have noticed, this time the URL responded successfully. This is 
because I modified catalina.properties 
(org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true).

>
> https://stackoverflow.com/questions/19576777/why-does-apache-tomcat-handle-encoded-slashes-2f-as-path-separators

I agree that this might become a security risk. Since the mentioned mod_jk-bug 
is not affected in this particular case, I could exoticize the tomcat-config to 
undo Tomcat's built-in workaround through the catalina.properties.

It does not feel like an elegant solution, but it works for now. If however npm 
might be the future for some developers, a redesign of tomcat may be a more 
desirable solution. It might be hard to tell the npm people to change their 
"way of downloading npm-packages" because &

Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
Hi,

my catalina.out is getting bigger and bigger.

In order to have smaller catalina.out I noticed this environment-variable: 
CATALINA_OUT_CMD

Inside the catalina.sh is documented:

# CATALINA_OUT_CMD (Optional) Command which will be executed and receive
#   as its stdin the stdout and stderr from the Tomcat java
#   process. If CATALINA_OUT_CMD is set, the value of
#   CATALINA_OUT will be used as a named pipe.
#   No default.
#   Example (all one line)
#   CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
$CATALINA_BASE/logs/catalina.out.%Y-%m-%d.log 86400"

I try to use that example and export this variable before start of tomcat:

   export CATALINA_OUT_CMD="/usr/bin/rotatelogs -f 
/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out.%Y-%m-%d.log 86400" 

Unfortunately the tomcat does not work anymore, instead this message appears:

/home/tomcat/apache-tomcat-9.0.75/logs/catalina.out exists and is not a 
named pipe. Start aborted.
 
Any Ideas?
 
Kind regards

Peter Rader




Aw: Re: Logrotation throu CATALINA_OUT_CMD in Tomcat9

2024-05-15 Thread Peter Rader
> You need to do what the instructions state: create a FIFO and specify its 
> name in the CATALINA_OUT variable. For example, do

Ah, yes,

mkfifo catalina.out

fixed it for me. I had no idea what a fifo is, now I know.

Kind regards




Re: Apache Tomcat 9 | Tomcat starting issue

2021-08-23 Thread Peter Chamberlain
On Sun, 22 Aug 2021 at 08:55, Piyush Sharma  wrote:
>
> On Fri, Aug 20, 2021 at 10:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > Piyush,
> >
> > On 8/20/21 06:36, Piyush Sharma wrote:
> > >>
> > >> Hello,
> > >>
> > >> I am using Apache Tomcat 9.0.46 version on docker container.
> > >>
> > >> There is a problem, where the base path was wrongly set by automation
> > >> script due to which it starts for few seconds, listen port 8080 and then
> > >> stop, due to that container exit after sometime.
> > >>
> > >
> > > Now how can we debug such issue, which shows any error / problem in
> > tomcat
> > >> configuration.
> > >>
> > >> I tried with "jpda start" or "debug" options, but that didn't help me.
> > Is
> > >> there any option to debug tomcat related issues or problems.
> > >>
> > >> "catalina.sh configtest" will show any error in xml or properties but
> > will
> > >> not help to debug tomcat startup problem.
> > >>
> > >> *Note:* I am just deploying with the helloworld war file. nothing much
> > in
> > >> code as of now.
> >
> > Maybe just fix your automation script to use the right path?
> >
> > It's hard to understand what the problem is given the information you
> > have presented.
> >
> > -chris
> >
> >
> Thanks Chris
>
> I have removed automation and harded everything and created a new docker
> image.
> Now when I try to start the container, it starts for a few seconds and
> stops (port 8080 listens for a while). Nothing in logs.
>
> $ catalina.sh run  (tried with "jpda start" or "debug" options as well)
> $ ps aux |grep java --> show the process for few seconds
> $ netstat -ntpl |grep 8080 --> shows the port for few seconds
>
> I am wondering if I can debug such issues, when it starts for a few seconds
> and then stops. Is there any memory , config file or any other issues?
>
> Any debug option whether tomcat
>
>
> Thanks
> Piyush

Could it be a clash of port or similar for the shutdown port, or maybe
another port, eg, in server.xml:
Server port="8005"

Best regards, Peter




Aw: tomcat hangs

2021-09-09 Thread Peter Rader
I might have noticed a similar issue: I ran the JVM in a linux OS on a VM (in 
virtualbox btw). The jdk for some reason request a random number. The JDK asks 
the LinuxOS for a new random number (maybe in the hope to use a hardware-based 
TRNG). Since this linux in virtualbox is not-so low-level the random number is 
generated due to RAM squarenumbers, because no memory is changed - no new 
random number has been generated and we get an OS-based softlock.

Regards


> Hi, I use apache tomcat 8.0.32 and oracle-jdk-8u66 and redhat 6. After working 
> with the system for a few hours
> and the load on the system increases, suddenly the tomcat hangs and no logs 
> are printed and it is not possible
> to connect via jvisualvm and I can not get any dump and I have to reload 
> Tomcat. I have increased maxthreads
> and use the HttpProtocol protocol. Please suggest a way to fix my tomcat.




Aw: Re: tomcat hangs

2021-09-13 Thread Peter Rader
Chris,

> Sent: Thursday, 09 September 2021 at 22:15
> From: "Christopher Schultz" 
> To: users@tomcat.apache.org
> Subject: Re: Aw: tomcat hangs
> Peter,
>
> On 9/9/21 08:21, Peter Rader wrote:
> > I might have noticed a similar issue: I ran the JVM in a linux OS on a VM
> > (in virtualbox btw). The jdk for some reason requests a random number.
> > The JDK asks the LinuxOS for a new random number (maybe in the hope
> > to use a hardware-based TRNG). Since this linux in virtualbox is
> > not-so low-level the random number is generated due to RAM
> > squarenumbers, because no memory is changed - no new random number
> > has been generated and we get an OS-based softlock.
>
> WHAT?
>
> -chris

YES, id reported this many years ago 
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=4952383

There is a workaround (from comments): set java.security.egd=file:/dev/urandom

Regards




Aw: Tomcat - Deployment

2021-11-07 Thread Peter Rader
Dear Admin Priyanka,

unfortunately the source-code your developers wrote might be invalid. The error 
might occur in a Thread calling the productExclusionRegistryDao-bean (Maybe 
the ProductExclusionRegistryDao.java source-file) in the method used to 
initialize the application.

In order to solve the bug your developers are in charge IMO. Please provide the 
stacktrace to your developers in order to solve the problem.
 
Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 87 521 576
Handy: 0049 (0)176 / 47 876 303
 
 

Sent: Sunday, 07 November 2021 at 16:04
From: "Kumawat, Priyanka" 
To: "Tomcat Users List" 
Subject: Tomcat - Deployment
Hi Team ,

I did a Tomcat application deployment on Production region and copied the 
WAR file to the webapps location of tomcat , we normally do this change monthly 
, tested on Stage env after successful it will go to the production env.

But this time we have encountered an issue - after the deployment completed - 
the logs were giving the below error -

The client reports there is no issue with the WAR file as it was deployed 
successfully for lower env - stage , they have asked to deploy one more time on 
prod , this time it worked successfully. I need your help to determine what went 
wrong during the first implementation while the same steps were performed 
during both the times.

2021-11-07 05:05:58,277 ERROR org.springframework.web.context.ContextLoader:350 
- Context initialization failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'fleetTireFinderRestController': Unsatisfied dependency 
expressed through field 'fleetOrderService'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'fleetOrderServiceImpl': Unsatisfied dependency 
expressed through field 'catalogHelper'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'catalogHelperDao': Unsatisfied dependency expressed 
through field 'productValidationDao'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'productValidationDao': Unsatisfied dependency 
expressed through field 'tireFinder'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'tireFinderDao': Unsatisfied dependency expressed 
through field 'prodExclusions'; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'productExclusionRegistryDao': Invocation of init method failed; 
nested exception is org.springframework.jdbc.UncategorizedSQLException: 
StatementCallback; uncategorized SQLException for SQL [select * from 
excl_dc_ph]; SQL state [null]; error code [-4470]; 
[jcc][t4][10120][10898][4.9.78] Invalid operation: result set is closed. 
ERRORCODE=-4470, SQLSTATE=null; nested exception is 
com.ibm.db2.jcc.am.SqlException: [jcc][t4][10120][10898][4.9.78] Invalid 
operation: result set is closed. ERRORCODE=-4470, SQLSTATE=null
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: 
Error creating bean with name 'fleetOrderServiceImpl': Unsatisfied dependency 
expressed through field 'catalogHelper'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'catalogHelperDao': Unsatisfied dependency expressed 
through field 'productValidationDao'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'productValidationDao': Unsatisfied dependency 
expressed through field 'tireFinder'; nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'tireFinderDao': Unsatisfied dependency expressed 
through field 'prodExclusions'; nested exception is 
org.springframework.beans.factory.BeanCreationException: Error creating bean 
with name 'productExclusionRegistryDao': Invocation of init method failed; 
nested exception is org.springframework.jdbc.UncategorizedSQLException: 
StatementCallback; uncategorized SQLException for SQL [select * from 
excl_dc_ph]; SQL state [null]; error code [-4470]; 
[jcc][t4][10120][10898][4.9.78] Invalid operation: result set is closed. 
ERRORCODE=-4470, SQLSTATE=null; nested exception is 
com.ibm.db2.jcc.am.SqlException: [jcc][t4][10120][10898][4.9.78] Invalid 
operation: result set is closed. ERRORCODE=-4470, SQLSTATE=null


Thanks & Regards,

Priyanka Kumaw

PGP signature on the latest Tomcat release

2021-12-12 Thread Gershkovich, Peter
Hi everyone,
I am trying to verify the PGP signature on the latest Tomcat 9 release (9.0.56) 
but unable to obtain it from a suggested key server (see command logs below).
Could you please clarify where to obtain and how to verify the authenticity of 
that particular signature.
Thanks in advance!
Peter


gpg --verify apache-tomcat-9.0.56.tar.gz.asc.txt apache-tomcat-9.0.56.tar.gz
gpg: Signature made Thu Dec  2 09:31:59 2021 EST using RSA key ID 359E722B
gpg: requesting key 359E722B from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'hkps.pool.sks-keyservers.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper internal error
gpg: keyserver communications error: General error
gpg: Can't check signature: No public key



gpg --keyserver pgpkeys.mit.edu --recv-key 359E722B
gpg: requesting key 359E722B from hkp server pgpkeys.mit.edu
gpgkeys: key 359E722B can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: keyserver communications error: keyserver helper general error
gpg: keyserver communications error: Invalid public key algorithm
gpg: keyserver receive failed: Invalid public key algorithm

Thanks,
Peter



Re: Apex SSO

2022-03-24 Thread Peter Chiu
I have a working APEX SSO against Azure AD or On-Premise AD.

On Thu, Mar 24, 2022 at 1:13 PM rupali singh 
wrote:

> HI Team,
>
> We are using apex 21.1 with tomcat 9.54.
> we want to implement SSO for application deployed in Apex  with IDCS
> reference URL :
>
> https://www.ateam-oracle.com/post/integrating-apex-with-oracle-identity-cloud-service
>
> but apex is not at all redirecting to IDCS URL and as per Oracle issue is
> with tomcat .
>
> anyone successfully implemented APEX SSO( webserver : apache tomcat)  with
> Oracle IDCS
> or  APEX SSO( webserver : apache tomcat)  with Microsoft Azure AD.
> can you please assist us with steps.
>
> --
> Thanks and Regards,
> Rupali
>


Re: Apex SSO

2022-03-24 Thread Peter Chiu
I will email you directly. For the group knowledge, there is nothing
special you need to do on Tomcat if it is not behind a proxy.

On Thu, Mar 24, 2022 at 1:51 PM rupali singh 
wrote:

> Hi Peter,
>
> Are u using apache web server with tomcat or its only tomcat  .
> if possible can you please share steps for azure AD with me on
> rupali.r.si...@gmail.com
>
>
>
> On Thu, 24 Mar 2022 at 21:21, Peter Chiu  wrote:
>
> > I have a working APEX SSO against Azure AD or On-Permise AD.
> >
> > On Thu, Mar 24, 2022 at 1:13 PM rupali singh 
> > wrote:
> >
> > > HI Team,
> > >
> > > We are using apex 21.1 with tomcat 9.54.
> > > we want to implement SSO for application deployed in Apex  with IDCS
> > > reference URL :
> > >
> > >
> >
> https://www.ateam-oracle.com/post/integrating-apex-with-oracle-identity-cloud-service
> > >
> > > but apex is not at all redirecting to IDCS URL and as per Oracle issue
> is
> > > with tomcat .
> > >
> > > anyone successfully implemented APEX SSO( webserver : apache tomcat)
> > with
> > > Oracle IDCS
> > > or  APEX SSO( webserver : apache tomcat)  with Microsoft Azure AD.
> > > can you please assist us with steps.
> > >
> > > --
> > > Thanks and Regards,
> > > Rupali
> > >
> >
>
>
> --
> Thanks and Regards,
> Rupali
>


Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-24 Thread Peter Chiu
Have you considered doing the following
1. custom URL/domain, and
2. enable Friendly URLs in APEX

On Thu, Mar 24, 2022 at 3:09 PM Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

>
> On 24.03.22 at 19:23, rupali singh wrote:
>
> hi,
>
> yes context name is apex.
>
> Good to know.
>
> https://xyz.ae/apex/f?p=1001 to https://xyz.ae/apex/myapp
>
> we dont want to change xyz.ae that will name remain as it is , we want to
> change f?p=1001 to myapp
>
> Sorry, I don't understand, what you meant by the above.
>
> I suspect, that you wanted to show, what the user enters into the browser
> and where the application listens. But it doesn't really makes sense to me.
>
> Reading your first mail again, I think, that you have a loadbalancer that
> listens on xyz.ae and that proxies to xyz.com (you mentioned port 8080,
> which is left out in all your examples). Is that right?
>
> Apart from that, I wanted to know, what you tried on a technical level.
> Have you tried the curl command that I gave as an example?
>
> Felix
>
> On Wed, 23 Mar 2022 at 19:23, Felix Schumacher 
>  wrote:
>
>
> On 23 March 2022 at 12:14:25 CET, rupali singh wrote:
>
> Hi Chris,
>
> I already tried with fully qualified name but its not working
>
> Can you be more specific, what you tried?
>
> Is Chris right and your context name is apex?
>
> Felix
>
> On Tue, Mar 22, 2022, 7:15 PM Christopher Schultz 
>  wrote:
>
>
> All,
>
> On 3/21/22 10:19, Felix Schumacher wrote:
>
> On 21.03.22 at 06:39, rupali singh wrote:
>
> Hi Felix,
>
> location of context.xml file is
>
>   cat context.xml| grep RewriteValve
>   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
>
>   pwd
> /opt/tomcat/apache-tomcat-9.0.54/instance/conf
>
> That context.xml is thought to be a default template for all installed
> webapps. It will work, but remember, that every installed webapp will
> get its own copy of a rewrite valve.
>
> +1
>
> This is probably the problem.
>
>
> more /opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config
>
> RewriteCond %{QUERY_STRING} p=10001
> RewriteRule ^/apex/f$ /apex/myapp [R,L]
>
> I think you want:
>
> RewriteCond %{QUERY_STRING} p=10001
> RewriteRule ^/f$ /myapp [R,L]
>
> The prefix /apex is already a part of the context-path and should be
> removed from the URL patterns being matched. If you want to redirect to
> another web application, you need a fully-qualified redirect like this:
>
> RewriteCond %{QUERY_STRING} p=10001
> RewriteRule ^/f$ https://www.google.com/ [R,L]
>
> -chris
>
>
>


Re: Fwd: tomcat 9.50 - rewrite rule question

2022-03-24 Thread Peter Chiu
Application builder->Your application->Shared Components->Application
Definition Attributes->Properties->Friendly URLs

On Thu, Mar 24, 2022 at 3:25 PM rupali singh 
wrote:

> Hi,
>
> How we can enable friendly url in apex?
>
>
>
> On Fri, Mar 25, 2022, 12:48 AM Peter Chiu  wrote:
>
> > Have you consider doing the following
> > 1. custom URL/domain, and
> > 2. enable Friendly URLs in APEX
> >
> > On Thu, Mar 24, 2022 at 3:09 PM Felix Schumacher <
> > felix.schumac...@internetallee.de> wrote:
> >
> > >
> > > On 24.03.22 at 19:23, rupali singh wrote:
> > >
> > > hi,
> > >
> > > yes context name is apex.
> > >
> > > Good to know.
> > >
> > >  https://xyz.ae/apex/f?p=1001 <https://xyz.com/apex/f?p=1001> <
> > https://xyz.com/apex/f?p=1001>   tohttps://xyz.ae/apex/myapp <
> > https://xyz.com/aorx/myapp> <https://xyz.com/aorx/myapp>
> > >
> > > we dont want to change xyz.ae that will name remain as it is , we want
> > to
> > > change f?p=1001 <https://xyz.com/apex/f?p=1001> <
> > https://xyz.com/apex/f?p=1001> to myapp
> > >
> > > Sorry, I don't understand, what you meant by the above.
> > >
> > > I suspect, that you wanted to show, what the user enters into the
> browser
> > > and where the application listens. But it doesn't really makes sense to
> > me.
> > >
> > > Reading your first mail again, I think, that you have a loadbalancer
> that
> > > listens on xyz.ae and that proxies to xyz.com (you mentioned port
> 8080,
> > > which is left out in all your examples). Is that right?
> > >
> > > Apart from that, I wanted to know, what you tried on a technical level.
> > > Have you tried the curl command that I gave as an example?
> > >
> > > Felix
> > >
> > > On Wed, 23 Mar 2022 at 19:23, Felix Schumacher <
> > felix.schumac...@internetallee.de> wrote:
> > >
> > >
> > > On 23 March 2022 at 12:14:25 CET, rupali singh <
> > rupali.r.si...@gmail.com> wrote:
> > >
> > > Hi Chris,
> > >
> > > I already tried with fully qualified name but its not working
> > >
> > > Can you be more specific, what you tried?
> > >
> > > Is Chris right and your context name is apex?
> > >
> > > Felix
> > >
> > > On Tue, Mar 22, 2022, 7:15 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> > >
> > >
> > > All,
> > >
> > > On 3/21/22 10:19, Felix Schumacher wrote:
> > >
> > > On 21.03.22 at 06:39, rupali singh wrote:
> > >
> > > Hi Felix,
> > >
> > > location of context.xml file is
> > >
> > >   cat context.xml| grep RewriteValve
> > >   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
> > >
> > >   pwd
> > > /opt/tomcat/apache-tomcat-9.0.54/instance/conf
> > >
> > > That context.xml is thought to be a default template for all installed
> > > webapps. It will work, but remember, that every installed webapp will
> > > get its own copy of a rewrite valve.
> > >
> > > +1
> > >
> > > This is probably the problem.
> > >
> > >
> > > more /opt/tomcat/apache-tomcat-9.0.54/instance/webapps/ROOT/WEB-INF/rewrite.config
> > >
> > > RewriteCond %{QUERY_STRING} p=10001
> > > RewriteRule ^/apex/f$ /apex/myapp [R,L]
> > >
> > > I think you want:
> > >
> > > RewriteCond %{QUERY_STRING} p=10001
> > > RewriteRule ^/f$ /myapp [R,L]
> > >
> > > The prefix /apex is already a part of the context-path and should be
> > > removed from the URL patterns being matched. If you want to redirect to
> > > another web application, you need a fully-qualified redirect like this:
> > >
> > > RewriteCond %{QUERY_STRING} p=10001
> > > RewriteRule ^/f$ https://www.google.com/ [R,L]
> > >
> > > -chris
> > >
> > >
> > >
> >
>


Re: Apex SSO

2022-03-25 Thread Peter Chiu
Hi Chris,

To implement APEX SSO, that requires NO change to tomcat. That is why I
tried not to post here.

Here is the blog for starters. https://fuzziebrain.com/content/id/1908/

If tomcat is behind a proxy (apache or nginx), we might need to change a
setting in server.xml to return the real hostname.

Hope this helps.

On Fri, Mar 25, 2022 at 8:54 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Peter,
>
> On 3/24/22 14:54, Peter Chiu wrote:
> > I will email you directly. For the group knowledge, there is nothing
> > special you need to do on Tomcat if it is not behind a proxy.
>
> Please post to the mailing list. It's not at all clear to me how you'd
> get Oracle APEX to deliver authentication information to Tomcat.
>
> Presumably, that's what Rupali is trying to accomplish and it would be
> helpful for the whole community to post back.
>
> -chris
>
> > On Thu, Mar 24, 2022 at 1:51 PM rupali singh 
> > wrote:
> >
> >> Hi Peter,
> >>
> >> Are u using apache web server with tomcat or its only tomcat  .
> >> if possible can you please share steps for azure AD with me on
> >> rupali.r.si...@gmail.com
> >>
> >>
> >>
> >> On Thu, 24 Mar 2022 at 21:21, Peter Chiu  wrote:
> >>
> >>> I have a working APEX SSO against Azure AD or On-Permise AD.
> >>>
> >>> On Thu, Mar 24, 2022 at 1:13 PM rupali singh  >
> >>> wrote:
> >>>
> >>>> HI Team,
> >>>>
> >>>> We are using apex 21.1 with tomcat 9.54.
> >>>> we want to implement SSO for application deployed in Apex  with IDCS
> >>>> reference URL :
> >>>>
> >>>>
> >>>
> >>
> https://www.ateam-oracle.com/post/integrating-apex-with-oracle-identity-cloud-service
> >>>>
> >>>> but apex is not at all redirecting to IDCS URL and as per Oracle issue
> >> is
> >>>> with tomcat .
> >>>>
> >>>> anyone successfully implemented APEX SSO( webserver : apache tomcat)
> >>> with
> >>>> Oracle IDCS
> >>>> or  APEX SSO( webserver : apache tomcat)  with Microsoft Azure AD.
> >>>> can you please assist us with steps.
> >>>>
> >>>> --
> >>>> Thanks and Regards,
> >>>> Rupali
> >>>>
> >>>
> >>
> >>
> >> --
> >> Thanks and Regards,
> >> Rupali
> >>
> >
>
>
>


Aw: PostConstruct annotation in a filter since version 9.0.60

2022-04-03 Thread Peter Rader
PostConstruct is for dependency-injection. A vanilla tomcat does no dependency 
injection. Can you confirm you have a vanilla tomcat?
 
Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 87 521 576
Handy: 0049 (0)176 / 47 876 303
 
 

Sent: Friday, 01 April 2022 at 23:02
From: "Cherio" 
To: users@tomcat.apache.org
Subject: PostConstruct annotation in a filter since version 9.0.60
I observed an announced change in behavior in version 9.0.60 (and later).

My application has a Spring class loaded as a javax.servlet.Filter. It has
a method annotated with a PostConstruct annotation. Up until Tomcat 9.0.59
the annotation was handled by Spring. Starting with Tomcat 9.0.60 behavior
changed. Now Tomcat attempts to take action on that method. The attempt
fails with "java.lang.IllegalArgumentException: Invalid
javax.annotation.PostConstruct annotation" exception and that results in
the whole application failing to start.

I use PostConstruct in other Spring modules but it looks like Tomcat cares
only about classes it deals with directly.

I do not see this change documented anywhere so I assume this may be a
regression or an undocumented bug fix or feature.

Does anyone have more information about this?
Thanks!




Re: [OT] Getting TLS handshake details

2022-04-14 Thread Peter Kreuser
Chris,

> On 13.04.2022 at 21:37, Christopher Schultz wrote:
> 
> All,
> 
> I asked this question a few years ago on SO and I didn't really get an answer:
> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
> 
> Does anyone know if it's possible to get the DHE key-exchange parameters 
> during the TLS handshake using just SSLSocket on the client end? I'm trying 
> to detect when the server is using "weak" DH key lengths like <= 1024 bits.
> 
> (I'm also curious as to why my ssltest tool[1] is unable to connect to a 
> server which is allowing ADH-AES128-GCM-SHA256 aka 
> TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has something to do with 
> my JVMs unwillingness to use 1024-bit DHE for the handshake, and I can't 
> figure out how to turn it off. SSLLabs and sslscan both report this cipher 
> suite as being "enabled" on the server, but my tool reports that the 
> handshake failed, which usually implies that the cipher suite is disabled.)
> 
Is your question how to detect this in code? Or specifically in Java?

Anyways, do you know testssl.sh? If I want to know how to handle a specific TLS 
problem I check in Dirk's code and start from there...

Peter

> Thanks,
> -chris
> 
> 




Re: [OT] Getting TLS handshake details

2022-04-15 Thread Peter Kreuser
Chris,

> On 14.04.2022 at 23:21, Christopher Schultz wrote:
> 
> Peter,
> 
>> On 4/14/22 03:45, Peter Kreuser wrote:
>> Chris,
>>>> On 13.04.2022 at 21:37, Christopher Schultz wrote:
>>> All,
>>> I asked this question a few years ago on SO and I didn't really get an 
>>> answer:
>>> https://stackoverflow.com/questions/39374024/determine-diffie-hellman-parameters-length-for-a-tls-handshake-in-java
>>> Does anyone know if it's possible to get the DHE key-exchange parameters 
>>> during the TLS handshake using just SSLSocket on the client end? I'm trying 
>>> to detect when the server is using "weak" DH key lengths like <= 1024 bits.
>>> (I'm also curious as to why my ssltest tool[1] is unable to connect to a 
>>> server which is allowing ADH-AES128-GCM-SHA256 aka 
>>> TLS_DH_anon_WITH_AES_128_GCM_SHA256 ; I suspect it has something to do with 
>>> my JVMs unwillingness to use 1024-bit DHE for the handshake, and I can't 
>>> figure out how to turn it off. SSLLabs and sslscan both report this cipher 
>>> suite as being "enabled" on the server, but my tool reports that the 
>>> handshake failed, which usually implies that the cipher suite is disabled.)
>> Is your question how to detect this in code? Or specifically in Java?
> 
> Specifically in Java, and without any cooperation from the server e.g. 
> returning the details in some kind of HTTP header. I expect to perform a TLS 
> handshake only and then terminate the socket connection.
> 
>> Anyways Do you know testssl.sh?
> 
> I think that just executes openssl in a loop, no?

Not quite. It sets openssl params for specific tls testcases and verifies 
output from the tls response or certs.
Plus it has test case for known dhparams.

However that info may not be accessible from java, as Thomas said.

Peter
>> If I want to know how to handle a specific tls problem I check in
>> Dirk's code and start from there...
> -chris
> 




Re: Enable HTTP Strict Transport Security (HSTS) in Tomcat 9.0.x

2022-04-28 Thread Peter Chiu
This is what I am using. Hope this helps.

https://orclcs.blogspot.com/2017/04/enable-hsts-in-tomcat.html

On Thu, Apr 28, 2022 at 3:11 PM Kaushal Shriyan 
wrote:

> Hi,
>
> I am running the tomcat version 9.0.56 on CentOS Linux release 7.9.2009
> (Core) and trying to configure HTTP Strict Transport Security (HSTS)
> using /opt/tomcat9/conf/web.xml
>
> # ./version.sh
> Using CATALINA_BASE:   /opt/tomcat9
> Using CATALINA_HOME:   /opt/tomcat9
> Using CATALINA_TMPDIR: /opt/tomcat9/temp
> Using JRE_HOME:
>  /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.322.b06-1.el7_9.x86_64
> Using CLASSPATH:
> /opt/tomcat9/bin/bootstrap.jar:/opt/tomcat9/bin/tomcat-juli.jar
> Using CATALINA_OPTS:
> Server version: Apache Tomcat/9.0.56
> Server built:   Dec 2 2021 14:30:07 UTC
> Server number:  9.0.56.0
> OS Name:Linux
> OS Version: 3.10.0-1160.62.1.el7.x86_64
> Architecture:   amd64
> JVM Version:1.8.0_322-b06
> JVM Vendor: Red Hat, Inc.
> # cat /etc/redhat-release
> CentOS Linux release 7.9.2009 (Core)
> #
>
>
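> > */opt/tomcat9/conf/web.xml*
> > <filter>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
> >   <async-supported>true</async-supported>
> >   <init-param>
> >     <param-name>hstsEnabled</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsMaxAgeSeconds</param-name>
> >     <param-value>31536000</param-value>
> >   </init-param>
> >   <init-param>
> >     <param-name>hstsIncludeSubDomains</param-name>
> >     <param-value>true</param-value>
> >   </init-param>
> > </filter>
> > <filter-mapping>
> >   <filter-name>httpHeaderSecurity</filter-name>
> >   <url-pattern>/*</url-pattern>
> >   <dispatcher>REQUEST</dispatcher>
> > </filter-mapping>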
>
>
> When I scan the https://tomcatURL FQDN using
> https://www.ssllabs.com/ssltest/ I do not see the Strict Transport
> Security
> response header. Please guide me. Thanks in advance
>
> Best Regards,
>
> Kaushal
>
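
A local check for the web.xml configuration quoted in this thread, as an added example that is not from the original posts or from the Tomcat project: it parses a web.xml and reports whether the HttpHeaderSecurityFilter is both defined and mapped, and whether its HSTS parameters would produce a useful header. The sample web.xml is constructed (its filter mapping is deliberately commented out), and the defaults used for hstsEnabled and hstsMaxAgeSeconds are assumptions taken from the Tomcat filter documentation.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample: the filter is defined with the parameters from the
# thread, but its mapping is inside an XML comment and therefore inactive.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsMaxAgeSeconds</param-name>
      <param-value>31536000</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <!-- commented out, so the filter is defined but never applied
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  -->
</web-app>"""


def local_name(tag):
    """Strip the XML namespace that web.xml files normally declare."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local_name(c.tag) == name]


def child_text(elem, name, default=None):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else default


def check_hsts(web_xml_text):
    """Return the filter name, mapped URL patterns, parameters and problems."""
    root = ET.fromstring(web_xml_text)  # XML comments are dropped by the parser
    result = {"filter_name": None, "patterns": [], "params": {}, "problems": []}
    filters = [f for f in children(root, "filter")
               if child_text(f, "filter-class") == FILTER_CLASS]
    if not filters:
        result["problems"].append("HttpHeaderSecurityFilter is not defined or is commented out")
        return result
    flt = filters[0]
    name = child_text(flt, "filter-name")
    params = {child_text(p, "param-name"): child_text(p, "param-value")
              for p in children(flt, "init-param")}
    patterns = [child_text(m, "url-pattern")
                for m in children(root, "filter-mapping")
                if child_text(m, "filter-name") == name]
    result.update(filter_name=name, params=params,
                  patterns=[p for p in patterns if p])
    if not result["patterns"]:
        result["problems"].append("no active filter-mapping with a url-pattern for " + str(name))
    # Assumed defaults: hstsEnabled=true, hstsMaxAgeSeconds=0.
    if (params.get("hstsEnabled") or "true").lower() != "true":
        result["problems"].append("hstsEnabled is not true")
    try:
        max_age = int(params.get("hstsMaxAgeSeconds") or "0")
    except ValueError:
        max_age = 0
    if max_age <= 0:
        result["problems"].append("hstsMaxAgeSeconds is missing, invalid or 0")
    return result


if __name__ == "__main__":
    report = check_hsts(SAMPLE_WEB_XML)
    print(report["filter_name"], report["patterns"], report["params"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```
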


Re: AW: SSL issue with Tomcat 6.0.45 and JRE 1.8.0

2022-06-17 Thread Peter Chamberlain
errors or warnings in the logs?
> >>>
> >>> -chris
> >>>
> >>>> On Tue, Jun 14, 2022 at 7:30 PM Christopher Schultz
> >>>> mailto:ch...@christopherschultz.net>>
> >>> wrote:
> >>>>
> >>>>  Pavan,
> >>>>
> >>>>  On 6/14/22 08:32, Pavan Kumar Tiruvaipati wrote:
> >>>>   > We have replaced JDK 1.8 with JRE 1.8.0_333.
> >>>>   >
> >>>>   > SSL configuration was working fine with Tomcat 6.0.45 before
> >>>>  replacing JDK
> >>>>   > with JRE.
> >>>>   >
> >>>>   > Now it's not working.
> >>>>   >
> >>>>   > In server.xml, SSL Protocol is set to "TLS".
> >>>>   >
> >>>>   > Does Tomcat 6.0.45 support SSL with JRE 1.8.0_333 ?
> >>>>   >
> >>>>   > Are there any specific protocols / versions to be used to
> enable
> >>>>  SSL ?
> >>>>
> >>>>  Please post your <Connector> configuration. Remove any secrets that may
> >>>>  be in there (e.g. passwords).
> >>>>
> >>>>  -chris
> >>>>
> >>>
> >
> > The error says that the client and the server couldn’t find a common
> cipher suite.
> > They couldn’t agree on any cipher.
> > Does your keystore contain a valid private key?
>
> The problem is likely that Tomcat 6 (which is ancient) defaults to TLSv1
> and no higher (this is a guess; I'm not bothering to look at a
> 14-year-old version of Tomcat to figure out what the problem really is).
> The client isn't willing to connect to such an ancient version of any
> protocol, so it fails with the handshake failure.
>
> > Maybe you can try to print out all available cipher suites on your
> environment:
> >
> https://stackoverflow.com/questions/9333504/how-can-i-list-the-available-cipher-algorithms
> > You can add the code to a jsp-page and print out the available
> algorithms.
>
> Try explicitly setting the "enabled protocols" to "TLSv1, TLSv1.1,
> TLSv1.2, TLSv1.3" -- however that's done in that dinosaur of a Tomcat
> version. It might be enabledProtocols="..." if might be
> SSLProtocols="..." and it might have a lot to do with whether or not
> APR/native is being used, too.
>
> -chris
>
>
>
Could this be an issue with the Java JDK security disabled algorithms?
Later versions of jdk 8 disabled TLSv1 and TLSv1.1 by default, and you have
to change the jre/jdk conf/security/java.security file to fix it for older
use cases.
-- 



*Peter Chamberlain*


Re: SSLLabs scan shows TLSv1.0 and TLSv1.1 even though I have sslProtocol="TLSv1.2"

2022-08-09 Thread Peter Kreuser


James,

the most recent connector attribute is "protocols". The documentation is a bit 
vague on this saying there is an overlap between the two, yet I don't know if 
the overlap is there if protocols is unset and defaults to "all"
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Peter

> On 10.08.2022 at 00:15, James H. H. Lampert wrote:
> 
> I think this may have come up before, but I don't recall how it was resolved.
> 
> On customer box #1, I have:
>  address=""
>   maxThreads="400" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
>   clientAuth="false" sslProtocol="TLSv1.2" /> 
> 
> and an SSLLabs scan shows it accepting only TLSv1.2, as it should.
> 
> But on customer box #2, I have:
> 
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>   keystoreFile="/tomcat/wttomcat.ks" keyAlias=""
>   clientAuth="false" sslProtocol="TLSv1.2" />
> 
> and an SSLLabs scan shows it accepting TLSv1.0, TLSv1.1, and TLSv1.2.
> 
> What could be wrong here? I vaguely recall seeing something like this before.
> 
> --
> JHHL
> 
> 
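
The check discussed in this thread, as an added example that is not from the original posts or from the Tomcat project: a Python script that reads a server.xml and reports, for each TLS connector, whether the list of enabled protocol versions is set explicitly (the "protocols" attribute on SSLHostConfig, or the older connector-level "sslEnabledProtocols") or is left to the default of "all" with only "sslProtocol" present. The sample server.xml, its ports, host name and keystore paths are constructed, and the expansion of "all" is an assumption taken from the Tomcat configuration reference.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: ports, host name and keystore paths are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/keystore" clientAuth="false"
               sslProtocol="TLSv1.2" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/keystore" sslEnabledProtocols="TLSv1.2" />
    <Connector port="10443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig hostName="_default_" protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="/path/to/keystore" />
      </SSLHostConfig>
      <SSLHostConfig hostName="legacy.example.test" protocols="all" />
    </Connector>
  </Service>
</Server>"""

# Assumption: what the "all" alias expands to, per the configuration reference.
ALL_ALIAS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def expand_protocols(value):
    """Expand a protocols list such as "TLSv1.2,TLSv1.3" or "all,-TLSv1"."""
    enabled = []
    for sign, name in re.findall(r"([+-]?)\s*([A-Za-z0-9.]+)", value):
        names = ALL_ALIAS if name.lower() == "all" else [name]
        for proto in names:
            if sign == "-":
                if proto in enabled:
                    enabled.remove(proto)
            elif proto not in enabled:
                enabled.append(proto)
    return enabled


def audit_server_xml(xml_text):
    """Return one finding per TLS connector and TLS virtual host."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        host_configs = conn.findall("SSLHostConfig")
        if host_configs:
            scopes = [(hc.get("hostName", "_default_"), hc.get("protocols"))
                      for hc in host_configs]
        else:
            scopes = [("_default_", conn.get("sslEnabledProtocols"))]
        for host, value in scopes:
            enabled = expand_protocols(value if value is not None else "all")
            legacy = [p for p in enabled if p in LEGACY]
            if value is None:
                verdict = "protocols-unset"   # falls back to "all": review
            elif legacy:
                verdict = "legacy-enabled"
            else:
                verdict = "ok"
            findings.append({
                "port": conn.get("port"),
                "host": host,
                "sslProtocol": conn.get("sslProtocol"),
                "enabled": enabled,
                "legacy": legacy,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        print(f["port"], f["host"], f["verdict"],
              "sslProtocol=%s" % f["sslProtocol"], "legacy=%s" % f["legacy"])
```

A "protocols-unset" finding marks a connector to compare against a scan result such as the one quoted above; it is a prompt for review, not proof that the older versions are actually accepted.
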


Re: Simple SSL question

2022-08-11 Thread Peter Kreuser


Jon and Chris,


> On 11.08.2022 at 19:33, Christopher Schultz wrote:
> 
> Jon,
> 
>> On 8/11/22 12:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> I was just wondering if there was a vanity name for the "new" structure is 
>> all, to differentiate in documentation.
> 
> *shrug*
> 
> "New"?
> 
> That kind of loses its lustre after a while. Today, that's just "the way you 
> do it". So the "new" way is The Way and the old way is ... the Old Way.
> 
> Use SSLHostConfig. I'm sure you'll sleep better at night after you've 
> switched.
> 
> -chris
> 
>>> -Original Message-
>>> From: Christopher Schultz 
>>> Sent: Thursday, August 11, 2022 11:29 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: Simple SSL question
>>> 
>>> Jon,
>>> 
>>> On 8/11/22 11:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>>> Is there a "name" for the new connector style? The old is known as the
>>>> Coyote Connector.
>>> Coyote is just the name of the connector itself, for whatever reason.
>>> Both the new and old-style configuration is using the same connector
>>> underneath. When you configure everything on the <Connector>, Tomcat
>>> still creates an SSLHostConfig object under the covers and fills it with 
>>> that
>>> same data.
>>> 
>>> Why should you bother migrating? Two reasons:
>>> 
>>> 1. The new configuration is easier to read IMO. It separates the TLS
>>> host/key/certificate and all that associated stuff from the more basic 
>>> socket-
>>> type stuff for the <Connector>.
>>> 
>>> 2. It allows for more options such as proper name-based virtual-hosting with
>>> TLS. It also allows multiple types of keys and certificates to be used. For
>>> example, you can configure both RSA and EC certificates for a single host.
>>> That's just not possible with the one-attribute-to-rule-them-all 
>>> configuration
>>> where everything is on the <Connector> element.
>>> 

I have tried all the fancy new cert options and they are cool.

And I do agree that it's more readable.

What would be useful would be one sample how to transfer a simple "old" config 
to SSLHostConfig.
That would take away the fear to get going. In another thread I said, that it 
may be a lot of work to migrate a lot of tomcat instances. But I guess most 
people would only need a single SSLHostConfig  to add to their one connector...

Peter
>>> -chris
>>> 
>>>>> -Original Message-
>>>>> From: Mark Thomas 
>>>>> Sent: Wednesday, August 10, 2022 2:43 PM
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: Simple SSL question
>>>>> 
>>>>> On 10/08/2022 19:22, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>>>>> Ok, I'm asking a rather simple, stupid (in my opinion) question, but
>>>>>> here
>>>>> goes:
>>>>>> 
>>>>>> What is the best practice form of connector for SSL. Is it the
>>>>>> old-school
>>>>> coyote connector or the connector with the <SSLHostConfig> section?
>>>>> 
>>>>> 
>>>>> 
>>>>> The old style isn't supported in Tomcat 10.0.x onwards.
>>>>> 
>>>>>> Are the two interchangeable, or does the SSLHostConfig one rely on
>>>>> openssl and won't work without it? The documentation is confusing me
>>>>> on a hump day afternoon.
>>>>> 
>>>>> They are interchangeable. However, if you want to configure TLS
>>>>> virtual hosting with SNI you'll need to use SSLHostConfig.
>>>>> 
>>>>> Both approaches can be used with JSSE and OpenSSL based TLS
>>>>> implementations.
>>>>> 
>>>>> Mark
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
>>>>>> Thanks,
>>>>>> 
>>>>>> Dream * Excel * Explore * Inspire
>>>>>> Jon McAlexander
>>>>>> Senior Infrastructure Engineer
>>>>>> Asst. Vice President
>>>>>> He/His
>>>>>> 
>>>>>> Middleware Product Engineering
>>>>>> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>>>>>> 
>>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>
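
A sketch of the old-to-new transfer asked for in this message, as an added example (not code from the Tomcat project or from any poster): it moves the deprecated TLS attributes of an old-style Connector into a nested SSLHostConfig/Certificate, using the attribute mapping given in the Tomcat 9 HTTP connector documentation. The sample connector is constructed from the attributes quoted earlier on this page; port, protocol and keystorePass are assumed values.

```python
import xml.etree.ElementTree as ET

# Deprecated <Connector> attribute -> replacement attribute, per the
# Tomcat 9 HTTP connector documentation.
TO_SSLHOSTCONFIG = {
    "sslProtocol": "sslProtocol",
    "sslEnabledProtocols": "protocols",
    "ciphers": "ciphers",
    "useServerCipherSuitesOrder": "honorCipherOrder",
    "truststoreFile": "truststoreFile",
    "truststorePass": "truststorePassword",
    "truststoreType": "truststoreType",
    "crlFile": "certificateRevocationListFile",
}
TO_CERTIFICATE = {
    "keystoreFile": "certificateKeystoreFile",
    "keystorePass": "certificateKeystorePassword",
    "keystoreType": "certificateKeystoreType",
    "keyAlias": "certificateKeyAlias",
    "keyPass": "certificateKeyPassword",
}
# clientAuth values map onto certificateVerification values.
CLIENT_AUTH = {"true": "required", "want": "optional", "false": "none"}

# Constructed sample: the TLS attributes are the ones quoted on this page;
# port, protocol and keystorePass are assumed values for illustration.
OLD_CONNECTOR = """
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/tomcat/wttomcat.ks" keystorePass="changeit" keyAlias=""
           clientAuth="false" sslProtocol="TLSv1.2" />
"""


def migrate_connector(connector_xml):
    """Return (new <Connector> element, list of warnings) for an old-style one."""
    old = ET.fromstring(connector_xml)
    if old.tag != "Connector":
        raise ValueError("expected a <Connector> element, got <%s>" % old.tag)
    if old.find("SSLHostConfig") is not None:
        return old, ["already uses SSLHostConfig; nothing to migrate"]

    warnings = []
    new = ET.Element("Connector")
    host = ET.SubElement(new, "SSLHostConfig")
    cert = ET.Element("Certificate")
    for name, value in old.attrib.items():
        if name in TO_CERTIFICATE:
            if value:                      # drop empty values such as keyAlias=""
                cert.set(TO_CERTIFICATE[name], value)
        elif name in TO_SSLHOSTCONFIG:
            if value:
                host.set(TO_SSLHOSTCONFIG[name], value)
        elif name == "clientAuth":
            if value.lower() not in CLIENT_AUTH:
                raise ValueError("unknown clientAuth value: %r" % value)
            host.set("certificateVerification", CLIENT_AUTH[value.lower()])
        else:
            new.set(name, value)           # socket-level settings stay put
    if cert.attrib:
        host.append(cert)

    # sslProtocol names the JSSE SSLContext to create, and one value can
    # enable several protocol versions. The enabled set is narrowed by
    # "protocols" (formerly sslEnabledProtocols), so flag configurations
    # that rely on sslProtocol alone.
    if host.get("sslProtocol") and not host.get("protocols"):
        warnings.append(
            'sslProtocol="%s" alone does not restrict the accepted TLS '
            'versions; set protocols (for example protocols="TLSv1.2") on '
            "SSLHostConfig" % host.get("sslProtocol"))
    return new, warnings


def render(element):
    """Serialize the element as indented XML text."""
    if hasattr(ET, "indent"):              # available from Python 3.9
        ET.indent(element, space="    ")
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    migrated, notes = migrate_connector(OLD_CONNECTOR)
    print(render(migrated))
    for note in notes:
        print("WARNING:", note)
```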

Re: Tomcat 10.1.1 error starting

2022-10-20 Thread Peter Kreuser
Jon,

 

> On 20.10.2022 at 18:57, jonmcalexan...@wellsfargo.com.invalid wrote:
> 
> Good morning,
> 
> I am getting the following error when trying to start a very generic setup of 
> Tomcat 10.1.1 on Windows Server 2019.
> 
> Error: A JNI error has occurred, please check your installation and try again
> Exception in thread "main" java.lang.UnsupportedClassVersionError: 
> org/apache/catalina/startup/Bootstrap has been compiled by a more recent 
> version of the Java Runtime (class file version 55.0), this version of the 
> Java Runtime only recognizes class file versions up to 52.0
>at

Looks like you are running Tomcat on an older Java than the app was compiled 
with...

Need to lookup the exact class versions, but like:

Compiled with jdk13 and running on java 11.

HTH

Peter

> java.lang.ClassLoader.defineClass1(Native Method)
>at java.lang.ClassLoader.defineClass(ClassLoader.java:756)
>at 
> java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
>at java.net.URLClassLoader.defineClass(URLClassLoader.java:473)
>at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
>at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
>at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
>at java.security.AccessController.doPrivileged(Native Method)
>at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
>at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
>at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355)
>at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
>at 
> sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:601)
> 
> Is there a minimum version of Java 8 that is required?
> 
> Thanks,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
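
A lookup for the class file versions named in the error above, as an added example (not code from the Tomcat project or from any poster): it maps a class-file major version to the Java release that produces it, reads that version from a .class header or from every class in a jar, and decodes the UnsupportedClassVersionError text. The sample error is the one quoted in this message; the function names are hypothetical.

```python
import re
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE

# The error text quoted in this message, quote markers included.
SAMPLE_ERROR = """\
> Exception in thread "main" java.lang.UnsupportedClassVersionError:
> org/apache/catalina/startup/Bootstrap has been compiled by a more recent
> version of the Java Runtime (class file version 55.0), this version of the
> Java Runtime only recognizes class file versions up to 52.0
"""

ERROR_RE = re.compile(
    r"(\S+) has been compiled by a more recent version of the Java Runtime "
    r"\(class file version (\d+)\.\d+\), this version of the Java Runtime "
    r"only recognizes class file versions up to (\d+)\.\d+")


def java_release(major):
    """Name the Java release that emits class files with this major version."""
    if major < 45:
        raise ValueError("not a valid class-file major version: %d" % major)
    if major <= 48:
        return "1.%d" % (major - 44)       # 45..48 -> 1.1..1.4
    return str(major - 44)                 # 49 -> 5, 52 -> 8, 55 -> 11


def class_file_version(data):
    """Return (major, minor) read from the 8-byte header of a .class file."""
    if len(data) < 8:
        raise ValueError("truncated class file")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("bad magic 0x%08X, not a class file" % magic)
    return major, minor


def newest_class_in_jar(jar):
    """Return (major, entry name) of the highest class version in a jar.

    `jar` is a path or a binary file object. Multi-release overlays under
    META-INF/versions/ and module-info.class are skipped because they do not
    set the minimum runtime for the jar's main classes.
    """
    newest = (0, None)
    with zipfile.ZipFile(jar) as archive:
        for name in archive.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith("META-INF/versions/") or name.endswith("module-info.class"):
                continue
            with archive.open(name) as entry:
                major, _ = class_file_version(entry.read(8))
            if major > newest[0]:
                newest = (major, name)
    if newest[1] is None:
        raise ValueError("no class files found in jar")
    return newest


def explain_error(text):
    """Decode an UnsupportedClassVersionError message, or return None."""
    # Drop mail quote markers and re-join the wrapped lines.
    flat = " ".join(line.lstrip("> ") for line in text.splitlines())
    match = ERROR_RE.search(" ".join(flat.split()))
    if match is None:
        return None
    return {
        "class": match.group(1),
        "needs_java": java_release(int(match.group(2))),
        "running_java": java_release(int(match.group(3))),
    }


if __name__ == "__main__":
    print(explain_error(SAMPLE_ERROR))
```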



Aw: Tomcat/Java app timezone radomly changes during operation.

2022-10-27 Thread Peter Rader
Hi David,

is it a moving server? We had similar issues on an airborne server crossing 
nation-borders rapidly.

10 minutes is unusual. The lowest timezone-change is 15 minutes afaik.

Kind regards

>
> Hi all,
>
> I've experienced an issue since the morning of the 21st that I'm
> hoping to get some direction on for where to look.
>
> An app uses the date/time to set a timeout for a password reset.
> This had been working fine for years and suddenly it failed. A restart of
> tomcat allowed it to work for a day, then 12 hours, then 5 hours, then 1 hr
> and now is averaging a 10 minute or so working duration between tomcat
> restarts.
>
> Changing the logging in the app showed that the issue is due to it
> sending UTC to the DB while it is broken. Restarting Tomcat results in CDT
> being sent for a while until randomly it switches again.
>
> RHEL 7.9, jvm 1.8.0_231-b11, Tomcat 9.0.29
> ntp is on, chrony is syncing, Java states correct time when queried
> however unsure if it's JDK or JRE when targeted. OS time is good.
>
> When I redeploy the app, log timestamps for the app are in UTC as well
> until restarting tomcat. During the issue the log timestamp remains in
> CDT as expected, even though values passed are UTC.
>
> I have explicitly defined the timezone in setenv.sh with no change in
> behavior.
>
> Any thoughts as what to investigate are greatly appreciated.
>
> Thanks,
> David




Re: OT: hsts in Tomcat 9.0.73

2023-04-20 Thread Peter Kreuser
Any more details on the request?

Are you hitting an error 400? Like with ip address on a name based host?

That is handled prior to the filter and so you don't see the header!

Peter

> On 20.04.2023 at 22:40, jonmcalexan...@wellsfargo.com.invalid wrote:
> 
> Hello again.
> 
> I have another app team that is getting hit with a QID 11827 stating that the 
> hsts Security header is missing. We have reviewed the web.xml and the 
> appropriate section and filter are present. hstsEnabled is set to true. 
> Performing a curl against the site does NOT show the hsts STRICT header.
> 
> WEB.XML
> 
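> <filter>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
>     <async-supported>true</async-supported>
>     <init-param>
>         <param-name>antiClickJackingOption</param-name>
>         <param-value>SAMEORIGIN</param-value>
>     </init-param>
>     <init-param>
>         <param-name>hstsEnabled</param-name>
>         <param-value>true</param-value>
>     </init-param>
>     <init-param>
>         <param-name>hstsMaxAgeSeconds</param-name>
>         <param-value>31536000</param-value>
>     </init-param>
>     <init-param>
>         <param-name>hstsIncludeSubDomains</param-name>
>         <param-value>true</param-value>
>     </init-param>
> </filter>
> <filter-mapping>
>     <filter-name>httpHeaderSecurity</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
> </filter-mapping>
> 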
> 
> Thank you,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 




Re: OT: hsts in Tomcat 9.0.73

2023-04-24 Thread Peter Kreuser
Jon,



Peter Kreuser
Liebknechtstr. 83
63303 Dreieich-Sprendlingen
phone: +49 6103 9880863
fax: +49 6103 9886215
mobile: +49 172 6649346
email: pe...@kreuser.name
web: www.kreuser.name
key: http://www.kreuser.name/PGP_Public_Key.txt
smime: http://www.kreuser.name/SMIME.cer
> On 24.04.2023 at 15:39, jonmcalexan...@wellsfargo.com.invalid wrote:
> 
> Thank you for all the good insights Olaf. I am like you, I prefer to put a 
> reverse proxy in front of my Tomcat instances as well. Unfortunately it is 
> Qualys that is calling this particular system out, so have to figure out how 
> best to fix it.

should it always be behind the reverse proxy and not available to the public?

Peter

> 
> Thanks again.
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
> 
>> -Original Message-
>> From: Olaf Kock 
>> Sent: Saturday, April 22, 2023 2:14 AM
>> To: users@tomcat.apache.org
>> Subject: Re: OT: hsts in Tomcat 9.0.73
>> 
>> 
>>> On 22.04.23 at 00:48, jonmcalexan...@wellsfargo.com.INVALID wrote:
>>> Thanks Peter,
>>> 
>>> I still do not see the hsts header. I'm wondering if this is causing it.
>>> 
>>> SSL certificate verify result: self signed certificate in certificate chain 
>>> (19),
>> continuing anyway.
>>> 
>>> I don't know why it's complaining as the certificate for Tomcat is not a 
>>> self-
>> signed certificate.
>> 
>> That's a good guess: Anything self-signed is a problem for HSTS (though only
>> curl might see it as that, depending on the root certificate store it uses
>> compared to your browser). However, somehow I'd expect the server to be
>> ignorant to the level of trust that the client has and send the header 
>> anyway.
>> 
>> Another aspect to dig into is the explicit nonstandard port number. I didn't
>> fully parse the RFC for it, but there are several statements on explicit, 
>> implicit
>> ports and how they're mapped.
>> 
>> In the end, it might be worth hitting the Tomcat filter in a debugger, or
>> inspecting the source - to see if any conditional branches in an unexpected
>> fashion, if a different filter than the expected one is hitting, or if the 
>> URL
>> doesn't match.
>> 
>> Yet one more option: Set some nonstandard header, where no assumption
>> can be made in any server- or client-side code, and see if it gets through. 
>> This
>> way you know that you're hitting the expected filter
>> 
>> I'm typically lazy in all of this setup, as I defer HTTPS/HSTS to a reverse 
>> proxy
>> (and I'm only setting up demo systems), so I can only make wild guesses.
>> 
>> Olaf
>> 
>> 
>> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
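
A triage helper for the missing-header question in this thread, as an added example (not code from Tomcat or from any poster): given a raw response head, it separates the cases raised in the replies, namely a 400 answered before the filter runs, a response the filter never touched, and a response the filter handled without adding HSTS. It uses the X-Frame-Options header that the same filter sets from antiClickJackingOption as the "am I hitting the expected filter" probe. That HttpHeaderSecurityFilter adds the HSTS header only to requests Tomcat considers secure is an assumption stated in the code, and the responses are constructed.

```python
def parse_response_head(raw):
    """Split a raw HTTP/1.x response head into (status code, headers dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.strip().split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def diagnose(raw, scheme, want_max_age=31536000, want_subdomains=True):
    """Classify one response; the defaults are the values from the web.xml above."""
    status, headers = parse_response_head(raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        if status == 400:
            # Rejected by the connector before any filter runs.
            return "rejected-before-filter"
        if "x-frame-options" not in headers:
            # The filter's other header is missing too: wrong webapp,
            # wrong mapping, or a different filter answered.
            return "filter-not-reached"
        if scheme != "https":
            # Assumption: the filter adds HSTS only to secure requests.
            return "plain-http-request"
        # Filter ran on an https URL but Tomcat did not treat the request as
        # secure, e.g. TLS is terminated in front of Tomcat.
        return "request-not-seen-as-secure"
    max_age, subdomains = parse_hsts(hsts)
    if max_age != want_max_age or subdomains != want_subdomains:
        return "hsts-value-mismatch"
    return "ok"


# Constructed responses, one per case.
R_400 = "HTTP/1.1 400 \r\nContent-Type: text/html;charset=utf-8\r\n\r\n"
R_NO_FILTER = "HTTP/1.1 200 \r\nContent-Type: text/html\r\n\r\n"
R_NOT_SECURE = "HTTP/1.1 200 \r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
R_OK = ("HTTP/1.1 200 \r\nX-Frame-Options: SAMEORIGIN\r\n"
        "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n\r\n")
R_WEAK = ("HTTP/1.1 200 \r\nX-Frame-Options: SAMEORIGIN\r\n"
          "Strict-Transport-Security: max-age=0\r\n\r\n")

if __name__ == "__main__":
    for label, raw, scheme in [("400", R_400, "https"), ("no filter", R_NO_FILTER, "https"),
                               ("http", R_NOT_SECURE, "http"), ("proxy", R_NOT_SECURE, "https"),
                               ("ok", R_OK, "https"), ("weak", R_WEAK, "https")]:
        print(label, "->", diagnose(raw, scheme))
```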



Maven tomcat7:redeploy upload reset/retry

2023-05-02 Thread Peter Rader
Hi Folks,
 
I am running a tomcat 8.5.50.
 
I try to upload a webapp using maven-tomcat7-plugin.
 
It worked very good for a couple of years. I did nothing new to the 
configuration.
 
Then I see broken pipes during build:
 

    [INFO] Deploying war to http://www.foobar.de/manager/de.foobar.xxx-1.0.0-SNAPSHOT
    Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
    3534/82321 KB
    Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
    3504/82321 KB
    Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
    3684/82321 KB
    Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
    3474/82321 KB
 
The redeployment failed. I checked the free space and there are about 4 
gigabyte free on the device.
 
I already checked the upload-size in manager/WEB-INF/web.xml
I already checked the ip-disclosure in manager/META-INF/context.xml
I already checked the connectionTimeout in the http and https connector.
I already checked the username and password.
I already checked the roles.
 
It had worked successfully until a few days ago. I changed nothing.
 
Any ideas? (I do not like to update to a new tomcat-version)
 
Kind regards
 Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Handy: 0049 (0)176 / 87 521 576
Handy: 0049 (0)176 / 47 876 303




Fw: AW: Maven tomcat7:redeploy upload reset/retry

2023-05-02 Thread Peter Rader
> > Hi Folks,
> >
> > I am running a tomcat 8.5.50.
> >
> > I try to upload a webapp using maven-tomcat7-plugin.
> >
> > It worked very good for a couple of years. I did nothing new to the
> > configuration.
> >
> > Then I see broken pipes during build:
> >
> >
> >     [INFO] Deploying war to http://www.foobar.de/manager/de.foobar.xxx-1.0.0-SNAPSHOT
> >     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
> >     3534/82321 KB
> >     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
> >     3504/82321 KB
> >     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
> >     3684/82321 KB
> >     Uploading: http://www.foobar.de/manager/text/deploy?path=de.foobar.xxx-1.0.0-SNAPSHOT&update=true
> >     3474/82321 KB
> >
> > The redeployment failed. I checked the free space and there are about 4
> > gigabyte free on the device.
> >
> > I already checked the upload-size in manager/WEB-INF/web.xml I already
> > checked the ip-disclosure in manager/META-INF/context.xml I already checked
> > the connectionTimeout in the http and https connector.
> > I already checked the username and password.
> > I already checked the roles.
> >
> > It had worked successfully until a few days ago. I changed nothing.
> >
> > Any ideas? (I do not like to update to a new tomcat-version)
> >
> > Kind regards
> >  Peter Rader
> > -- 
> 
> Could you check the tomcat logs?
> Under normal circumstances there should be some information to track down the 
> issue.
> Check all the log files according to the timestamp and post snippets, if you 
> find something related.
> 
> Greetings,
> Thomas
> 
> 

I checked the Tomcat logs; with logging enabled I saw:

02-May-2023 11:56:44.656 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:  manager-script
02-May-2023 11:56:44.657 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
02-May-2023 11:56:44.657 FINER [http-nio-80-exec-4] org.apache.catalina.core.StandardWrapper.allocate   Returning non-STM instance
02-May-2023 11:56:44.657 INFO [http-nio-80-exec-4] org.apache.catalina.core.ApplicationContext.log Manager: deploy: Deploying web application 'de.foobar.xxx-1.0.0-SNAPSHOT'
02-May-2023 11:56:44.814 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.startup.HostConfig.checkResources Checking context[] redeploy resource /usr/local/share/apache-tomcat-8.5.50/webapps/ROOT.war
02-May-2023 11:56:44.814 FINE [ContainerBackgroundProcessor[StandardEngine[Catalina]]] org.apache.catalina.startup.HostConfig.checkResources Checking context[] redeploy resource /usr/local/share/apache-tomcat-8.5.50/webapps/ROOT
(the last two messages are repeated 50 times for the different applications)

As you can see, the authentication completed successfully.





RateLimitFilter

2023-07-07 Thread Peter Eichenauer

Hi,

thank you for adding the RateLimitFilter in Tomcat 9.0.76. It is working 
as expected, but I wonder if the log message during initialisation is 
correct: Actual is [{3}] per [{4}] milliseconds. [{5}].


To me it looks like that parameter {4} is printed in seconds.

For example, this is my web.xml configuration:

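<filter>
    <filter-name>RateLimitFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RateLimitFilter</filter-class>
    <init-param>
        <param-name>bucketDuration</param-name>
        <param-value>10</param-value>
    </init-param>
    <init-param>
        <param-name>bucketRequests</param-name>
        <param-value>10</param-value>
    </init-param>
</filter>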

my log shows:
[RateLimitFilter] initialized with [10] requests per [10] seconds. 
Actual is [16] per [16] milliseconds.


Thanks again,
Peter




Aw: Re: /META-INF/resources/ and Chrome's DevTools

2020-04-06 Thread Peter Rader
Hello Konstantin Kolinko,

I tried to use the PreResource but it does not work. 

2020-04-06 10:13:05 WARNUNG org.apache.tomcat.util.digester.Digester endElement 
  No rules found matching 'Context/Resources/PreResources'.

This is my context.xml









Any idea?



>
> Sent: Monday, 16 March 2020 at 01:01
> From: "Konstantin Kolinko" 
> To: "Tomcat Users List" 
> Subject: Re: /META-INF/resources/ and Chrome's DevTools
> On 15 Mar 2020 at 13:47, Peter Rader wrote:
> >
> > I have my default.js in a frontend.jar's /META-INF/resources/js/ according 
> > to the specs (last paragraph of point 10.10 in 
> > https://download.oracle.com/otn-pub/jcp/servlet-3.0-fr-eval-oth-JSpec/servlet-3_0-final-spec.pdf
> >  ) it is served successfully. This works great!
>
> 1. If you unpack the file into a directory in your web application
> (into its /js/ directory),
> it will take precedence over the version packed in the framework jar.
>
>
> 2. It is possible to map files from elsewhere on your hard drive into
> your web application.
> It can be done with "" element in the
> META-INF/context.xml file of your web application.
>
> For reference:
> http://tomcat.apache.org/tomcat-9.0-doc/config/resources.html
>
>
> 3. If your Tomcat runs on the same computer. you can run the web
> application from an expanded directory, without packing it as a war
> file.
>
> 1) Copy your META-INF/context.xml file as
> $CATALINA_BASE/conf/Catalina/localhost/yourwebappname.xml
>
> 2) Add docBase attribute to the <Context> element in it.
>
> See
> http://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Defining_a_context
>
>
> Best regards,
> Konstantin Kolinko




Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 20 9930560
Fax: 0049 (0)30 / 20 9930561
Handy: 0049 (0)176 / 8 7521576




Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

2020-04-06 Thread Peter Kreuser
James,

> On 06.04.2020 at 21:53, James H. H. Lampert wrote:
> 
> Here is the situation:
> 
> We have an existing Amazon EC2 instance, running Amazon Linux 2, with an 
> Apache httpd server already running our web sites (for argument's sake, 
> "foo.com," "bar.com," and "baz.com."), and already getting its certs from 
> Let's Encrypt, using "foo.com" as the CN, with "www.foo.com," "bar.com," 
> "www.bar.com," "baz.com," and "www.baz.com" as SANs. And it seems to be 
> working quite nicely.
> 
> Now, we want to add a Tomcat server, which would then serve several webapp 
> contexts at "qux.baz.com," and maybe also "corge.baz.com," running behind the 
> httpd server (which is something I've never done before; I've always set up 
> Tomcat directly facing the outside world, so with this, I frankly haven't a 
> clue what I'm doing).
> 

Don‘t be scared!

> First of all, which is currently considered the easier/better way to get 
> Tomcat running behind httpd, given the above scenario? "mod_proxy," or 
> "mod_jk?" Or is there something else I haven't heard of?
> 


> Second of all, I found this step-by-step procedure.
> 
>> https://preview.tinyurl.com/vwnutqj
> 
> Is it any good?
> 
Sounds reasonable.

Are you going to host tomcat on the same „server“ or are you proxying to a 
different instance? Then mod_proxy and ssl (!) should be the way to go. If you 
are on the same instance, you may want to see if mod_jk is an option.

> Third, am I correct in assuming that all we need to do in order for the 
> existing Let's Encrypt setup to cover the new "qux" and "corge" subdomains is 
> to add them to the SANs already listed?
> 

That and the additional Serveralias‘ or VirtualHosts that proxy the tomcat 
requests.

> Finally, are there any "gotchas" I need to be concerned with?
> 

Any headers that are necessary for your tomcat application need to be sent or 
maybe rewritten.

You may need to set the correct attributes on your connector, so the URLs are 
correctly rewritten (port 8080/8443 in tomcat should be https 443 to the 
outside! Cookies may need the correct path and secure flag.)

That may be a second round of tweaking. First get to serve the pages on the 
right Uri.

Let us know how you get along and we can add to the config if necessary.

Peter

> --
> James H. H. Lampert
> Touchtone Corporation
> 
> 





Aw: Re: Re: /META-INF/resources/ and Chrome's DevTools

2020-04-07 Thread Peter Rader



Ah ok, 
 
I use maven, only tomcat 7 and 6 is available. PreResources are only available 
in tomcat8 so I decide against tomcat in higher versions than 7.
 
Kind regards

>  Sent: Monday, 06 April 2020 at 16:34
>  From: "Mark Thomas" 
>  To: users@tomcat.apache.org
>  Subject: Re: Aw: Re: /META-INF/resources/ and Chrome's DevTools
>  On 06/04/2020 09:16, Peter Rader wrote:
>  > Hello Konstantin Kolinko,
>  >
>  > I tried to use the PreResource but it does not work.
>  >
>  > 2020-04-06 10:13:05 WARNUNG org.apache.tomcat.util.digester.Digester 
> endElement No rules found matching 'Context/Resources/PreResources'.
>  >
>  > This is my context.xml
>  >
>  > 
>  >   > type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
>  > url=""
>  > username="xxx" password="xxx" maxTotal="50"
>  > maxIdle="50" maxWait="10">
>  > 
>  >   > className="org.apache.catalina.webresources.FileResourceSet"
>  > base="C:\Users\Guest\git\x\src\main\resources\META-INF\resources"
>  > internalPath="index.html" />
> 
>  That doesn't look quite right. I'd expect it to look something like:
> 
>    className="org.apache.catalina.webresources.FileResourceSet"
>  base="C:\Users\Guest\git\x\src\main\resources\META-INF\resources"
>  />
>
>  To map the contents of the "...\META-INF\resources" directory into the
>  root of the web application.
> 
>  Mark
> 
>   
>
> 





Re: Setting up Tomcat behind an existing Apache httpd server (on Amazon Linux 2)

2020-04-09 Thread Peter Kreuser
Mark, James

> On 09.04.2020 at 22:14, Mark Eggers wrote:
> 
> James,
> 
>> On 4/9/2020 12:11 PM, James H. H. Lampert wrote:
>>> On 4/6/20 2:13 PM, Mark Eggers wrote:
>>> # Secure your proxy - localhost for now - this is IMPORTANT
>>> 
>>>Require ip 127
>>> 
>> 

Isn‘t this for CONNECT Requests?
The Backend proxying happens with GET POST PUT to httpd and then apache opens 
the connect to backend.
No Proxying in the sense of the PROXY directive...

>> Dear Mr. Eggers:
>> 
>> It seems I was right about how what you said about this, and what the
>> docs say about it, appeared to contradict each other: with that in the
>> VirtualHost with the ProxyPass and ProxyPassReverse directives, it
>> blocked all outside access through the proxy.
>> 
>> Once I commented out those lines, I got proxied straight to the default
>> ROOT context.
>> 
>> Then, when I reactivated the valve in the manager app, I found that I
>> was still able to get into it via the proxy, but not directly.
>> 
>> I've now put this in
>>> https://qux.baz.com/manager";>
>>>  Require ip xx.yy.zz.qq
>>> 
>>> https://corge.bax.com/manager";>
>>>  Require ip xx.yy.zz.qq
>>> 
>> 

It should be sufficient to just do a Location directive and then Require.


  Require 


Maybe also LocationMatch.

>> where xx.yy.zz.qq is my office IP address. I could get in just fine.
>> Then I changed the IP address to something different, restarted my
>> browser, and I could still get in. I also tried it with "/*" on the ends
>> of the URLs, and with "/html" on the ends, and with "/html/*" on the
>> ends. I also went back to the original "*" on one of them, and it went
>> back to locking me out of everything. Something doesn't seem right here.
>> 
> 
> I'll play with this a little later.

Me too. 
> 
> Please note that when you change Apache HTTPD configurations you must
> restart Apache HTTPD.
> 

An apachectl graceful reloads the config without downtime.

> This is one of the reasons why I prefer mod_jk. I can change the mapped
> URLs on the fly without having to restart Apache HTTPD (albeit with some
> small hit to performance).
> 
> The way that I have things set up for a client is to have a machine with
> two interfaces and use an  directive in server.xml.
> 
> I then run an additional HTTP/1.1 connector and bind it to the internal
> interface only. The internal interface is protected by VPN with a two
> factor authentication.
> 
Interesting idea.


> I could further protect the sensitive applications by using the remote
> address filter and restricting access to the management and build
> systems subnets.
> 
> To access the manager application, you have to connect to the VPN, and
> then browse to the following:
> 
> http://internal.dns.domain.com:port/manager/html
> 
> This will bring up a manager interface that is appropriate for:
> 
> https://external.dns..domain.com
> 
> and all the applications running there. This is mostly used by the
> client's internal Jenkins build system to publish applications to the
> appropriate Tomcat server. It can also be used by a JMX application for
> Tomcat monitoring.
> 
> My urimapping.properties file contains lines like:
> 
> !/manager|/*=worker_name
> !/jmxmonitor|/*=worker_name
> 
> This blocks proxying the manager and JMX applications by mod_jk.
> 
> This has been running in production since I set it up, and has survived
> both random script kiddie attacks and security audits by the client's
> customers.
> 
> You could look at mimicking this behavior with mod_proxy by using an
> exclamation mark (not tested).
> 
> Something like the following:
> 
> ProxyPass /manager !
> ProxyPass /jmxmonitor !
> 
> per the documentation here:
> 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
> 
> Apparently, the documentation would recommend something like the following:
> 
> 
>ProxyPass "!"
> 
> 
>ProxyPass "!"
> 
> 
> I think that the above is probably easier to read and more specific.
> Place the directives in the appropriate virtual host.
> 
> You could also be more expressive with LocationMatch and regular
> expressions.
> 
> Once this is done you could access the manager application directly by
> using the appropriate port and configuring AWS's firewall rules to allow
> your office IP address through the port.
> 
> Again, I have not tried this since I use mod_jk.  Again, please remember
> to restart Apache HTTPD after any configuration changes.
> 
> 
> . . . just my two cents
> /mde/

Peter
> 





Re: Error in stopping application tomcat !!

2020-07-25 Thread Peter Kreuser
Kushagra,


> On 25.07.2020 at 08:12, Kushagra Bindal wrote:
> 
> One more related changes :
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63041

None of the bugzilla entries relate to changes in newer versions.

It won't be as easy as to search for "shutdown" in either bugzilla or the 
release notes!

> Please suggest the probable fix to make this smooth.
> 

For now it may be as simple as sending SIGKILL to the java process.

Apparently some resources in your app don‘t want to terminate.

My 2ct.

Peter

>> On Sat, Jul 25, 2020 at 11:03 AM Kushagra Bindal wrote:
>> Thanks Martin,
>> By looking at the change log I found few relevant items.
>> 1. https://bz.apache.org/bugzilla/show_bug.cgi?id=55969
>> 2. https://bz.apache.org/bugzilla/show_bug.cgi?id=62515
>> 3. https://bz.apache.org/bugzilla/show_bug.cgi?id=48655
>> 4. https://bz.apache.org/bugzilla/show_bug.cgi?id=63210
>> If possible, please help in understanding the behavior and possible way to
>> handle this.
>> Thanks in advance for helping me so far.
>> On Fri, Jul 24, 2020 at 1:08 AM Martin Grigorov wrote:
>>> On Thu, Jul 23, 2020, 15:52 Kushagra Bindal wrote:
>>>> Thanks Martin.
>>>> But with the old version i.e. 8.5.24 it is working smoothly. So, what could
>>>> be the problem? Or some specific property/configuration changes that need
>>>> to be made around this?
>>> You will have to consult with the changelogs for all the versions in
>>> between.
>>>> On Thu, Jul 23, 2020 at 6:00 PM Martin Grigorov wrote:
>>>>> On Thu, Jul 23, 2020 at 3:10 PM Kushagra Bindal <bindal.kusha...@gmail.com>
>>>>> wrote:
>>>>>> Hi Martin,
>>>>>> Due to our environment I was not able to use pastebin service. I have
>>>>>> taken different Thread dump during shutdown and attaching the same with
>>>>>> this email.
>>>>>> Please review the same and let me know, what is the probable root cause of
>>>>>> the problem and what could be the fix of the same.
>>>>> You have many AMQP (RabbitMQ) listener threads which are not daemons.
>>>>> It seems your application does not notify Spring Framework that it needs to
>>>>> destroy its application context or the beans with type
>>>>> org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer
>>>>> are not notified to stop for some other reason.
>>>>>> On Thu, Jul 23, 2020 at 3:22 PM Martin Grigorov <mgrigo...@apache.org>
>>>>>> wrote:
>>>>>>> Hi,
>>>>>>> On Thu, Jul 23, 2020 at 6:35 AM Kushagra Bindal <bindal.kusha...@gmail.com>
>>>>>>> wrote:
>>>>>>>> Hi Martin,
>>>>>>>> These are the only two behaviors right now which I am getting on a
>>>>>>>> regular basis.
>>>>>>>> 1. During startup of the application and then shutdown
>>>>>>>> 2. Running application and then shutdown.
>>>>>>>> Please let me know if anything specific is further needed from my end which
>>>>>>>> I can provide to have a better clarity.
>>>>>>>> I have shared the server.xml and command which we are using in stopping the
>>>>>>>> tomcat.
>>>>>>>> On Thu, Jul 23, 2020 at 2:49 AM Martin Grigorov <mgrigo...@apache.org>
>>>>>>>> wrote:
>>>>>>>>> On Wed, Jul 22, 2020, 15:55 Kushagra Bindal <bindal.kusha...@gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>> Hi Christopher,
>>>>>>>>>> Did you get a chance to look into this?
>>>>>>>>>> Please help us in resolving this issue.
>>>>>>>>>> On Sat, Jul 18, 2020 at 11:26 AM Kushagra Bindal <bindal.kusha...@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>> Hi Chris,
>>>>>>>>>>> Additionally when trying to stop running application, we
>>>

Re: Request for Help

2020-07-28 Thread Peter Rader
Hello Mohan,
 
please tell if you are using
1. the JSP technology inside the application
2. what JDK version on server-side
 
Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Mobile: 0049 (0)176 / 8 7521576
 
 

Sent: Wednesday, 29 July 2020 at 06:33
From: "Mohan T" 
To: "Tomcat Users List" 
Subject: Request for Help
Dear All,



In one of the environments we are using apache-tomcat-8.5.35.



On server start we are getting this exception

org.apache.catalina.core 28-Jul-2020 13:46:13.407 SEVERE 
[localhost-startStop-1] org.apache.catalina.core.StandardContext.loadOnStartup 
Servlet [RVW_Banner] in web application [/security] threw load() exception
java.lang.NoSuchMethodError: org.eclipse.jdt.internal.compiler.Compiler.<init>(Lorg/eclipse/jdt/internal/compiler/env/INameEnvironment;Lorg/eclipse/jdt/internal/compiler/IErrorHandlingPolicy;Lorg/eclipse/jdt/internal/compiler/impl/CompilerOptions;Lorg/eclipse/jdt/internal/compiler/ICompilerRequestor;Lorg/eclipse/jdt/internal/compiler/IProblemFactory;)V
at org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:480)

Any inputs to overcome this could help us in this.

Thanks

Mohan






Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys

2020-08-25 Thread Peter Kreuser
Pratik,

> On 25.08.2020 at 12:14, Pratik Shrestha wrote:
> 
> Hi all,
> 
> Tomcat version: 9.0.37
> 
> Our website is running on Tomcat. We did Qualys vulnerability scan on our
> site. Scan shows below vulnerability.
> 
> Insecure transport
> Group: Information Disclosure
> CWE CWE-319
> OWASP A3 Sensitive Data Exposure
> WASC WASC-4 INSUFFICIENT TRANSPORT LAYER PROTECTION
> 
> Please note
> 1. HTTP port is not enabled.


Which port does it complain on? Maybe it’s not Tomcat, but another service?


> 2. We have only opened HTTPS port 8443. But when we connect this HTTPS port
> with HTTP (http://www.oursite.com:8443/), we get an error "Bad Request. This
> combination of host and port requires TLS."
> 3. Due to the above error message, we get this vulnerability error from
> Qualys.
> 4. We have already enabled HSTS.
> 5. We have enabled Rewrite Valve also to direct all HTTP to HTTPS. But it
> never works. It is like, Tomcat doesn't care about Rewrite or HSTS. It just
> finds someone is accessing HTTPS port with HTTP protocol and then just
> throws error 400 'Bad Request'
> 6. Note that Tomcat version 7 used to send the error 'ERR_EMPTY_RESP' which
> should still be okay.
> 
> We already tried to find the fix for this issue on the web but in vain.
> 
> Kindly help if anyone has found a way to fix it.
> 
> Regards,
> Pratik

Peter





Re: Tomcat v9 - Insecure transport vulnerability reported by Qualys

2020-08-27 Thread Peter Kreuser
Mark,

Sorry for Top-posting.

I’m still wondering what is causing this Qualys finding.

I remember times when you got only garbage when you connected with http to 
https. Probably Qualys was fine with that.

Now you get a nice 400 message that helps the user understand his mistake and 
Qualys jumps on that!
From my point of view we should not change that behavior as it will not change 
the user's settings or mistyping.

I wonder how Nginx or httpd are reacting to this finding - if Qualys reacts in 
the same way?
Basically the scanner already has the information that this is an SSL port!
To me a bug in the scanner plugin!

My 2ct.

Peter

> On 27.08.2020 at 09:47, Mark Thomas wrote:
> 
> On 27/08/2020 06:31, Terence M. Bandoian wrote:
>> On 8/26/2020 11:27 PM, Pratik Shrestha wrote:
> 
> 
> 
>>> For me, there are two options for the fix which I am not able to make them
>>> work.
>>> 
>>> 1. Either show 'ERR_EMPTY_RESP' like old Tomcat version 7 used to show. As
>>> far as I know, with Tomcat 7 giving that error, Qualys did not use to show
>>> this vulnerability.
>>> 2. *Best is to do a redirect* when Tomcat sees error 400 to https URL. Like
>>> in Apache, we can add below.
>>>'ErrorDocument 400 "*https*://xxx.xxx.xxx.xxx"
>>> But as understood, redirect only works with error 3XX and ErrorDocument
>>> feature is not there in Tomcat yet.
> 
> 
> 
>> With HTTPD rewrite, whether or not the request is encrypted or sent to
>> the correct port can be detected and the request redirected as
>> appropriate. Maybe the same can be done with the rewrite valve used with
>> Tomcat.
> 
> This isn't currently possible with Tomcat because of detection of plain
> text HTTP when TLS should be used (and the generation of the associated
> response) is much, much earlier in the processing chain than the rewrite
> valve.
> 
> 
> 
>>>>> On 8/26/20 13:59, Mark Thomas wrote:
>>>>>> On 26/08/2020 17:50, Christopher Schultz wrote:
> 
> 
> 
>>>>>>> I'm interested in having Tomcat be able to pass these (admittedly
>>>>>>> stupid) security requirements,
>>>>>> I have no interest in adding bloat to Tomcat so it can pass so called
>>>>>> security requirements that have no relevance to actual security. Those
>>>>>> sort of changes are the sort that get me starting to think about using
>>>>>> a veto.
>> Understood. But what does the OP have in terms of options at this point?
>> 
>> 1. Ignore the complaint (probably not possible)
>> 2. Request a waiver for this issue (probably not possible, or at least would
>>    require 10 years of red tape)
>> 3. Front the server with httpd + "ErrorDocument 400" (which ... I think will
>>    *also* reply with a plaintext response, right?)
>> 4. Switch to Jetty
>> 
>> I'm trying to avoid "the easiest thing" which is probably to switch to
>> Jetty. I know our "customers" don't pay for Tomcat, but losing a "customer"
>> sucks.
> 
> One of the things I love about working Tomcat is when this sort of
> security nonsense comes along, I can a) call it out and b) veto (if I
> have to) the implementation without someone higher up the organisational
> hierarchy able to play the "I don't care if it is nonsense, our
> customers want it so you have to implement it" card.
> 
> My objection to implementing or changing features in response to
> "security nonsense" is that it perpetuates the problem. If people who
> know this is "security nonsense" just accept it rather than arguing
> against it, that nonsense eventually becomes "security fact". I think
> the world could do with a little more security fact and a little less
> security nonsense.
> 
> That said, I'm not against changing this feature where that change
> offers real benefits to users.
> 
>> How about being able to specify the response text, possibly blank?
> 
> While I remember, there was the issue raised that the response wasn't
> UTF-8 and we changed hard-coded response to UTF-8 rather than provide an
> option.
> 
> My concern with anything along the lines of making it configurable is
> that because this response is generated outside of the normal HTTP
> processing infrastructure you can quickly get into the situation where
> you end up replicating functionality we already have elsewhere.
> 
>> I think "ErrorDocument 400" with nothing e

Deploying war, Negative Date exception

2020-10-12 Thread Peter Henderson
Hello fellow tomcat users.

My environment.
Tomcat: 9.0.39
Java: openjdk 11.0.8 2020-07-14
OS: Ubuntu 18.04.5 LTS

Source code [0]

When deploying this war [1], by copying it into the webapps directory,
I get this exception. [2]
java.lang.IllegalArgumentException: Negative time


I only started seeing this exception when I upgraded my project's build tool
version
from
sbt.version=1.3.10
to
sbt.version=1.4.0


Is this a tomcat bug, a build tool bug or most likely something I'm doing
wrong?

Thanks
Peter.


[0]
https://github.com/bollinger/NegativeDate

[1]
https://github.com/bollinger/NegativeDate/blob/master/Negative.war

[2]
2020-10-12 11:41:35.932 SEVERE oacs.HostConfig Error deploying web application archive [/home/peter/apache-tomcat-9.0.39/webapps/Negative.war]
java.lang.IllegalStateException: Error starting child
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:690)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1848)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:118)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
    at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1620)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:305)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1151)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1353)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1357)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1335)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/Negative]]
    at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
    ... 24 more
Caused by: java.lang.IllegalArgumentException: Negative time
    at java.base/java.io.File.setLastModified(File.java:1441)
    at org.apache.catalina.startup.ExpandWar.expand(ExpandWar.java:169)
    at org.apache.catalina.startup.ContextConfig.fixDocBase(ContextConfig.java:820)
    at org.apache.catalina.startup.ContextConfig.beforeStart(ContextConfig.java:958)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:305)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:182)
    ... 25 more

-- 
Peter Henderson


Re: Deploying war, Negative Date exception

2020-10-12 Thread Peter Henderson
On Mon, 12 Oct 2020 at 14:50, Mark Thomas  wrote:

> On 12/10/2020 13:53, Mark Thomas wrote:
> > On 12/10/2020 12:49, Mark Thomas wrote:
> >> On 12/10/2020 12:19, Peter Henderson wrote:
> >>> Hello fellow tomcat users.
> >>>
> >>> My environment.
> >>> Tomcat: 9.0.39
> >>> Java: openjdk 11.0.8 2020-07-14
> >>> OS: Ubuntu 18.04.5 LTS
> >>>
> >>> Source code [0]
> >>>
> >>> When deploying this war [1], by copying it into the webapps directory,
> >>> I get this exception. [2]
> >>> java.lang.IllegalArgumentException: Negative time
> >>>
> >>>
> >>> I only started seeing this exception when I upgraded my projects build tool
> >>> version
> >>> from
> >>> sbt.version=1.3.10
> >>> to
> >>> sbt.version=1.4.0
> >>>
> >>>
> >>> Is this a tomcat bug, a build tool bug or most likely something I'm doing
> >>> wrong?
> >>
> >> Looks like an issue with the dates of files in the WAR.
> >>
> >> If you look at the dates of the files in the WAR nearly all of them are
> >> in the future (07 Feb 2106, 06:28).
> >>
> >> It looks like something is overflowing but a Java long shouldn't do that.
> >>
> >> Need to dig into exactly what is going on as this looks like it should
> >> work - even if the WAR contains files created almost a century in the
> >> future.
> >
> > Hmm. I see the 2106 date on the file system and with Java 8 but with
> > Java 11 I see 1969-dec-31 23:00 which gives -360 which triggers the
> > exception.
> >
> > The root cause appears to be in the JRE at this point. Whether it is in
> > the JRE used to create the WAR or the JRE reading the WAR is TBD.
> >
> > I think I am going to have to look at the raw bytes and the zip file
> > spec to figure out where the root cause is.
>
> That was fun.
>
> Per the zip spec, the last modified time on those files is:
>
> 1969-Dec-31 23:00:00 UTC
>
> i.e. 1 hour before the Epoch at 1970-Jan-01 00:00:00 UTC
>
> It is stored as a signed 32-bit int (F1F0) which is -3600 (zip
> timestamps are in seconds since the Epoch).
>
> Java 8 reads this incorrectly as an unsigned int (4294963696) which,
> when taken as seconds since Epoch, gives 2016-Feb-07 05:28:16 UTC.
>
> (Incidentally the archiver that ships with Ubuntu appears to make the same
> error)
>
> Java 11 reads this correctly but Java does not let you set times before
> the Epoch so the exception is triggered.
>
> The short version is that the modification times of the files in the WAR
> are being set to "1969-Dec-31 23:00:00 UTC" which Java doesn't like.
>
> Tomcat could handle this more gracefully but the end result will be the
> same - the WAR isn't going to deploy. I'm not convinced it is worth
> doing anything here.
>
> It looks like the fix will be somewhere in the build system used to
> create the WAR.
>

Thanks for digging into this.

For anyone else who runs into this.

When upgrading to sbt >= 1.4.0, an environment variable needs to be set:
SOURCE_DATE_EPOCH [0]

I suspect the bug is in [1] with the orElse(0L) start of epoch looks
familiar.


[0] https://reproducible-builds.org/docs/source-date-epoch/
[1] https://github.com/sbt/sbt/pull/5344/commits/1d0a41520071c2fcf694d6b68e4b5e7721f7c321

Peter.






>
> Mark

-- 
Peter Henderson

Director
Starjar Ltd.
www.starjar.com
0330 088 1662
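
The signed versus unsigned reading of the ZIP timestamp that Mark describes can be checked before a WAR is copied into webapps. The following is an added example, not code from this thread, from Tomcat or from sbt: it assumes the seconds-since-Epoch value is carried in the Info-ZIP "extended timestamp" extra field (header ID 0x5455), and the sample archive and the names `extended_mtime`, `audit_war` and `build_sample_war` are constructed for illustration.

```python
import io
import struct
import zipfile
from datetime import datetime, timedelta, timezone

EXT_TIMESTAMP_ID = 0x5455  # Info-ZIP extended timestamp extra field ("UT")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def extended_mtime(extra):
    """Return (signed, unsigned) views of the stored mtime, or None if absent.

    The extra area is a sequence of records: 2-byte header ID, 2-byte data
    size, then the data. For 0x5455 the data is a flags byte followed by
    4-byte little-endian times; bit 0 of the flags means mtime is present.
    """
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if len(body) < size:
            break  # truncated record, stop rather than misread
        if header_id == EXT_TIMESTAMP_ID and size >= 5 and body[0] & 0x01:
            (signed,) = struct.unpack_from("<i", body, 1)
            (unsigned,) = struct.unpack_from("<I", body, 1)
            return signed, unsigned
        pos += 4 + size
    return None


def to_utc(seconds):
    """Seconds since the Epoch as an ISO 8601 UTC string (works for negatives)."""
    return (EPOCH + timedelta(seconds=seconds)).isoformat()


def audit_war(data):
    """List entries whose stored mtime is before the Epoch when read as signed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as war:
        for info in war.infolist():
            times = extended_mtime(info.extra)
            if times is None:
                continue
            signed, unsigned = times
            if signed < 0:
                findings.append({
                    "name": info.filename,
                    "signed_seconds": signed,
                    "signed_utc": to_utc(signed),      # what a signed reader sees
                    "as_unsigned": unsigned,
                    "unsigned_utc": to_utc(unsigned),  # what an unsigned reader sees
                })
    return findings


def build_sample_war():
    """Constructed sample: one entry stamped -3600, one with a normal time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        bad = zipfile.ZipInfo("WEB-INF/web.xml", date_time=(1980, 1, 1, 0, 0, 0))
        bad.extra = struct.pack("<HHBi", EXT_TIMESTAMP_ID, 5, 0x01, -3600)
        war.writestr(bad, "<web-app/>")
        good = zipfile.ZipInfo("index.html", date_time=(2020, 10, 12, 11, 41, 34))
        good.extra = struct.pack("<HHBi", EXT_TIMESTAMP_ID, 5, 0x01, 1602502895)
        war.writestr(good, "<html/>")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_war(build_sample_war()):
        print(finding)
```

Run against a real archive by passing its bytes to `audit_war`; an empty list means no entry would hit the "Negative time" check for this reason.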


Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

2021-01-06 Thread Peter Kreuser
James,

> On 07.01.2021 at 00:34, James H. H. Lampert wrote:
> 
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
> 
> The customer apparently has his own CA (they're a big company), and when I 
> installed SSL in their Tomcat, and tested it with a browser, it complained, 
> something to the general effect of "weak signature algorithm."
> 
I guess they never upgraded their CA and still sign the certs with SHA1 or even 
MD5.

They should change that for sure!

Peter

> While it's not really my problem (and is only connected to Tomcat by virtue 
> of it happening with a Tomcat server), I'm curious about what's up with it, 
> if anybody here is able and willing to explain it.
> 
> Of course, a customer that's big enough to run a private CA in production is 
> already doing things beyond my pay grade.
> 
> --
> JHHL



Re: Question about TLS/SSL setup and SSLHostConfig or not

2021-03-02 Thread Peter Kreuser
Alex,

> On 02.03.2021 at 23:19, Alex wrote:
> 
> Hi.
> 
>> On 02.03.21 23:14, John Larsen wrote:
>> I usually let the apache webserver or nginx handle the SSL while proxying
>> to the tomcat.


Unless you need some really fancy rewriting or caching, Tomcat is absolutely 
capable to handle this. Even static files are OK nowadays.


>> To use tomcat's built in server you'll need to import the
>> SSL certificate into the keystore via your jdk.

That’s not the case anymore. Tomcat 8.5.x perfectly speaks PEM-files and 
openssl config. (See below)

Even dynamic reloading of SSL configs can be achieved with the jmxproxy.

> 
> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
> the backend, in this case tomcat.
> 
>> John Larsen
>>> On Tue, Mar 2, 2021 at 3:06 PM Alex  wrote:
>>> Hi.
>>> 
>>> I try to make a "good" tomcat config and read the docs.
>>> 
>>> Now in the Connector doc is the following statement.
>>> 
>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>> 
>>> Each secure connector must define at least one SSLHostConfig.
>>> 
>>> But when I look into the SSL/TLS Configuration How-To is the snippet
>>> without SSLHostConfig. What's now the "best" way to setup TLS/SSL
>>> with tomcat. I would prefer to put SSLHostConfig but I'm not sure if
>>> it's the way how the developer think to setup the TLS in tomcat?
>>> 
>>> I use JSSE as implementation.
>>> 
>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>> 
>>> ```
>>> 
>>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> port="8443" maxThreads="200"
>>> scheme="https" secure="true" SSLEnabled="true"
>>> keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>> clientAuth="false" sslProtocol="TLS"/>
>>> ```
>>> 

You should move this to SSLHostConfig.


  


HTH

Peter

>>> What's your suggestion and opinion to configure the tomcat in a
>>> proper way to use TLS also for the future versions.
>>> 
>>> Regards
>>> Alex



IDNs emoji replaced by punycode - how to remain with emoji?

2021-03-08 Thread Peter Rader


Hi,
 
I try to support an emoji in an IDN. This is the head of my engine-config:
 

   
    
  
  
 
Both, HTTP and HTTPS connector have the UTF8 encoding:
 

  
 
    
    
    
    
    
 
 
Unfortunately the browser-url redirect to the punycode xn--x7h.example.com in 
Chrome, Edge and Firefox (did not test more).
 
How to remain with emoji IDN in the browser URL?
 
Kind regards

Peter Rader
--
Fachinformatiker AE / IT Software Developer
Peter Rader
Wilsnacker Strasse 17
10559 Berlin - GERMANY
Tel: 0049 (0)30 / 6 29 33 29 6
Fax: 0049 (0)30 / 6 29 33 29 6
Mobile: 0049 (0)176 / 8 7521576




Re: [OT] programming style or mental process ?

2021-04-05 Thread Peter Kreuser
All,

> On 05.04.2021 at 14:38, Christopher Schultz wrote:
> 
> André,
> 
>> On 4/4/21 06:23, André Warnier (tomcat/perl) wrote:
>> Hi.
>> I have a question which may be totally off-topic for this list, but this has 
>> been puzzling me for a while and I figure that someone here may be able to 
>> provide some clue as to the answer, or at least some interesting points of 
>> view.
>> In various places (including on this list), I have seen multiple occurrences 
>> of a certain way to write a test, namely :
>>  if (null == request.getCharacterEncoding()) {
>> as opposed to
>>  if (request.getCharacterEncoding() == null) {
>> Granted, the two are equivalent in the end.
>> But it would seem to me, maybe naively, that the second form better 
>> corresponds to some "semantic logic", by which one wants to know if a 
>> certain a-priori unknown piece of data (here the value obtained by 
>> retrieving the character encoding of the current request) is defined (not 
>> null) or not (null).
>> Said another way : we don't want to know if "null" is equal to anything; we 
>> want to know if request.getCharacterEncoding() is null or not.
>> Or in yet another way : the focus (or the "subject" of the test) here is on 
>> "request.getCharacterEncoding()" (which we don't know), and not on "null" 
>> (which we know already).
>> Or, more literarily, given that the syntax of most (all?) programming 
>> languages is based on English (if, then, else, new, for, while, until, exit, 
>> continue, etc.), we (*) do normally ask "is your coffee cold ?" and not "is 
>> cold your coffee ?".
> 
> On the other hand, in English, coffee which is not hot is called "cold 
> coffee" but in e.g. Spanish, it's "coffee cold".
> 
>> So why do (some) people write it the other way ?
> 
> I personally put the null first because of my background in C. C compilers 
> (especially older ones) would happily compile this code without batting an 
> eyelash:
> 
>  char *s;
> 
>  s = call_some_function();
> 
>  if(s = null) {
>    // do some stuff
>  }
> 
> Guess what? "Do some stuff" is always executed, and s is always null.
> 
> If you switch the operands, the compiler will fail because you can't assign a 
> value to null:
> 
>  if(null = s ) {
>    // Compiler will refuse to compile
>  }
> 

Isn't it true that only one bit difference would result in false - so result 
would not have to be completely tested?

Peter 


> So it's a defensive programming technique for me.
> 
>> Is it purely a question of individual programming style ?
> 
> Perhaps at this stage in history, it is only "style". But it does have a 
> practical
> 
>> Is there some (temporary ?) fashion aspect involved ?
>> Do the people who write this either way really think in a different way ?
>> Or is there really something "technical" behind this, which makes one or the 
>> other way be slightly more efficient (whether to compile, or optimise, or 
>> run) ?
>> (*) excepting Yoda of course
> 
> -chris



Understanding issues with connection refused when redirecting internally

2021-04-09 Thread Peter Chamberlain
Hello,
I've been trying to understand the behaviour of tomcat when handling
internal redirects. I'm testing using tomcat 9.0.38. I'm testing using
jdk8 1.8.0_265. My main test cases have been 2 forwards to the same
servlet, and then a response. Or 2 redirects to the same servlet and
then a response. Servlet as follows:

import java.io.IOException;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(loadOnStartup = 1, value = "/")
public class ConnectorLimitServlet extends HttpServlet {

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws IOException, ServletException {
    // Number of hops still to perform
    int number = Integer.parseInt(req.getParameter("number"));
    // Fake some work done at each stage of processing
    try { Thread.sleep(500); } catch (InterruptedException e) {}
    resp.setContentType("text/plain");
    if (number <= 1) {
      resp.getWriter().write("Finished " + req.getServletPath());
      return;
    }
    switch (req.getServletPath()) {
      case "/redirect":
        // 302 back to this servlet: the client issues a new HTTP request
        resp.sendRedirect(new URL(req.getScheme() + "://" + req.getServerName() + ":"
            + req.getServerPort() + req.getRequestURI() + "?number=" + (number - 1)).toString());
        return;
      case "/forward":
        // Server-side forward: handled inside the same HTTP request
        final String forwardAddress = "/forward?number=" + (number - 1);
        getServletContext().getRequestDispatcher(forwardAddress).forward(req, resp);
    }
  }
}


It seems that under high load, 1000 threads in jmeter, Tomcat will
refuse some of the connections for nio2 connections but not for nio,
further it seems that these failures happen considerably earlier than
the configuration page would suggest would be the case. The
configuration suggests that if acceptCount is high enough for the
number of connections then they will be queued prior to reaching the
processing threads, so a small number of processing threads can exist
with a queue of connection feeding them, it seems like until
connectionTimeout is reached connections shouldn't be refused, but
that is not what occurs. In fact acceptCount seems to have very little
effect.
In short, my questions are:
Why is the nio2 connector type worse at this than nio type?
Why are connections refused before acceptCount is reached, or
connectionTimeout is reached?
I'm guessing that each forward or redirect effectively counts as an
extra connection, as removing the redirects and multiplying the number
of jmeter threads suggests that is the case, am I correct here?

Also, I feel like it would help if there were better documentation
around the differences between nio2 and nio, as, for example, the
connector comparison part makes them sound almost the same.

Apologies if this has been covered elsewhere before, I have been
searching but haven't found anything particularly clear covering this.
Best regards, Peter




Re: Understanding issues with connection refused when redirecting internally

2021-04-09 Thread Peter Chamberlain
On Fri, 9 Apr 2021, 14:29 Mark Thomas,  wrote:

> On 09/04/2021 11:53, Peter Chamberlain wrote:
> > Hello,
> > I've been trying to understand the behaviour of tomcat when handling
> > internal redirects. I'm testing using tomcat 9.0.38. I'm testing using
> > jdk8 1.8.0_265. My main test cases have been 2 forwards to the same
> > servlet, and then a response. Or 2 redirects to the same servlet and
> > then a response.
>
> The forward case looks like a single HTTP request to both Tomcat and the
> client.
>
> The redirect case looks like 3 separate HTTP requests to both Tomcat and
> the client. The first two receive a 302 response (no body) and finally a
> 200 response with a body. Depending on how the client and Tomcat are
> configured these requests may occur on a single network connection (HTTP
> keep-alive is enabled) or may require a separate connection for each
> request (HTTP keep-alive is disabled).
>
> Once you get into the situation where the network layer is over-loaded,
> behaviour is very much system dependent. It will vary between operating
> systems and between major Java versions.
>
> Note that the OS treats any accept count setting more as a guideline
> than a hard rule and may ignore it completely. Under heavy load you also
> often see other effects (such as port exhaustion impacting the results).
>
> If the backlog is considered to be full, any subsequent connection
> attempts will be refused immediately.
>
> Connection timeout is measured from when the server first tries to read
> the request. From that point the client has connectionTimeout to send
> the first byte.
>
> NIO uses a Poller/Selector approach whereas NIO2 uses completion
> handlers. In many ways there isn't that much difference between them. I
> suspect that NIO will perform better on some systems and NIO2 on others.
>
> When I have looked at this sort of thing in the past, the results have
> nearly always been skewed by other factors. Only by significantly
> reducing the number of client threads and Tomcat threads (less than 10
> each) was I able to start to see the sort of behaviour expected around
> dropped connections, backlog etc and even then it took a fair amount of
> analysis to confirm that what I was observing was as expected.
>
> Mark
>

Okay, that's very helpful. I did find it very difficult to get repeatable
results, so I suspect other layers are causing the issues I've noticed. So
long as I'm not misunderstanding the configuration options, or missing
anything that's fine.

Thanks a lot,

Peter

>
>   Servlet as follows:
> >
> > @WebServlet(loadOnStartup = 1, value = "/")
> > public class ConnectorLimitServlet extends HttpServlet {
> >
> >   @Override
> >   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
> >       throws IOException, ServletException {
> >     int number = Integer.parseInt(req.getParameter("number"));
> >     // Fake some work done at each stage of processing
> >     try { Thread.sleep(500); } catch (InterruptedException e) {}
> >     resp.setContentType("text/plain");
> >     if (number <= 1) {
> >       resp.getWriter().write("Finished " + req.getServletPath());
> >       return;
> >     }
> >     switch (req.getServletPath()) {
> >       case "/redirect":
> >         resp.sendRedirect(new URL(req.getScheme() + "://" +
> >             req.getServerName() + ":" + req.getServerPort() +
> >             req.getRequestURI() + "?number=" + (number - 1)).toString());
> >         return;
> >       case "/forward":
> >         final String forwardAddress = "/forward?number=" + (number - 1);
> >         getServletContext().getRequestDispatcher(forwardAddress).forward(req, resp);
> >     }
> >   }
> > }
> >
> >
> > It seems that under high load, 1000 threads in jmeter, Tomcat will
> > refuse some of the connections for nio2 connections but not for nio,
> > further it seems that these failures happen considerably earlier than
> > the configuration page would suggest would be the case. The
> > configuration suggests that if acceptCount is high enough for the
> > number of connections then they will be queued prior to reaching the
> > processing threads, so a small number of processing threads can exist
> > with a queue of connection feeding them, it seems like until
> > connectionTimeout is reached connections shouldn't be refused, but
> > that is not what occurs. In fact acceptCount seems to have very little
> > effect.

Re: Understanding issues with connection refused when redirecting internally

2021-04-09 Thread Peter Chamberlain
On Fri, 9 Apr 2021, 14:10 Christopher Schultz, 
wrote:

> Peter,
>
> On 4/9/21 06:53, Peter Chamberlain wrote:
> > Hello,
> > I've been trying to understand the behaviour of tomcat when handling
> > internal redirects. I'm testing using tomcat 9.0.38. I'm testing using
> > jdk8 1.8.0_265. My main test cases have been 2 forwards to the same
> > servlet, and then a response. Or 2 redirects to the same servlet and
> > then a response. Servlet as follows:
> >
> > @WebServlet(loadOnStartup = 1, value = "/")
> > public class ConnectorLimitServlet extends HttpServlet {
> >
> >   @Override
> >   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
> >       throws IOException, ServletException {
> >     int number = Integer.parseInt(req.getParameter("number"));
> >     // Fake some work done at each stage of processing
> >     try { Thread.sleep(500); } catch (InterruptedException e) {}
> >     resp.setContentType("text/plain");
> >     if (number <= 1) {
> >       resp.getWriter().write("Finished " + req.getServletPath());
> >       return;
> >     }
> >     switch (req.getServletPath()) {
> >       case "/redirect":
> >         resp.sendRedirect(new URL(req.getScheme() + "://" +
> >             req.getServerName() + ":" + req.getServerPort() +
> >             req.getRequestURI() + "?number=" + (number - 1)).toString());
> >         return;
> >       case "/forward":
> >         final String forwardAddress = "/forward?number=" + (number - 1);
> >         getServletContext().getRequestDispatcher(forwardAddress).forward(req, resp);
> >     }
> >   }
> > }
> >
> >
> > It seems that under high load, 1000 threads in jmeter, Tomcat will
> > refuse some of the connections for nio2 connections but not for nio,
> > further it seems that these failures happen considerably earlier than
> > the configuration page would suggest would be the case. The
> > configuration suggests that if acceptCount is high enough for the
> > number of connections then they will be queued prior to reaching the
> > processing threads, so a small number of processing threads can exist
> > with a queue of connection feeding them, it seems like until
> > connectionTimeout is reached connections shouldn't be refused, but
> > that is not what occurs. In fact acceptCount seems to have very little
> > effect.
>
> Are you testing on localhost, or over a real network connection? If a
> real network, what kind of network? How many JMeter instances vs Tomcat
> instances?
>
>
Localhost on Windows, although similar has been seen across the network on
Linux, this was an attempt to replicate a live issue in a minimal code
approach.

> In short, my questions are:
> > Why is the nio2 connector type worse at this than nio type?
>
> Let's table that for now.
>
> > Why are connections refused before acceptCount is reached, or
> > connectionTimeout is reached?
>
> How are you measuring the size of the OS's TCP connection queue? What
> makes you think that the OS has allocated exactly acceptCount entries in
> the TCP connection queue? What makes you think acceptCount has been
> reached? Or not yet reached?
>
> What do you think connectionTimeout does, and when do you think it applies?
>
>
>
I was attempting to use netstat for the queue. Tbh, I found it almost
impossible so was trying to gauge it mostly from jmeter results. I found
that it was important to leave a gap between tests as otherwise it was more
likely to fail.

I was just reading the configuration, and it sounded like acceptCount
connections would be queued, after maxThreads, until connectionTimeout
expired, but it seems connections were refused before then. From Mark's
response it sounds like acceptCount is more of a hint than a precise value,
and may not be used at all. And also there are likely to be other factors
outside of these settings that have impacts on these sorts of cases.

> I'm guessing that each forward or redirect effectively counts as an
> > extra connection, as removing the redirects and multiplying the number
> > of jmeter threads suggests that is the case, am I correct here?
>
> A redirect will cause one connection to be terminated (at least
> logically) and a new connection established. Assuming you are using
> KeepAlives from JMeter, the same underlying TCP connection will likely
> be used for the first and second requests. acceptCount probably doesn't
> apply, since the connection has definitely been established.
>

Re: Understanding issues with connection refused when redirecting internally

2021-04-11 Thread Peter Chamberlain
On Fri, 9 Apr 2021 at 18:12, Peter Chamberlain 
wrote:

>
>
> On Fri, 9 Apr 2021, 14:10 Christopher Schultz, <
> ch...@christopherschultz.net> wrote:
>
>> Peter,
>>
>> On 4/9/21 06:53, Peter Chamberlain wrote:
>> > Hello,
>> > I've been trying to understand the behaviour of tomcat when handling
>> > internal redirects. I'm testing using tomcat 9.0.38. I'm testing using
>> > jdk8 1.8.0_265. My main test cases have been 2 forwards to the same
>> > servlet, and then a response. Or 2 redirects to the same servlet and
>> > then a response. Servlet as follows:
>> >
>> > @WebServlet(loadOnStartup = 1, value = "/")
>> > public class ConnectorLimitServlet extends HttpServlet {
>> >
>> >   @Override
>> >   protected void doGet(HttpServletRequest req, HttpServletResponse resp)
>> >       throws IOException, ServletException {
>> >     int number = Integer.parseInt(req.getParameter("number"));
>> >     // Fake some work done at each stage of processing
>> >     try { Thread.sleep(500); } catch (InterruptedException e) {}
>> >     resp.setContentType("text/plain");
>> >     if (number <= 1) {
>> >       resp.getWriter().write("Finished " + req.getServletPath());
>> >       return;
>> >     }
>> >     switch (req.getServletPath()) {
>> >       case "/redirect":
>> >         resp.sendRedirect(new URL(req.getScheme() + "://" +
>> >             req.getServerName() + ":" + req.getServerPort() +
>> >             req.getRequestURI() + "?number=" + (number - 1)).toString());
>> >         return;
>> >       case "/forward":
>> >         final String forwardAddress = "/forward?number=" + (number - 1);
>> >         getServletContext().getRequestDispatcher(forwardAddress).forward(req, resp);
>> >     }
>> >   }
>> > }
>> >
>> >
>> > It seems that under high load, 1000 threads in jmeter, Tomcat will
>> > refuse some of the connections for nio2 connections but not for nio,
>> > further it seems that these failures happen considerably earlier than
>> > the configuration page would suggest would be the case. The
>> > configuration suggests that if acceptCount is high enough for the
>> > number of connections then they will be queued prior to reaching the
>> > processing threads, so a small number of processing threads can exist
>> > with a queue of connection feeding them, it seems like until
>> > connectionTimeout is reached connections shouldn't be refused, but
>> > that is not what occurs. In fact acceptCount seems to have very little
>> > effect.
>>
>> Are you testing on localhost, or over a real network connection? If a
>> real network, what kind of network? How many JMeter instances vs Tomcat
>> instances?
>>
>>
> Localhost on Windows, although similar has been seen across the network
> on Linux, this was an attempt to replicate a live issue in a minimal code
> approach.
>
> > In short, my questions are:
>> > Why is the nio2 connector type worse at this than nio type?
>>
>> Let's table that for now.
>>
>> > Why are connections refused before acceptCount is reached, or
>> > connectionTimeout is reached?
>>
>> How are you measuring the size of the OS's TCP connection queue? What
>> makes you think that the OS has allocated exactly acceptCount entries in
>> the TCP connection queue? What makes you think acceptCount has been
>> reached? Or not yet reached?
>>
>> What do you think connectionTimeout does, and when do you think it
>> applies?
>>
>>
>>
> I was attempting to use netstat for the queue. Tbh, I found it almost
> impossible so was trying to gauge it mostly from jmeter results. I found
> that it was important to leave a gap between tests as otherwise it was more
> likely to fail.
>
> I was just reading the configuration, and it sounded like acceptCount
> connections would be queued, after maxThreads, until connectionTimeout
> expired, but it seems connections were refused before then. From Mark's
> response it sounds like acceptCount is more of a hint than a precise value,
> and may not be used at all. And also there are likely to be other factors
> outside of these settings that have impacts on these sorts of cases.
>
> > I'm guessing that each forward or redirect effectively counts as an
>> > e

Re: Understanding issues with connection refused when redirecting internally

2021-04-12 Thread Peter Chamberlain
On Mon, 12 Apr 2021, 09:07 Mark Thomas,  wrote:

> On 11/04/2021 11:03, Peter Chamberlain wrote:
>
> 
>
> > I've been investigating this some more, as I'm not convinced nio2 isn't
> > behaving strangely in this case. I think there may have been some sort of
> > reversion as it is much less likely to refuse connections for nio2 in
> > tomcat 9.0.13 when compared to 9.0.14. I'm wondering if it has something
> > to do with:
> >
> >   Avoid using a dedicated thread for accept on the NIO2 connector,
> >   it is always less efficient. (remm)
> >
> > And if it is hitting some sort of accept thread starvation case when it
> > is fully loaded. In tomcat 9.0.13 I can hit a maxThreads=200 nio2 connector
> > with 5000 jmeter threads and not experience a connection refused, but in
> > 9.0.14 I can't reach 1000 without refused connections. It doesn't seem to
> > be related to forwards or redirects either. If I just sleep for 1500
> > milliseconds for every servlet run and not redirect or forward and it
> > behaves the same.
> > We've been using nio2 in our tomcats exclusively for some time, as we hit
> > an issue with nio in the past (can't remember what it was, it is likely
> > fixed by now I would think), so I guess we're more likely to notice this
> > sort of thing.
>
> I think you are asking the wrong question(s). 200 threads with a 1500ms
> wait means I would expect Tomcat to be processing ~133 requests per
> second. (Assuming you have at least 200 client threads as well). Higher
> numbers of client threads, the timeouts configured on the client, the
> timeouts configured on Tomcat, the accept count etc shouldn't change the
> requests per second results. What will change is the failure scenarios
> you observe - and I think that is what you are seeing here between
> 9.0.13 and 9.0.14. 9.0.13 might be accepting more connections but that
> doesn't mean those connections are being processed faster. Depending on
> timeouts, they might (eventually) get processed or they might timeout.
>
> You might want to try the following:
> - Limit the number of loops to, say, 10 so you get 50,000 requests. Look
> at the response time stats. What is the average? What is the min/max?
> - Repeat the test. Do the results remain consistent?
> - Repeat the test with more loops. Do the results remain consistent?
> - Repeat the test with fewer client threads. At what point do you start
> to get consistent results?
>
> It may well be that changes to Tomcat over time have changed the way
> Tomcat behaves under various (overloaded network) failure scenarios.
>
> My reading of the change that you reference above does mean that Tomcat
> will only accept a new connection over NIO2 when it has a processing
> thread available to process it. That will change the way Tomcat behaves
> when presented with a large spike of new connections. (Significantly)
> increasing the acceptCount (a.k.a. backlog) to more than the number
> connections expected in a single "spike" in 9.0.14 should give 9.0.13
> like behaviour.
>
> HTH,
>
> Mark
>

I understand what you are saying. I'm only actually hitting it with 1000
requests total, and approx 300 are failing with connection refused. This
isn't just the first run either, so it isn't a JVM warm-up issue. I'm
overloading the number of threads (200). But it doesn't really handle that
overloading in the way that might be expected (just delaying processing,
it's failing some inside 7 seconds, even with high accept count, max
connections, and connection timeouts). Essentially we're looking at cases
where we are overloaded for short periods, and trying to cope with that
without a bad customer response. This is for a link server of sorts, so the
result at present is people clicking links get failures, rather than
delays. Obviously we can increase number of threads to mitigate this to
some degree (although that increases resources used), we're looking at
improving the performance too, and we can spread the load over more servers
if necessary. I'm still concerned this is likely to happen for this
application, so have recommended we switch back to nio instead, as it seems
to cope better with it. There is a difficult balance here with sufficient
performance against coping with DDoS attempts, so I understand it's not
really a simple area. Just thought you should know that 9.0.14 made it much
worse compared to 9.0.13, in case this query comes up again.
Obviously waiting for a large period of time for link clicks to work is
also undesirable, we are really just looking at worst case scenarios here.

Best regards, Peter.
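
The thread asks how to tell what accept queue the OS really grants for a requested acceptCount (a.k.a. backlog). The probe below is an added example, not code from the thread or from Tomcat: it binds a loopback listener that never calls accept() and counts how many connects the OS completes. The class name `BacklogProbe`, the backlog values, the attempt limit and the connect timeout are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the thread. The listener never calls accept(),
// so every completed handshake stays in the OS queue; the probe counts how
// many client connects succeed for each requested backlog.
public class BacklogProbe {

    // Returns {completedConnects, failureKind}: 0 = none, 1 = refused/error, 2 = timed out.
    static int[] probe(int backlog, int maxAttempts, int timeoutMs) throws IOException {
        List<Socket> held = new ArrayList<>();
        int failure = 0;
        // Port 0 asks the OS for a free ephemeral port; loopback only.
        try (ServerSocket listener =
                 new ServerSocket(0, backlog, InetAddress.getLoopbackAddress())) {
            InetSocketAddress target = new InetSocketAddress(
                InetAddress.getLoopbackAddress(), listener.getLocalPort());
            for (int i = 0; i < maxAttempts && failure == 0; i++) {
                Socket s = new Socket();
                try {
                    s.connect(target, timeoutMs);
                    held.add(s);   // keep it open so the queue slot stays occupied
                } catch (SocketTimeoutException e) {
                    failure = 2;   // handshake never completed within timeoutMs
                    s.close();
                } catch (IOException e) {
                    failure = 1;   // connection refused or another connect error
                    s.close();
                }
            }
        } finally {
            for (Socket s : held) {
                try { s.close(); } catch (IOException ignored) { }
            }
        }
        return new int[] {held.size(), failure};
    }

    public static void main(String[] args) throws IOException {
        String[] kinds = {"none", "refused/error", "timed out"};
        for (int backlog : new int[] {1, 10, 50, 200}) {
            int[] r = probe(backlog, 500, 300);
            System.out.printf("requested backlog=%d  completed=%d  first failure=%s%n",
                backlog, r[0], kinds[r[1]]);
        }
    }
}
```

Run it on the same OS and JVM as the Tomcat under test: both the completed count and whether the overflow shows up as a refusal or a timeout are platform dependent, which is the point made in the replies above.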




Re: Connector Port Issue

2021-08-05 Thread Peter Kreuser
Chris,

> On 05.08.2021 at 18:32, Rob Sargent wrote:
> 
> 
>>Caused by: java.lang.IllegalArgumentException: No SSLHostConfig 
>> element was found with the hostName [_default_] to match the 
>> defaultSSLHostConfigName for the connector [https-jsse-nio-9443]
>> 
> 

The SSL options are not attributes on the connector, but on the SSLHostConfig.

http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#Common_Attributes

http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support

Peter

> Isn’t that the real issue?
> 
> 

