-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 James,
On 1/7/20 8:24 PM, James H. H. Lampert wrote: > On 1/7/20 4:19 PM, Christopher Schultz wrote: > >> You probably "spelled" something incorrectly. It might be a >> quoting/escaping issue. It might be a literal misspelling/typo. >> >> The JMXProxyServlet shouldn't NPE like that, though. >> >> I'll take a look and see if we can give you a better error >> message than that when it happens. > > Well given that (1) there's no production data at stake, (2) you > don't know where this server is, (3) the test user will be removed > permanently and replaced with something else once this problem is > resolved, and (4) the test user will never be active if I'm not > running actual tests, there's no reason to censor the curl call. > > curl -k -u test:test > https://localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProto colHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostCon figs > > > > > I tried it with or without quote marks around the URL; I tried it > both with the user in a "-u" clause, as above, or with the user > prefixing the domain. In all four cases, I get what appears to be > the exact same stacktrace as before. You will absolutely have to quote the whole URL, otherwise the embedded "&" character will cause the shell to do weird things. In a local VisualVM, I grabbed the path to a random protocol handler. The JMX bean object name was: Catalina:type=ProtocolHandler,port=8215 I'm only missing the address portion, because I haven't set any address in the configuration. I don't believe any of those characters need to be escaped except for the "=" because the object name needs to be a parameter value. That would give me: Catalina:type%3DProtocolHandler,port%3D8215 Now the URL line becomes (for me, using a management port): http://localhost:8217/manager/jmxproxy?invoke=Catalina:type%3DProtocolHa ndler,port%3D8215&op=reloadSslHostConfigs This gives me the same stack trace as you; same line numbers, etc. In my case, I have no SSL configured, so maybe I can't reload those configs for some reason. If I call an arbitrary other method, it works: http://localhost:8217/manager/jmxproxy?invoke=Catalina:type%3DProtocolHa ndler,port%3D8215&op=findSslHostConfigs OK - Operation findSslHostConfigs returned: There is no other output. So there aren't any SSLHostConfigs. Have you configured any <SSLHostConfig> elements, or are you using the old-style configuration like: <Connector SSLProtocol="TLS" keystoreFile="..." /> ? You may need to change your connector configuration to use nested <SSLHostConfig> elements if it's not that way already. Try invoking the "findSslHostConfigs" operation to see if it completes. That will at least tell you if you have your objectname correct. Like this: $ curl -k -u "test:test" "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type%3DProtocol Handler,port%3D8443,address%3D127.0.0.1&op=findSslHostConfigs" > I can't tell any difference, other than the user, and specifying a > port, between that and the "hard-coded" curl call on slide 35 of > the presentation. And if I leave out the port number, I get > "connection refused." > > FYI, the relevant lines in tomcat-users.xml (with the actual admin > user definition redacted) are: > >> <role rolename="manager-gui"/> <role rolename="manager-jmx"/> >> [line redacted] <user username="test" password="test" >> roles="manager-gui,manager-jmx"/> Your role is fine, now. You would have gotten a 401 response if you didn't have the right credentials. - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4V1okACgkQHPApP6U8 pFgdjw//SJZPMvvfo322JDngUr6Sdv5MAmV0rfJZ0CQYmQ54LnhAIVX4I3TsgXae OwDtoQqi9tBk/1qhv9a9GZneXfox28FFb8PiTcwmUSAMcJfzoNFAESqC1HPZGqtD ET+cNXAde7N4bfaV/+HJGkTUEl5Ze2SBnONBxaBwMQgSUiYCwfr9iv/K2LIpGnjt PdCts7/XuvGmbWLsZFUpR6tWOwVYUGjXlT042mBegJPQoHkabAFv0xknrgk8oKaD bUKk2MSB/KZvR6Pzeq+pltSsjoE4C5zMx04gmMndcD7costp+1l2gXk7yOuC2qlI IRY3LxfI2qIstxcbX9DeuPuQcR0NBsUCcC4CNfBldJy2MEexiwlYp61JPwWr51f3 2gR9MKO11uAlVI1+xXXUsd5wTaXWOvAniphhO35ef88iLsNKQCEo24XhC0x9fYX9 MvbOMFO6w5jlslnrfTxSJyqMm1MT/uBnhoZx1lGHwTswF2/Zp9VDSgOiFCzNLkc9 UfRd+KY/Bk3pDkkkQ3BvEjLg/Lirudtaa9xTjfHDjpEIOUXFsYmALY9cqBvocrtF BVJIMUrvv4LlzzOtFXEqhnr5nh9HZJR9+3AggY0yy3gqa3fdiSli/I3JZNfYBSWx c0XR/sex2+vMeIAL+F89Bwp5AV5Q3ncs5Dp8xYIHnCx8yRd2eDo= =Yj+m -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
