Re: JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Igor Cicimov
On Wed, Oct 8, 2014 at 4:16 AM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

> Am 07.10.2014 um 14:32 schrieb Igor Cicimov:
>
>> Hi Felix,
>>
>> First thanks for your reply.
>>
>> On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
>> felix.schumac...@internetallee.de> wrote:
>>
>>  Hi Igor,
>>>
>>> Am 07.10.2014 07:07, schrieb Igor Cicimov:
>>>
>>>  Hi all,

 I've been setting up user authentication based on JNDIRealm and have
 couple
 of questions regarding the operation. I've been using one of the secured
 applications that come with the examples included in Tomcat source for
 testing. My setup with obfuscated names and passwords is as follows.

  Which tomcat version do you use?
>>>
>>>  It's  7.0.52-1ubuntu0.1 from Ubuntu 14.04 repository, sorry I missed
>> mentioning that.
>>
>>
>>  I have the following Realm in the default host:

>>> autoDeploy="false">
  >>> debug="99"

  debug is not used anymore, so just delete it.
>>>
>>>  Done.
>>
>>
>>   connectionURL="ldap://ldap1.mydomain.com:389"
>>   alternateURL="ldap://ldap2.mydomain.com:389"
>>   connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>   connectionPassword="password"
>>   userBase="ou=Users,dc=mydomain,dc=com"
>>   userSearch="uid={0}"
>>   roleBase="ou=Groups,dc=mydomain,dc=com"
>>   roleName="cn"
>>   roleSearch="memberUid={1}"
>>   contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>

  Do you need the LdapTlsContextFactory? If so, what is your ldap server
>>> setup?
>>>
>>>  Good that you mentioned that I wanted to ask about this in a separate
>> thread. I was searching for STARTTLS support in the JNDIRealm and this was
>> the only solution I could find. I got the directions from here:
>> http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
>> installed the context factory since the TLS is a must for my use case.
>> It's working fine for me but still wanted to ask, since the above HowTo is
>> from 2010, has this been maybe integrated in the Tomcat mainstream now and
>> I have missed something in the documentation or is it still a (only) valid
>> solution for TLS support?
>>
> If TLS is important to you, I hope you have changed the HostnameVerifier to
> something more sensible :)
>
Hmmm, was not aware of that, will have a look for sure.


> There is a bug request open https://issues.apache.org/
> bugzilla/show_bug.cgi?id=49785
> but only very few people asked for it in the last four years. You can try
> to vote it up.
>
Thanks for the link, I upvoted.


> I have only used ldap servers, which would be reachable by ssl, so there
> was no
> need for me to investigate further. Any reason why your ldap server can't
> be used with ssl?
>
Well, for LDAP, SSL is considered deprecated in favour of TLS, which I use
everywhere possible, like LDAP, Postfix etc. I don't see a reason for using
SSL and opening another port on the server, but that's maybe just me :-)



> Felix
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Maven Tomcat 6/7/8 plugin

2014-10-07 Thread Matthias Hryniszak
Daniel,

unfortunately after careful examination it turns out that there is a
difference in how the RemoteIpFilter and RemoteIpValve work.

The filter operates on a wrapped request. This means that the call to
request.getRequestURL() - as used by
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(...) -
since it is not overridden, is invoked directly on the original
org.apache.catalina.connector.Request (through
org.apache.catalina.connector.RequestFacade) and not on the wrapper. The
latter doesn't know about the modifications to request properties, as
they are implemented in another instance.

The valve modifies directly the underlying
org.apache.catalina.connector.Request and therefore the call to
Request.getRequestURL() returns the actual result.

So I guess we're back to square one, where adding the RemoteIpValve is the
only viable solution (not just in this case but basically everywhere the
Request.getRequestURL() method is used, since it does not return the proper
result).

Any ideas on getting the valve installed when running mvn tomcat7:run in
the current version (2.2) ?

Thanks in advance!


Best regards,
Matthias.

2014-10-06 13:45 GMT+02:00 Matthias Hryniszak :

> Perfect! I didn't know about this one. Thanks!
>
> 2014-10-06 13:37 GMT+02:00 Daniel Mikusa :
>
>>  On Sun, Oct 5, 2014 at 2:00 PM, Matthias Hryniszak 
>> wrote:
>>
>>> It seems I might have expressed myself poorly. Let me rephrase:
>>>
>>> I'm looking for RemoteIpValve support in maven-tomcat7-plugin.
>>
>>
>> Perhaps you could use RemoteIPFilter instead?  You can configure that
>> through web.xml.
>>
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_IP_Filter
>>
>> Dan
>>
>>
>>> I know the
>>> valve itself exists since long before version 7 and I am already using it
>>> in production. What I'm on to here is running Maven-managed web
>>> applications in development and as far as I can see it's been added ~2
>>> weeks after the release of 2.2 version of that plugin
>>>
>>> Alternatively if you know of a way to persuade Apache CXF to present the
>>> endpoint URL using HTTPS scheme when running mvn tomcat7:run. CXF does it
>>> automatically if the RemoteIpValve is installed and a proper header exists
>>> (as in the isSecure() method returns true). Otherwise it does just HTTP
>>> and
>>> that in turn makes my local HAProxy do a 302 to HTTPS which ends up in an
>>> infinite loop and that's not exactly the result I was hoping for...
>>>
>>> Cheers,
>>> Matthias
>>>
>>> 2014-10-05 19:31 GMT+02:00 Konstantin Kolinko :
>>>
>>> > 2014-10-05 18:01 GMT+04:00 Matthias Hryniszak :
>>> > > Hi all,
>>> > >
>>> > > I'm new to this list so let me briefly introduce myself. My name is
>>> > > Matthias and I live in Poland. I'm a software architect for Lumesse,
>>> a
>>> > > British software development company. The core of our development is
>>> > talent
>>> > > acquisition and talent management software. The part I'm working
>>> with is
>>> > > e-learning solutions.
>>> > >
>>> > > Now that you all know me let me ask you a question: are there any
>>> plans
>>> > on
>>> > > releasing a new version of the maven-tomcat7-plugin and/or an
>>> upgrade to
>>> > > maven-tomcat8-plugin? We're falling short a bit on the lack of
>>> remote IP
>>> > > valve in the current release
>>> >
>>> > RemoteIpValve does exist in Tomcat 7
>>> >
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
>>> >
>>> > > and I was wondering if that's going to be
>>> > > released any time soon. Please note the last release (2.2) was
>>> November
>>> > > 2013 and there's been lots of changes so it'd be great to have them
>>> > > stabilized and released - not to mention the upgrade over embedded
>>> Tomcat
>>> > > version.
>>> >
>>> > It is being developed on a branch,
>>> > http://svn.apache.org/viewvc/tomcat/maven-plugin/branches/tc8.x/
>>> >
>>> > See archives of tomcat dev mailing list for discussions.
>>> >
>>> > Thus far, integration tests are failing,
>>> > http://markmail.org/message/xc5r6yycrvmjh2vx
>>> >
>>> >
>>> > Best regards,
>>> > Konstantin Kolinko
>>> >
>>> >
>>>
>>
>>
>

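Whichever of the two components ends up installed, the security-relevant part of RemoteIpValve and RemoteIpFilter is the same: X-Forwarded-For and X-Forwarded-Proto are honoured only when the TCP peer matches internalProxies (or trustedProxies). Without that gate any client could send X-Forwarded-Proto: https itself and have isSecure() return true, which is exactly the property Matthias wants HAProxy, and only HAProxy, to control. The class below is an added, stand-alone model of that trust walk (my code, not Tomcat's, and it does not reproduce the wrapper-versus-underlying-request issue described above). The regexes and addresses are assumptions: 10.x.x.x stands in for the internal HAProxy tier, 192.0.2.x for a trusted external proxy, and 203.0.113.7 / 198.51.100.9 are documentation-range clients.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Stand-alone model of the RemoteIpValve/RemoteIpFilter trust walk; not Tomcat's code. */
public class RemoteIpModel {

    /** What the valve would leave on the request. */
    static final class Result {
        final String remoteAddr;         // what request.getRemoteAddr() will return
        final boolean secure;            // what request.isSecure() will return
        final String scheme;
        final List<String> forwardedBy;  // trusted foreign proxies, reported in X-Forwarded-By
        final List<String> forwardedFor; // rewritten X-Forwarded-For: untrusted hops left of the client

        Result(String remoteAddr, boolean secure, List<String> forwardedBy, List<String> forwardedFor) {
            this.remoteAddr = remoteAddr;
            this.secure = secure;
            this.scheme = secure ? "https" : "http";
            this.forwardedBy = forwardedBy;
            this.forwardedFor = forwardedFor;
        }

        @Override
        public String toString() {
            return scheme + " client=" + remoteAddr + " secure=" + secure
                    + " forwardedBy=" + forwardedBy + " forwardedFor=" + forwardedFor;
        }
    }

    private final Pattern internalProxies; // our own proxies: trusted, never reported
    private final Pattern trustedProxies;  // foreign proxies we trust: reported, or null

    RemoteIpModel(String internalProxiesRegex, String trustedProxiesRegex) {
        this.internalProxies = Pattern.compile(internalProxiesRegex);
        this.trustedProxies = trustedProxiesRegex == null ? null : Pattern.compile(trustedProxiesRegex);
    }

    Result process(String remoteAddr, String xForwardedFor, String xForwardedProto, boolean connectionSecure) {
        // Gate: the headers count only if the TCP peer is one of our own proxies.
        if (!internalProxies.matcher(remoteAddr).matches()) {
            return new Result(remoteAddr, connectionSecure, new ArrayList<String>(), new ArrayList<String>());
        }
        List<String> hops = new ArrayList<>();
        if (xForwardedFor != null) {
            for (String hop : xForwardedFor.split(",")) {
                if (!hop.trim().isEmpty()) {
                    hops.add(hop.trim());
                }
            }
        }
        // Walk right to left: the rightmost entry was appended by the proxy closest to us,
        // the only one whose honesty the gate above vouches for.
        String clientIp = remoteAddr;
        List<String> forwardedBy = new ArrayList<>();
        int idx;
        for (idx = hops.size() - 1; idx >= 0; idx--) {
            String hop = hops.get(idx);
            clientIp = hop;
            if (internalProxies.matcher(hop).matches()) {
                continue;                   // ours: skipped silently
            }
            if (trustedProxies != null && trustedProxies.matcher(hop).matches()) {
                forwardedBy.add(0, hop);    // known foreign proxy: recorded, keep walking
                continue;
            }
            idx--;                          // first address nobody vouches for: the client
            break;
        }
        List<String> forwardedFor = new ArrayList<>();
        for (; idx >= 0; idx--) {
            forwardedFor.add(0, hops.get(idx)); // left of the client: untrusted, passed on as-is
        }
        boolean secure = connectionSecure;
        if (xForwardedProto != null) {
            secure = "https".equalsIgnoreCase(xForwardedProto.trim());
        }
        return new Result(clientIp, secure, forwardedBy, forwardedFor);
    }

    public static void main(String[] args) {
        // Assumed patterns: 10.x.x.x is our HAProxy tier, 192.0.2.x a trusted external proxy.
        RemoteIpModel model = new RemoteIpModel(
                "10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}", "192\\.0\\.2\\.\\d{1,3}");

        // 1. Via our TLS-terminating HAProxy: headers honoured, isSecure() becomes true.
        System.out.println(model.process("10.0.0.5", "203.0.113.7", "https", false));
        // 2. Same headers sent straight by a client: peer is not a proxy, headers ignored.
        System.out.println(model.process("198.51.100.9", "203.0.113.7", "https", false));
        // 3. Trusted external proxy in front of our own: the client is found two hops back.
        System.out.println(model.process("10.0.0.5", "203.0.113.7, 192.0.2.20, 10.0.0.6", "https", false));
        // 4. Client pads X-Forwarded-For with a fake entry: it stays left of the real client.
        System.out.println(model.process("10.0.0.5", "1.2.3.4, 203.0.113.7", "https", false));
    }
}
```

In server.xml terms the two patterns are the valve's internalProxies and trustedProxies attributes. Run 2 is the reason the gate exists, and run 4 is why X-Forwarded-For must never be read as "the first address is the client": only the entry appended by a proxy you trust is meaningful.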

RE: Help with Apache Tomcat/7.0.53 SSL issue

2014-10-07 Thread Brewer, Edward L
To all,


Oh...  Here is the entry in our server.xml  (probably the most important part)





Users connect directly to the first listed connection. The second SSL port is
not currently used.

Thanks,
Lee

From: Brewer, Edward L [mailto:lee.bre...@vanderbilt.edu]
Sent: Tuesday, October 07, 2014 1:31 PM
To: users@tomcat.apache.org
Subject: Help with Apache Tomcat/7.0.53 SSL issue

To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL.
I am currently running three environments (Dev, UAT, and Prod). Prod comprises
4 VMs (uname states the version as "2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux")
with each containing a local version of Java [ Java(TM) SE Runtime Environment
(build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed
mode) ]. As well, Tomcat and Java are owned by the user running the app. The
VMs are load balanced over two pairs of LTMs (LTM1 balances node 1 and node 2;
LTM2 balances node 3 and node 4). The test environment is scaled down to just
one LTM with two nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL;
everything went as planned. When I deployed into production, I started to get
complaints about timeouts to the service. After much troubleshooting... we
were able to discern, using curl, that in production the LTM was not getting a
response back from the application (using TCPDUMP) intermittently. Our LTMs
are configured to serve as an SSL proxy. On the VM, TCPDUMP shows that traffic
is being presented to the socket but there is no response. As far as I can
tell the three environments (TOMCAT and JAVA) are the same. I find nothing in
the logs from both access and catalina.out. When I restart the servers the
problem goes away for about one hour, then it comes back rapidly. Using top and
sar I do not see any issues with operating system performance. Also, by going
down to one node the problem persists. As well, here are the options that are
in setenv.sh

export JAVA_OPTS="$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g"


Here is the error that I see from curl

curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt 
University
lee.bre...@vanderbilt.edu | phone 
615.343.2802 | it.vanderbilt.edu



Help with Apache Tomcat/7.0.53 SSL issue

2014-10-07 Thread Brewer, Edward L
To all,

I am using Apache Tomcat 7.0.53 and I am having an intermittent issue with SSL.
I am currently running three environments (Dev, UAT, and Prod). Prod comprises
4 VMs (uname states the version as "2.6.32-431.11.2.el6.x86_x86_64 GNU/Linux")
with each containing a local version of Java [ Java(TM) SE Runtime Environment
(build 1.7.0_55-b13) Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed
mode) ]. As well, Tomcat and Java are owned by the user running the app. The
VMs are load balanced over two pairs of LTMs (LTM1 balances node 1 and node 2;
LTM2 balances node 3 and node 4). The test environment is scaled down to just
one LTM with two nodes and development is just a single VM.

Now, when I deployed dev and test I did not have any issues with SSL;
everything went as planned. When I deployed into production, I started to get
complaints about timeouts to the service. After much troubleshooting... we
were able to discern, using curl, that in production the LTM was not getting a
response back from the application (using TCPDUMP) intermittently. Our LTMs
are configured to serve as an SSL proxy. On the VM, TCPDUMP shows that traffic
is being presented to the socket but there is no response. As far as I can
tell the three environments (TOMCAT and JAVA) are the same. I find nothing in
the logs from both access and catalina.out. When I restart the servers the
problem goes away for about one hour, then it comes back rapidly. Using top and
sar I do not see any issues with operating system performance. Also, by going
down to one node the problem persists. As well, here are the options that are
in setenv.sh

export JAVA_OPTS="$JAVA_OPTS\
-verbosegc\
-Xms256m\
-XX:+DisableExplicitGC\
-Xmx2g"


Here is the error that I see from curl

curl: (52) SSL read: error::lib(0):func(0):reason(0), errno 104

Help,
Lee Brewer

Lee Brewer | Application Developer | Information Technology | Vanderbilt 
University
lee.bre...@vanderbilt.edu | phone 615.343.2802 | 
it.vanderbilt.edu



JNDIRealm and TLS, was: Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Felix Schumacher

Am 07.10.2014 um 14:32 schrieb Igor Cicimov:

Hi Felix,

First thanks for your reply.

On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:


Hi Igor,

Am 07.10.2014 07:07, schrieb Igor Cicimov:


Hi all,

I've been setting up user authentication based on JNDIRealm and have
couple
of questions regarding the operation. I've been using one of the secured
applications that come with the examples included in Tomcat source for
testing. My setup with obfuscated names and passwords is as follows.


Which tomcat version do you use?


It's  7.0.52-1ubuntu0.1 from Ubuntu 14.04 repository, sorry I missed
mentioning that.



I have the following Realm in the default host:

   
 
debug is not used anymore, so just delete it.


Done.



connectionURL="ldap://ldap1.mydomain.com:389"
alternateURL="ldap://ldap2.mydomain.com:389"
connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
connectionPassword="password"
userBase="ou=Users,dc=mydomain,dc=com"
userSearch="uid={0}"
roleBase="ou=Groups,dc=mydomain,dc=com"
roleName="cn"
roleSearch="memberUid={1}"
contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>


Do you need the LdapTlsContextFactory? If so, what is your ldap server
setup?


Good that you mentioned that I wanted to ask about this in a separate
thread. I was searching for STARTTLS support in the JNDIRealm and this was
the only solution I could find. I got the directions from here:
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
installed the context factory since the TLS is a must for my use case.
It's working fine for me but still wanted to ask, since the above HowTo is
from 2010, has this been maybe integrated in the Tomcat mainstream now and
I have missed something in the documentation or is it still a (only) valid
solution for TLS support?

If TLS is important to you, I hope you have changed the HostnameVerifier to
something more sensible :)

There is a bug request open 
https://issues.apache.org/bugzilla/show_bug.cgi?id=49785
but only very few people asked for it in the last four years. You can 
try to vote it up.


I have only used ldap servers, which would be reachable by ssl, so there 
was no
need for me to investigate further. Any reason why your ldap server 
can't be used with ssl?


Felix




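Felix's hostname-verifier remark is the security-relevant point of this exchange. The JDK's StartTLS implementation validates the server certificate chain during negotiate() and then compares the certificate's name with the host it connected to; a HostnameVerifier is consulted only when that comparison fails. A verifier that returns true unconditionally therefore lets any certificate the trust store accepts pass for any LDAP host, and the simple bind that follows goes to whoever answered on port 389. Below is an added example, my code rather than the wiki's context factory or anything from Tomcat, that performs the realm's user search over StartTLS with a verifier that allows only an explicitly listed alternative name. The host names, DNs, search base and filter are the values from Igor's realm config; the password is the same placeholder; the accepted SAN "ldap.mydomain.com" is an assumed alias that the server certificate is taken to carry.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class LdapStartTlsCheck {

    /**
     * Consulted by the JDK only after its own host-vs-certificate comparison failed.
     * Allows exactly one documented exception: the leaf certificate must carry a
     * dNSName SAN the operator listed (e.g. a VIP name shared by ldap1 and ldap2).
     */
    static final class AllowlistVerifier implements HostnameVerifier {
        private final Set<String> acceptedDnsNames;

        AllowlistVerifier(Set<String> acceptedDnsNames) { this.acceptedDnsNames = acceptedDnsNames; }

        @Override
        public boolean verify(String hostname, SSLSession session) {
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
                Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
                if (sans == null) return false;
                for (List<?> san : sans) {
                    // GeneralName tag 2 is dNSName (RFC 5280); its value is the String host name
                    if (Integer.valueOf(2).equals(san.get(0))
                            && acceptedDnsNames.contains(String.valueOf(san.get(1)).toLowerCase())) {
                        return true;
                    }
                }
                return false;
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false;
            }
        }
    }

    /** Connects in the clear, upgrades with StartTLS, then binds and resolves uid to a DN. */
    static String lookupUserDn(String host, String bindDn, String bindPw, String userBase, String uid)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");
        // No credentials yet: the simple bind must only ever travel inside the TLS session.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // Must be installed before negotiate(); afterwards it is never consulted.
            tls.setHostnameVerifier(new AllowlistVerifier(Collections.singleton("ldap.mydomain.com")));
            tls.negotiate(); // chain validation against the trust store, then the name check; throws on failure

            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPw);

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); // the realm's default (scope=1 in the slapd log)
            sc.setReturningAttributes(new String[0]);          // DN only, like the realm's attr=1.1
            // Same "{0}" placeholder the realm's userSearch uses; JNDI escapes the value.
            NamingEnumeration<SearchResult> results =
                    ctx.search(userBase, "(uid={0})", new Object[] { uid }, sc);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            tls.close();
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // DNs and host names are those from the realm on the page; the password is a placeholder.
        System.out.println(lookupUserDn("ldap1.mydomain.com",
                "cn=connect,ou=Users,dc=mydomain,dc=com", "password",
                "ou=Users,dc=mydomain,dc=com", "user1"));
    }
}
```

If the certificate is actually issued for ldap1.mydomain.com and ldap2.mydomain.com, no verifier is needed at all: leave setHostnameVerifier() out and let negotiate() fail closed. The allowlist is for the case where the certificate legitimately carries a different name than the one in connectionURL, and it should list that name and nothing else.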

Re: Debugging Tomcat JDBC pool disconnects.

2014-10-07 Thread Todd Chapman
Aniket,

That change had not been committed yet.

-Todd

On Tuesday, October 7, 2014, Aniket Bhoi  wrote:

> On Tue, Oct 7, 2014 at 8:41 PM, Todd Chapman  > wrote:
>
> > Chris,
> >
> > Thank you for the detailed reply and sorry for my delayed response. We
> > located the problem.
> >
> > We had setTestOnBorrow(true) but had not set the validation query. When
> the
> > validation query is null the validation fails causing the connection to
> be
> > re-opened.
> >
> But I do see you have set poolProperties.setValidationQuery("SELECT 1 AS
> data"); earlier, did that not help? Is there something that you did differently?
>
> Regards
> Aniket
>
> > -Todd
> >
> > On Wed, Sep 24, 2014 at 9:36 AM, Christopher Schultz <
> > ch...@christopherschultz.net > wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > Todd,
> > >
> > > On 9/23/14 11:41 AM, Todd Chapman wrote:
> > > > My application uses the Tomcat JDBC pool. While using netstat and
> > > > tcpdump to diagnose connection problems I noticed that the client
> > > > side occasionally closes a DB connection and opens a new one. That
> > > > is unexpected based on my configuration.
> > > >
> > > > poolProperties.setInitialSize(10); poolProperties.setMinIdle(10);
> > > > poolProperties.setMaxActive(100); poolProperties.setMaxIdle(100);
> > > > poolProperties.setMaxWait(1);
> > >
> > > Okay.
> > >
> > > > poolProperties.setTimeBetweenEvictionRunsMillis(3);
> > > > poolProperties.setMinEvictableIdleTimeMillis(3);
> > > > poolProperties.setTestWhileIdle(false);
> > >
> > > These 3 settings together don't make any sense: if you have disabled
> > > idle-checking, then setting the schedule for idle-checking isn't
> > > getting you anything.
> > >
> > > > poolProperties.setTestOnBorrow(true);
> > > > poolProperties.setValidationQuery("SELECT 1 AS data");
> > > > poolProperties.setValidationInterval(3);
> > >
> > > The validation interval is specified in milliseconds. Are you sure you
> > > want a value so low?
> > >
> > > > poolProperties.setLogValidationErrors(true);
> > > > poolProperties.setTestOnReturn(false); poolProperties. maxAge(0);
> > >
> > > Note that maxAge=0 is the default.
> > >
> > > > I would expect the pool size to never shrink based on this
> > > > configuration. Well maybe if borrow test fails but no validation
> > > > errors are being logged.
> > > >
> > > > How can I figure out where close() is being called on the physical
> > > > DB connection? I tried writing a JdbcInterceptor but it's
> > > > disconnected() method gets called on the PooledConnection, not the
> > > > physical connection.
> > > >
> > > > Does Tomcat JDBC Pool implement javax.sql.ConnectionEventListener
> > > > interface?
> > >
> > > Could this be the typical firewall-timeout where a network component
> > > is dropping the connection in the middle, rather than one or the other
> > > end of the connection dropping it?
> > >
> > > What about the database itself? Are there any connection timeouts over
> > > there?
> > >
> > > - -chris
> > > -BEGIN PGP SIGNATURE-
> > > Version: GnuPG v1
> > > Comment: GPGTools - http://gpgtools.org
> > >
> > > iQIcBAEBCAAGBQJUIsjfAAoJEBzwKT+lPKRYBsYP/irwy6tz9Xrf4sM9zGCWc/AS
> > > aLVyRua/ZhPy+wLyi/LRXjCXHdEekANIqdrKV9jXOPyyIvnB4kwKo3nubPtzNgA3
> > > GeHeJktLjoz0OMrUI1TPUEU8wab2VNqXBmxF+5yOTExDKSUSfUee4xj/0EVgJ2Jw
> > > +0YvldtF5RCcTtNNSR38+lUreTTkmaMDGCvhfFY6xXwtU3f7jLUhj9RbFMEwjgDs
> > > W9VOHF9YKoleiPrzXVxHzPvvJB7k1aSoGreDOorauDnXHK6s5/9BhX7HxLUFZ1U7
> > > /xdJR8Ul8XjaxNV7zfW1BErUCvjD2V27ASNPNHSnMGrJbElBW8tR23LeH+9Au0fI
> > > w2/G7MsOp4GpU6t/8I0uyLoiEz85USyRJdVn/PuDTrV3X4aKXt3nnT3wUSQelkyq
> > > zW+MASMflDPoxEjXPkvb9WO6a8ZaFFQQlHauqIkT1GUEpM0ii1cY7IJPJYSAyvg/
> > > eMYUFTn17Ml1GCQeLvUWbcbbvisfUJC0SZ7l+5zlUD5FsU/B71gmqgIjVLN+qW6C
> > > CfV7rBUgKBzgb8LfU2GE4e7PxFUj+161pv/Vyaf8UoYvhhzdXCtg76qndRgbwugK
> > > gW2j5FApz934BiHNJKzVKfHI5nJPOpL44N2fQAG+KyT1Ojc8pr0E+8FB67g1eTYE
> > > IvLlYB4adCxQcIy9wqxN
> > > =9crk
> > > -END PGP SIGNATURE-
> > >
> > >
> > >
> >
>


Re: Debugging Tomcat JDBC pool disconnects.

2014-10-07 Thread Aniket Bhoi
On Tue, Oct 7, 2014 at 8:41 PM, Todd Chapman  wrote:

> Chris,
>
> Thank you for the detailed reply and sorry for my delayed response. We
> located the problem.
>
> We had setTestOnBorrow(true) but had not set the validation query. When the
> validation query is null the validation fails causing the connection to be
> re-opened.
>
But I do see you have set poolProperties.setValidationQuery("SELECT 1 AS
data"); earlier, did that not help? Is there something that you did differently?

Regards
Aniket

> -Todd
>
> On Wed, Sep 24, 2014 at 9:36 AM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> >
> > Todd,
> >
> > On 9/23/14 11:41 AM, Todd Chapman wrote:
> > > My application uses the Tomcat JDBC pool. While using netstat and
> > > tcpdump to diagnose connection problems I noticed that the client
> > > side occasionally closes a DB connection and opens a new one. That
> > > is unexpected based on my configuration.
> > >
> > > poolProperties.setInitialSize(10); poolProperties.setMinIdle(10);
> > > poolProperties.setMaxActive(100); poolProperties.setMaxIdle(100);
> > > poolProperties.setMaxWait(1);
> >
> > Okay.
> >
> > > poolProperties.setTimeBetweenEvictionRunsMillis(3);
> > > poolProperties.setMinEvictableIdleTimeMillis(3);
> > > poolProperties.setTestWhileIdle(false);
> >
> > These 3 settings together don't make any sense: if you have disabled
> > idle-checking, then setting the schedule for idle-checking isn't
> > getting you anything.
> >
> > > poolProperties.setTestOnBorrow(true);
> > > poolProperties.setValidationQuery("SELECT 1 AS data");
> > > poolProperties.setValidationInterval(3);
> >
> > The validation interval is specified in milliseconds. Are you sure you
> > want a value so low?
> >
> > > poolProperties.setLogValidationErrors(true);
> > > poolProperties.setTestOnReturn(false); poolProperties. maxAge(0);
> >
> > Note that maxAge=0 is the default.
> >
> > > I would expect the pool size to never shrink based on this
> > > configuration. Well maybe if borrow test fails but no validation
> > > errors are being logged.
> > >
> > > How can I figure out where close() is being called on the physical
> > > DB connection? I tried writing a JdbcInterceptor but it's
> > > disconnected() method gets called on the PooledConnection, not the
> > > physical connection.
> > >
> > > Does Tomcat JDBC Pool implement javax.sql.ConnectionEventListener
> > > interface?
> >
> > Could this be the typical firewall-timeout where a network component
> > is dropping the connection in the middle, rather than one or the other
> > end of the connection dropping it?
> >
> > What about the database itself? Are there any connection timeouts over
> > there?
> >
> > - -chris
> >
> >
> >
>


Re: Debugging Tomcat JDBC pool disconnects.

2014-10-07 Thread Todd Chapman
Chris,

Thank you for the detailed reply and sorry for my delayed response. We
located the problem.

We had setTestOnBorrow(true) but had not set the validation query. When the
validation query is null the validation fails causing the connection to be
re-opened.

-Todd

On Wed, Sep 24, 2014 at 9:36 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Todd,
>
> On 9/23/14 11:41 AM, Todd Chapman wrote:
> > My application uses the Tomcat JDBC pool. While using netstat and
> > tcpdump to diagnose connection problems I noticed that the client
> > side occasionally closes a DB connection and opens a new one. That
> > is unexpected based on my configuration.
> >
> > poolProperties.setInitialSize(10); poolProperties.setMinIdle(10);
> > poolProperties.setMaxActive(100); poolProperties.setMaxIdle(100);
> > poolProperties.setMaxWait(1);
>
> Okay.
>
> > poolProperties.setTimeBetweenEvictionRunsMillis(3);
> > poolProperties.setMinEvictableIdleTimeMillis(3);
> > poolProperties.setTestWhileIdle(false);
>
> These 3 settings together don't make any sense: if you have disabled
> idle-checking, then setting the schedule for idle-checking isn't
> getting you anything.
>
> > poolProperties.setTestOnBorrow(true);
> > poolProperties.setValidationQuery("SELECT 1 AS data");
> > poolProperties.setValidationInterval(3);
>
> The validation interval is specified in milliseconds. Are you sure you
> want a value so low?
>
> > poolProperties.setLogValidationErrors(true);
> > poolProperties.setTestOnReturn(false); poolProperties. maxAge(0);
>
> Note that maxAge=0 is the default.
>
> > I would expect the pool size to never shrink based on this
> > configuration. Well maybe if borrow test fails but no validation
> > errors are being logged.
> >
> > How can I figure out where close() is being called on the physical
> > DB connection? I tried writing a JdbcInterceptor but it's
> > disconnected() method gets called on the PooledConnection, not the
> > physical connection.
> >
> > Does Tomcat JDBC Pool implement javax.sql.ConnectionEventListener
> > interface?
>
> Could this be the typical firewall-timeout where a network component
> is dropping the connection in the middle, rather than one or the other
> end of the connection dropping it?
>
> What about the database itself? Are there any connection timeouts over
> there?
>
> - -chris
>
>
>

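Two things in this thread are worth pinning down in code: how to find out who closes a physical connection (Todd's question; the disconnected() callback of a JdbcInterceptor receives the PooledConnection whose underlying java.sql.Connection is about to be closed, and a stack trace taken there names the pool path that triggered it) and what a consistent validation configuration looks like (Chris's points that validationInterval is in milliseconds and that an eviction schedule with testWhileIdle=false does nothing). The class below is an added example written against the org.apache.tomcat.jdbc.pool API, not code from the thread or from Tomcat; the JDBC URL, driver class, credentials and interval values are placeholders to be replaced.

```java
import java.lang.reflect.Method;
import java.sql.Connection;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.tomcat.jdbc.pool.ConnectionPool;
import org.apache.tomcat.jdbc.pool.DataSource;
import org.apache.tomcat.jdbc.pool.JdbcInterceptor;
import org.apache.tomcat.jdbc.pool.PoolProperties;
import org.apache.tomcat.jdbc.pool.PooledConnection;

public class PoolDisconnectTracing {

    /**
     * Answers "who closed the physical connection?". The pool calls disconnected()
     * on the thread that is about to close the underlying java.sql.Connection, so
     * a stack trace taken here shows the pool path that triggered it (validation
     * failure on borrow, idle eviction, maxAge, abandoned cleanup, pool shutdown).
     * The pool may build a fresh interceptor instance for this callback, hence the
     * static counter.
     */
    public static class DisconnectTracer extends JdbcInterceptor {
        static final AtomicInteger DISCONNECTS = new AtomicInteger();

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            return super.invoke(proxy, method, args); // pass every JDBC call through untouched
        }

        @Override
        public void reset(ConnectionPool parent, PooledConnection con) {
            // called on each borrow; nothing to reset here
        }

        @Override
        public void disconnected(ConnectionPool parent, PooledConnection con, boolean finalizing) {
            DISCONNECTS.incrementAndGet();
            StringBuilder sb = new StringBuilder("physical connection closed: finalizing=")
                    .append(finalizing).append(" size=").append(parent.getSize())
                    .append(" idle=").append(parent.getIdle());
            for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
                sb.append("\n    at ").append(frame);
            }
            System.err.println(sb);
        }
    }

    /** Pool settings with the gaps from the thread closed; connection values are placeholders. */
    static PoolProperties configure() {
        PoolProperties p = new PoolProperties();
        p.setUrl("jdbc:postgresql://db.example.org:5432/app"); // placeholder
        p.setDriverClassName("org.postgresql.Driver");          // placeholder
        p.setUsername("app");
        p.setPassword("change-me");                             // placeholder; load from config, not source
        p.setInitialSize(10);
        p.setMinIdle(10);
        p.setMaxIdle(100);
        p.setMaxActive(100);
        p.setMaxWait(10000);                // ms to wait for a free connection

        p.setTestOnBorrow(true);
        p.setValidationQuery("SELECT 1");   // Todd's finding: with this unset, every borrow validation failed
        p.setValidationQueryTimeout(5);     // seconds
        p.setValidationInterval(30000);     // ms, not seconds: re-validate a connection at most every 30 s
        p.setLogValidationErrors(true);

        // Idle checking is either on with a schedule, or off; a schedule plus testWhileIdle=false is dead config.
        p.setTestWhileIdle(true);
        p.setTimeBetweenEvictionRunsMillis(30000);
        p.setMinEvictableIdleTimeMillis(60000);
        p.setMaxAge(0);                     // default: connections are never retired by age

        p.setJdbcInterceptors(DisconnectTracer.class.getName());
        return p;
    }

    public static void main(String[] args) throws Exception {
        DataSource ds = new DataSource(configure());
        try (Connection c = ds.getConnection()) {
            System.out.println("borrowed " + c);
        }
        ds.close();                         // closes every physical connection: each one reaches disconnected()
        System.out.println("disconnects seen: " + DisconnectTracer.DISCONNECTS.get());
    }
}
```

Run it against a real database with the placeholders replaced. ds.close() alone produces one trace per pooled connection; a trace during normal operation whose frames include the borrow path points at validation (check the query and that validationInterval is not a few milliseconds), while one coming from the pool's cleaner timer task points at eviction or maxAge. A disconnect that originates outside the pool altogether is the firewall or database timeout Chris mentioned, and the interceptor will not see it until the pool notices the dead connection on the next validation.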

Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Igor Cicimov
Hi Felix,

First thanks for your reply.

On Tue, Oct 7, 2014 at 6:35 PM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

> Hi Igor,
>
> Am 07.10.2014 07:07, schrieb Igor Cicimov:
>
>> Hi all,
>>
>> I've been setting up user authentication based on JNDIRealm and have
>> couple
>> of questions regarding the operation. I've been using one of the secured
>> applications that come with the examples included in Tomcat source for
>> testing. My setup with obfuscated names and passwords is as follows.
>>
> Which tomcat version do you use?
>

It's  7.0.52-1ubuntu0.1 from Ubuntu 14.04 repository, sorry I missed
mentioning that.


>
>> I have the following Realm in the default host:
>>
>>   > autoDeploy="false">
>> >debug="99"
>>
> debug is not used anymore, so just delete it.
>

Done.


>
>>   connectionURL="ldap://ldap1.mydomain.com:389"
>>   alternateURL="ldap://ldap2.mydomain.com:389"
>>   connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
>>   connectionPassword="password"
>>   userBase="ou=Users,dc=mydomain,dc=com"
>>   userSearch="uid={0}"
>>   roleBase="ou=Groups,dc=mydomain,dc=com"
>>   roleName="cn"
>>   roleSearch="memberUid={1}"
>>   contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
>>
> Do you need the LdapTlsContextFactory? If so, what is your ldap server
> setup?
>

Good that you mentioned that I wanted to ask about this in a separate
thread. I was searching for STARTTLS support in the JNDIRealm and this was
the only solution I could find. I got the directions from here:
http://wiki.apache.org/tomcat/JNDI_startTLs_HowTo, so I compiled and
installed the context factory since the TLS is a must for my use case.
It's working fine for me but still wanted to ask, since the above HowTo is
from 2010, has this been maybe integrated in the Tomcat mainstream now and
I have missed something in the documentation or is it still a (only) valid
solution for TLS support?


>
>  ...
>>   
>>
>>  and have modified the security constraint roles in the web.xml of the
>> examples application to match my LDAP groups:
>>
>>   
>>  
>>  
>>  
>>  MyCompany Users
>>  
>>   
>>   ...
>>   
>>  tomcat-users
>>   
>>   
>>  MyCompany Users
>>   
>>
>> Now when I hit the protected application,
>> https://myserver/examples/jsp/security/protected/, I can successfully
>> login
>> but only if the role-name is set to "MyCompany Users". When I replace it
>> with the tomcat-users, comment it out and uncomment the tomcat-users role
>> name, the authentication fails. The following are the traces from the
>> Tomcat log and LDAP log:
>>
> As you are finding below, the realm will only use one rolename from each
> group it found.
>

Good to have that confirmed, thanks.


>
> Do you have a real usecase for setting more than one name in a group?
>

No, not really so shouldn't be a problem to remove the extra ones.


>
> If you only want to alias a role to another name, you could try adding
> security-role-ref
> links to your web.xml.
>

Good point.


>
> If you can modify the ldap values, you could use user-attributes to
> specify roles.
>

Was also considering that but using the groups for role reference seemed
simpler, i.e. it did not require any changes in LDAP. Simpler before I realised
the cn problem which will need LDAP changes to get resolved, so I might
reconsider putting the role(s) in user attributes after all.

Cheers,
Igor


>
> Regards
>  Felix
>
>
>
>> Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
>> FINE: Username user1 does NOT have role tomcat-users
>> Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
>> hasResourcePermission
>> FINE: No role found:  tomcat-users
>>
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
>> dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
>> dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0
>> text=
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
>> base="ou=Users,dc=mydomain,dc=com" scope=1 deref=3 filter="(uid=user1)"
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
>> mech=implicit ssf=0
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
>> dn="uid=user1,ou=Users,dc=mydomain,dc=com" method=128
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
>> dn="uid=user1,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0
>> text=
>> Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123

[ANN] Apache Tomcat 7.0.56 released

2014-10-07 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.56.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.

This release contains a number of bug fixes and improvements compared to
version 7.0.55. The notable changes since 7.0.55 include:

- Update the Java WebSocket support to version 1.1 of the Java WebSocket
  specification.
- Add support for the WebSocket permessage-deflate extension.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note: This version has 4 zip binaries: a generic one and
  three bundled with Tomcat native binaries for Windows operating
  systems running on different CPU architectures.

Note: Use of the Java WebSocket 1.1 implementation requires Java 7.

Note: If you use the APR/native AJP or HTTP connector you *must* upgrade
  to version 1.1.31 or later of the APR/native library.

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guides from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

- The Apache Tomcat team


Re: JNDIRealm Authentication and Roles

2014-10-07 Thread Felix Schumacher

Hi Igor,

Am 07.10.2014 07:07, schrieb Igor Cicimov:

Hi all,

I've been setting up user authentication based on JNDIRealm and have a couple
of questions regarding the operation. I've been using one of the secured
applications that come with the examples included in Tomcat source for
testing. My setup with obfuscated names and passwords is as follows.

Which tomcat version do you use?



I have the following Realm in the default host:

  

debug is not used anymore, so just delete it.


   connectionURL="ldap://ldap1.mydomain.com:389"
   alternateURL="ldap://ldap2.mydomain.com:389"
   connectionName="cn=connect,ou=Users,dc=mydomain,dc=com"
   connectionPassword="password"
   userBase="ou=Users,dc=mydomain,dc=com"
   userSearch="uid={0}"
   roleBase="ou=Groups,dc=mydomain,dc=com"
   roleName="cn"
   roleSearch="memberUid={1}"
   contextFactory="org.apache.catalina.ldap.realm.LdapTlsContextFactory"/>
Do you need the LdapTlsContextFactory? If so, what is your ldap server 
setup?



...
  

and have modified the security constraint roles in the web.xml of the
examples application to match my LDAP groups:

     MyCompany Users
  ...
     tomcat-users
     MyCompany Users
Now when I hit the protected application,
https://myserver/examples/jsp/security/protected/, I can successfully login
but only if the role-name is set to "MyCompany Users". When I replace it
with the tomcat-users, comment it out and uncomment the tomcat-users role
name, the authentication fails. The following are the traces from the
Tomcat log and LDAP log:
As you are finding below, the realm will only use one rolename from each
group it found.

Do you have a real use case for setting more than one name in a group?

If you only want to alias a role to another name, you could try adding
security-role-ref links to your web.xml.

If you can modify the ldap values, you could use user-attributes to
specify roles.

Regards
 Felix



Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase hasRole
FINE: Username user1 does NOT have role tomcat-users
Oct 07, 2014 2:35:06 PM org.apache.catalina.realm.RealmBase
hasResourcePermission
FINE: No role found:  tomcat-users

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=1 RESULT tag=97 err=0 
text=

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH
base="ou=Users,dc=mydomain,dc=com" scope=1 deref=3 filter="(uid=user1)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SRCH attr=1.1
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn="uid=user1,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 BIND
dn="uid=user1,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=3 RESULT tag=97 err=0 
text=

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SRCH base="" scope=0
deref=3 filter="(objectClass=*)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND anonymous
mech=implicit ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" method=128
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 BIND
dn="cn=connect,ou=Users,dc=mydomain,dc=com" mech=SIMPLE ssf=0
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=5 RESULT tag=97 err=0 
text=

Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH
base="ou=Groups,dc=mydomain,dc=com" scope=1 deref=3
filter="(memberUid=user1)"
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SRCH attr=cn
Oct  7 14:35:06 ldap1 slapd[1367]: conn=1123 op=6 SEARCH RESULT tag=101
err=0 nentries=2 text=

So the LDAP server returns 2 entries for the role query (filtering by
attr=cn) which can be confirmed by the following LDAP command doing the
same:

$ ldapsearch -LLL -Z -H ldap://myldap:389/ -D "cn=connect,ou=Users,dc=mydomain,dc=com" -W -b ou=Groups,dc=mydomain,dc=com "(memberUid=user1)" cn
Enter LDAP Password:
dn: cn=tomcat-users,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: tomcat-users

dn: cn=user1,ou=Groups,dc=mydomain,dc=com
cn: MyCompany Users
cn: user1


Not sure if I understand it correctly, but I thought the Realm would loop
through the cn's returned and find the right one before it fails but looks
like it picks up the first cn only? Is there something I can modify in my
Realm without changing anything