RE: JDBCStore

2014-10-23 Thread spring
> Well, I think it solves your problem. Old session-ids will 
> get routed to 
> the old version of your webapp and thus will be deserialized 
> without a 
> problem. New sessions will be created in the new version.

Yes, but the session persistence will go into the same table rows -> crash
while deserializing.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Felix Schumacher

On 23.10.2014 at 11:07, Philippe Wijdh wrote:

Hi,

Thank you for the response.
The initial setup of the spn and the keytab was without the port-number, the 
registry key was a suggestion found on internet but this setting does not 
change the outcome.

The command kinit on the Tomcat server returns the following


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf


C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.sec
urity.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.logi
n.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -
k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@A
SSAI.NL


HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use 
one without the port number (as described in the docs).


Maybe it would be best to follow Mark's advice and start with a fresh 
system, following the documentation step by step.


Felix

KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser

Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl

Kinit using keytab
Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab

Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config

Kinit realm name is ASSAI.NL
Creating KrbAsReq
KrbKdcReq local addresses for V3TCAT4AD are:

 V3TCAT4AD/10.1.0.67
IPv4 address

 V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address

KdcAccessibility: reset
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198

KrbKdcReq send: #bytes read=173
Pre-Authentication Data:

  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =


Pre-Authentication Data:

  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null


Pre-Authentication Data:

  PA-DATA type = 2
  PA-ENC-TIMESTAMP

Pre-Authentication Data:

  PA-DATA type = 16


Pre-Authentication Data:

  PA-DATA type = 15


KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:

  sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
  suSec is 776700
  error code is 25
  error Message is Additional pre-authentication required
  realm is ASSAI.NL
  sname is krbtgt/ASSAI.NL
  eData provided.
  msgType is 30

Pre-Authentication Data:

  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =


Pre-Authentication Data:

  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null


Pre-Authentication Data:

  PA-DATA type = 2
  PA-ENC-TIMESTAMP

Pre-Authentication Data:

  PA-DATA type = 16


Pre-Authentication Data:

  PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283

KrbKdcReq send: #bytes read=88
KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283

KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283

DEBUG: TCPClient reading 1496 bytes
KrbKdcReq send: #bytes read=1496
KdcAccessibility: remove v3dom1.assai.nl:88

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@int

Re: JDBCStore

2014-10-23 Thread Felix Schumacher

On 23.10.2014 at 19:45, spr...@gmx.eu wrote:

You may want to have a look at parallel deployment (
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html).


At the moment /Catalina/localhost/ is used as the value in column app. It is the
root app.

Would a war ROOT##2.war use another value?

No.


OK, then this would not solve the prob.
Well, I think it solves your problem. Old session-ids will get routed to 
the old version of your webapp and thus will be deserialized without a 
problem. New sessions will be created in the new version.


This will enable a smooth transition from your old version to the new one.

Regards
 Felix


Thx!





Re: is normal keep value when tomcat restart after JSESSIONID was create?

2014-10-23 Thread KangWoo Lee
I found the cause. Setting the context attribute sessionCookiePath="/" has the same
effect as emptySessionPath. The Tomcat documentation says that if emptySessionPath
is set, then Tomcat uses the session id value of the client request.

I solved it. Thanks for your comment.
On 2014. 10. 24. 12:42 AM, "Christopher Schultz" wrote:

> 이강우,
>
> On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> > ok I understand.
> >
> > -> the session identifier should change to prevent session-fixation
> > attacks.
> >
> > but how can I set Tomcat to regenerate the id value? I searched the
> > documentation, but can't find it
>
> I'm not sure what you are asking. Can you ask in a different way? Do
> you want Tomcat to reject the requested (invalid) session id and
> generate a new one instead?
>
> - -chris
>
> > 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> >  >> :
> >
> > 이강우,
> >
> > On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
>  Environment - openjdk 1.7 - tomcat 7.0.55 with native
>  connector - apache 2.4.10 with mod-jk 1.2.40
> 
>  1. Tomcat start 2. Client request -> JSESSIONID is null 3.
>  tomcat response ->
>  JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create 4.
>  refresh page -> session attribute(name=count, value=count++)
>  is correct. count is increasing.
> >
> > Good so far.
> >
>  5. Tomcat stop -> start (restart) context setting is session
>  is not persist
> >
> > Okay.
> >
>  6. Client refresh -> client request is send
>  JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session
>  attribute(name=count, value=0) is reset. but keeping
>  JSESSIONID
> 
>  question. why tomcat using JSESSIONID set by client request
>  value? is not regenerate?
> >
> > If the client requests a session by id, Tomcat will try to give it
> > to them. If it doesn't exist, it will use that session identifier
> > for the new session.
> >
> > Did the user actually authenticate with Tomcat? Or just get an
> > anonymous session? If the user authenticates with Tomcat, the
> > session identifier should change to prevent session-fixation
> > attacks.
> >
>  is this java spec?
> >
> > I believe the spec says nothing about the generation of session
> > ids. Even the above session-fixation behavior is outside of the
> > spec (but definitely does not violate it).
> >
> > -chris


RE: JDBCStore

2014-10-23 Thread spring
> >> You may want to have a look at parallel deployment ( 
> >> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html).
> >
> >
> >At the moment /Catalina/localhost/ is used as value in column app. It
> >is the
> >root app.
> >
> >Would a war ROOT##2.war use another value?
> No. 


OK, then this would not solve the prob.

Thx!





Re: is normal keep value when tomcat restart after JSESSIONID was create?

2014-10-23 Thread Christopher Schultz
이강우,

On 10/23/14 1:56 AM, 이강우(KangWoo Lee) wrote:
> ok I understand.
> 
> -> the session identifier should change to prevent session-fixation
> attacks.
> 
> but how can I set Tomcat to regenerate the id value? I searched the
> documentation, but can't find it

I'm not sure what you are asking. Can you ask in a different way? Do
you want Tomcat to reject the requested (invalid) session id and
generate a new one instead?

- -chris

> 2014-10-22 22:44 GMT+09:00 Christopher Schultz
> > :
> 
> 이강우,
> 
> On 10/22/14 4:41 AM, 이강우(KangWoo Lee) wrote:
 Environment - openjdk 1.7 - tomcat 7.0.55 with native
 connector - apache 2.4.10 with mod-jk 1.2.40
 
 1. Tomcat start 2. Client request -> JSESSIONID is null 3.
 tomcat response ->
 JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 is create 4.
 refresh page -> session attribute(name=count, value=count++)
 is correct. count is increasing.
> 
> Good so far.
> 
 5. Tomcat stop -> start (restart) context setting is session
 is not persist
> 
> Okay.
> 
 6. Client refresh -> client request is send 
 JSESSIONID=C5EBF0AA96ADB34E0C28E4D9D2595D98 7. session 
 attribute(name=count, value=0) is reset. but keeping
 JSESSIONID
 
 question. why tomcat using JSESSIONID set by client request
 value? is not regenerate?
> 
> If the client requests a session by id, Tomcat will try to give it
> to them. If it doesn't exist, it will use that session identifier
> for the new session.
> 
> Did the user actually authenticate with Tomcat? Or just get an 
> anonymous session? If the user authenticates with Tomcat, the
> session identifier should change to prevent session-fixation
> attacks.
> 
 is this java spec?
> 
> I believe the spec says nothing about the generation of session
> ids. Even the above session-fixation behavior is outside of the
> spec (but definitely does not violate it).
> 
> -chris
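A defender-side illustration of what Chris describes above, added here and not code from the thread or from Tomcat: a filter that refuses to adopt a client-supplied session id for which no live session exists, plus a hook that application-managed login code can call to rotate the id right after authentication. It assumes Servlet 3.1 (Tomcat 8 or later) for HttpServletRequest.changeSessionId(); the class and method names are my own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/*
 * Session-fixation mitigation for application-managed sessions.
 * Assumption: Servlet 3.1 API (Tomcat 8+), which provides changeSessionId().
 */
public class SessionIdRotationFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // The client sent a JSESSIONID, but Tomcat has no session with that id
        // (for example after a restart with session persistence disabled).
        // As the thread notes, with sessionCookiePath="/" Tomcat would create the
        // new session under that client-chosen id. Instead, create the session
        // here and immediately replace its id with one the client did not pick.
        String requested = request.getRequestedSessionId();
        if (requested != null && !request.isRequestedSessionIdValid()) {
            request.getSession(true);
            request.changeSessionId();
        }

        chain.doFilter(req, res);
    }

    /**
     * Hook for application login code: call this right after the credentials
     * have been verified and before any response output is written, so that
     * the Set-Cookie header carrying the new id still reaches the client.
     * changeSessionId() keeps every session attribute and replaces only the id.
     *
     * @return the new session id
     */
    public static String rotateAfterLogin(HttpServletRequest request) {
        return request.changeSessionId();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Container-managed authentication in Tomcat already rotates the id by default (the authenticator valve's changeSessionIdOnAuthentication attribute), so the login hook is only needed when the application performs its own login.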



Re: connectionProperties is failing?

2014-10-23 Thread Mark Thomas
On 23/10/2014 13:27, Alessandro Manzoni wrote:

> What do you think about AbstractMethodError problem with tomcat 8?

Set testOnBorrow=false

> Am I stuck with version 7, having to use the jtOpen JDBC driver?

No.

Mark





Re: connectionProperties is failing?

2014-10-23 Thread Alessandro Manzoni

On 23.10.2014 10.11, Konstantin Kolinko wrote:

2014-10-23 10:44 GMT+04:00 Alessandro Manzoni :

On 23.10.2014 01.49, Christopher Schultz wrote:


On 10/22/14 1:04 PM, Alessandro Manzoni wrote:

I configured a Resource datasouce inside context.xml but the
resulting connection is misconfigured.

The failing attribute appears as:

connectionProperties="sort=table;sort table=QSYS/QASCII"

but looking at the connection (while debugging) properties are
messed up, instead of the above 2 properties I see only 1:

sort=table=QSYS/QASCII

It looks like the property "sort table", with a blank inside the
name, was not correctly parsed.

It sure does.


I'm using jtOpen.jar AS400JDBCDriver that supports a lot of such
strange property names:

http://www-01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_61/rzahh/javadoc/com/ibm/as400/access/doc-files/JDBCProperties.html

Aah,
AS/400. You are a barrel of laughs.


If I try supplying the same properties using the
connect(Properties) method, or appending them to the url, all is
fine.

Is there some special syntax to achieve my goal?

I think this is likely a bug.

Whose bug it is depends upon which connection pool you are using. Are
you using Tomcat's default pool (based upon commons-dbcp) or
tomcat-pool. If you don't know, it's probably the former.

If the bug belongs to commons-dbcp, you should report it over there
and when it gets fixed, we'll consume the changes and then Tomcat
should work properly.

What version of Tomcat are you using?

I did nothing but inserting a 


I tried both 6.037 and 7.056 versions with the same result.

I tried 8.014 too, but the program stops, just while getting the connection
from the datasource, datasource.getConnection() method, with this stack
trace:

java.lang.AbstractMethodError:
com.ibm.as400.access.AS400JDBCConnection.isValid(I)Z
org.apache.tomcat.dbcp.dbcp2.DelegatingConnection.isValid(DelegatingConnection.java:913)
org.apache.tomcat.dbcp.dbcp2.PoolableConnection.validate(PoolableConnection.java:226)
org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.validateConnection(PoolableConnectionFactory.java:302)
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:2165)
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:2148)
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:1902)
org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:1412)

even if I didn't declare any validate query in datasource definition.


Default connection pool = Apache Commons DBCP.

Searching Apache Commons DBCP source code for "connectionProperties",
there are 2 places where that property is parsed:

A) BasicDataSource.setConnectionProperties(String)

It does
String[] entries = connectionProperties.split(";");
followed by
int index = entry.indexOf('=');

It is OK.

B) BasicDataSourceFactory.getProperties(String)

This is an awful undocumented implementation with a bunch of side effects.

    /**
     * Parse properties from the string. Format of the string must be [propertyName=property;]*
     * @param propText
     * @return Properties
     * @throws Exception
     */
    private static Properties getProperties(String propText) throws Exception {
        Properties p = new Properties();
        if (propText != null) {
            p.load(new ByteArrayInputStream(
                    propText.replace(';', '\n').getBytes(StandardCharsets.ISO_8859_1)));
        }
        return p;
    }

It replaces ';' with '\n' and feeds the string as ISO-8859-1 into
Properties.load().  The same implementation of that method is present
both in current DBCP2 and in previous DBCP 1.4 used by Tomcat 7.

If this implementation is of any use, it must be properly documented.
As of now, it does not match its own javadoc which only says that
format is "[propertyName=property;]*". Nor is it documented at
[2].

The format of a properties file [1] is that
"The key contains all of the characters in the line starting with the
first non-white space character and up to, but not including, the
first unescaped '=', ':', or white space character other than a line
terminator."

The workaround for you is to escape the whitespace character in key
name with '\'.
That workaround works fine! In my opinion it should be documented in the 
Tomcat doc pages.


What do you think about AbstractMethodError problem with tomcat 8?
Am I stuck with version 7, having to use the jtOpen JDBC driver?

Thanks, best regards.





RE: JDBCStore

2014-10-23 Thread Felix Schumacher


On 23 October 2014 13:34:22 MESZ, spr...@gmx.eu wrote:
>> You may want to have a look at parallel deployment ( 
>> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html).
>
>
>At the moment /Catalina/localhost/ is used as value in column app. It
>is the
>root app.
>
>Would a war ROOT##2.war use another value?
No. 

Felix
>
>



RE: JDBCStore

2014-10-23 Thread spring
> Are you using distributed sessions? If so, you'll have to override the
> internal serialization mechanism and do it all manually in a way that
> is going to be cross-version-compatible.
> 
> It's not impossible, but it does take some planning and forethought.

OK; thought so.
Thank you.





RE: JDBCStore

2014-10-23 Thread spring
> You may want to have a look at parallel deployment ( 
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html).


At the moment /Catalina/localhost/ is used as value in column app. It is the
root app.

Would a war ROOT##2.war use another value?





RE: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Philippe Wijdh
Hi,

Thank you for the response.
The initial setup of the spn and the keytab was without the port-number, the 
registry key was a suggestion found on internet but this setting does not 
change the outcome.

The command kinit on the Tomcat server returns the following


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf


C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.sec
urity.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.logi
n.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -
k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@A
SSAI.NL
>>>KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>>> Kinit using keytab
>>> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
>>> Kinit realm name is ASSAI.NL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for V3TCAT4AD are:

V3TCAT4AD/10.1.0.67
IPv4 address

V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
 sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
 suSec is 776700
 error code is 25
 error Message is Additional pre-authentication required
 realm is ASSAI.NL
 sname is krbtgt/ASSAI.NL
 eData provided.
 msgType is 30
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
>>> KrbKdcReq send: #bytes read=88
>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
>>>DEBUG: TCPClient reading 1496 bytes
>>> KrbKdcReq send: #bytes read=1496
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com 

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication



On 22 October 2014 11:40:56 MESZ, Philippe Wijdh wrote:
>Hello,
>
>We have spent a long time

Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Mark Thomas
On 22/10/2014 10:40, Philippe Wijdh wrote:
> Hello,
> 
> We have spent a long time now, trying to set up Apache Tomcat with Windows 
> Authentication.
> We followed the instructions as per 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
> make it work properly, the logon dialog keeps appearing and trying to log on 
> fails.
> In addition to that we tried suggestions, like adding the registry key 
> AllowTgtSessionKey and setting it to 0x01
> Seems like we are close but we are missing something (see tomcat output below)
> Does anyone have a more complete documentation or have any suggestions on how 
> to make this work.

The documentation is complete. If you follow the steps in that document
then you will end up with a working system.

Either you aren't following the documentation or something in your
environment differs from that described in the document.

> Kind regards,
> 
> Philippe Wijdh
> 
> 
> 
> Extra information on the setup:
> 
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> 
> Tomcat is running as a service using account  HTTP/v3tcat4ad.assai.nl:8080 
> (have created spn with and without the port number, does not make a 
> difference)
> 
> Test is done with user testu...@assai.nl in IE11 on 
> different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
> Intranet sites.

You haven't provided any information on the Realm configuration or how
you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't
mentioned.

Mark

> 
> 
> 
> Tomcat Output:
> 
 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
 KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=152
 KrbKdcReq send: #bytes read=173
 Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> 
 Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
 Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
 Pre-Authentication Data:
> PA-DATA type = 16
> 
 Pre-Authentication Data:
> PA-DATA type = 15
> 
 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
 KRBError:
> sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
> suSec is 403143
> error code is 25
> error Message is Additional pre-authentication required
> realm is ASSAI.NL
> sname is krbtgt/ASSAI.NL
> eData provided.
> msgType is 30
 Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> 
 Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
 Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
 Pre-Authentication Data:
> PA-DATA type = 16
> 
 Pre-Authentication Data:
> PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=235
 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4a

Re: connectionProperties is failing?

2014-10-23 Thread Konstantin Kolinko
2014-10-23 10:44 GMT+04:00 Alessandro Manzoni :
> On 23.10.2014 01.49, Christopher Schultz wrote:
>
>> On 10/22/14 1:04 PM, Alessandro Manzoni wrote:
>>>
>>> I configured a Resource datasouce inside context.xml but the
>>> resulting connection is misconfigured.
>>>
>>> The failing attribute appears as:
>>>
>>> connectionProperties="sort=table;sort table=QSYS/QASCII"
>>>
>>> but looking at the connection (while debugging) properties are
>>> messed up, instead of the above 2 properties I see only 1:
>>>
>>> sort=table=QSYS/QASCII
>>>
>>> It looks like the property "sort table", with a blank inside the
>>> name, was not correctly parsed.
>>
>> It sure does.
>>
>>> I'm using jtOpen.jar AS400JDBCDriver that supports a lot of such
>>> strange property names:
>>>
>>> http://www-01.ibm.com/support/knowledgecenter/api/content/ssw_ibm_i_61/rzahh/javadoc/com/ibm/as400/access/doc-files/JDBCProperties.html
>>
>> Aah,
>> AS/400. You are a barrel of laughs.
>>
>>> If I try supplying the same properties using the
>>> connect(Properties) method, or appending them to the url, all is
>>> fine.
>>>
>>> Is there some special syntax to achieve my goal?
>>
>> I think this is likely a bug.
>>
>> Whose bug it is depends upon which connection pool you are using. Are
>> you using Tomcat's default pool (based upon commons-dbcp) or
>> tomcat-pool. If you don't know, it's probably the former.
>>
>> If the bug belongs to commons-dbcp, you should report it over there
>> and when it gets fixed, we'll consume the changes and then Tomcat
>> should work properly.
>>
>> What version of Tomcat are you using?
>
> I did nothing but inserting a  factory declared, so I think it's Tomcat's default pool fault:
>  type="javax.sql.DataSource" maxActive="100" maxIdle="30"
> maxWait="1"
> username="USER" password="PASS"
> driverClassName="com.ibm.as400.access.AS400JDBCDriver"
> connectionProperties="sort=table;sort table=QSYS/QASCII;"
> url="jdbc:as400://dbserver/SCHEMA" />
>
>
> I tried both 6.037 and 7.056 versions with the same result.
>
> I tried 8.014 too, but the program stops, just while getting the connection
> from the datasource, datasource.getConnection() method, with this stack
> trace:
>
> java.lang.AbstractMethodError:
> com.ibm.as400.access.AS400JDBCConnection.isValid(I)Z
> org.apache.tomcat.dbcp.dbcp2.DelegatingConnection.isValid(DelegatingConnection.java:913)
> org.apache.tomcat.dbcp.dbcp2.PoolableConnection.validate(PoolableConnection.java:226)
> org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.validateConnection(PoolableConnectionFactory.java:302)
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:2165)
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:2148)
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:1902)
> org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:1412)
>
> even if I didn't declare any validate query in datasource definition.
>

Default connection pool = Apache Commons DBCP.

Searching Apache Commons DBCP source code for "connectionProperties",
there are 2 places where that property is parsed:

A) BasicDataSource.setConnectionProperties(String)

It does
String[] entries = connectionProperties.split(";");
followed by
int index = entry.indexOf('=');

It is OK.

B) BasicDataSourceFactory.getProperties(String)

This is an awful undocumented implementation with a bunch of side effects.

    /**
     * Parse properties from the string. Format of the string must be [propertyName=property;]*
     * @param propText
     * @return Properties
     * @throws Exception
     */
    private static Properties getProperties(String propText) throws Exception {
        Properties p = new Properties();
        if (propText != null) {
            p.load(new ByteArrayInputStream(
                    propText.replace(';', '\n').getBytes(StandardCharsets.ISO_8859_1)));
        }
        return p;
    }

It replaces ';' with '\n' and feeds the string as ISO-8859-1 into
Properties.load().  The same implementation of that method is present
both in current DBCP2 and in previous DBCP 1.4 used by Tomcat 7.

If this implementation is of any use, it must be properly documented.
As of now, it does not match its own javadoc which only says that
format is "[propertyName=property;]*". Nor is it documented at
[2].

The format of a properties file [1] is that
"The key contains all of the characters in the line starting with the
first non-white space character and up to, but not including, the
first unescaped '=', ':', or white space character other than a line
terminator."

The workaround for you is to escape the whitespace character in key
name with '\'.


[1] 
http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.Reader%29
[2] http://commons.apache.org/proper/commons-dbcp/configuration.html

Best regards,
Konstantin Kolinko
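The two parsing paths Konstantin describes, placed side by side as an added illustration (my own re-implementation for this example, not DBCP's or Tomcat's code): the Properties.load() path drops the "sort table" key exactly as reported earlier in the thread, the split-on-';' path keeps it, and the '\' escape workaround makes the first path behave. Class and method names are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class ConnectionPropertiesParsing {

    // Mirrors the BasicDataSourceFactory path quoted above: ';' becomes a line
    // break and Properties.load() applies the java.util.Properties key rules,
    // so an unescaped space, '=' or ':' terminates the key.
    static Properties parseLikeFactory(String propText) throws IOException {
        Properties p = new Properties();
        if (propText != null) {
            p.load(new ByteArrayInputStream(
                    propText.replace(';', '\n').getBytes(StandardCharsets.ISO_8859_1)));
        }
        return p;
    }

    // Mirrors the BasicDataSource.setConnectionProperties(String) path quoted
    // above: split on ';', then split each entry at its first '='. A space
    // inside the key is kept as part of the key here.
    static Map<String, String> parseLikeSetter(String propText) {
        Map<String, String> props = new LinkedHashMap<>();
        for (String entry : propText.split(";")) {
            if (entry.isEmpty()) {
                continue;
            }
            int index = entry.indexOf('=');
            if (index > 0) {
                props.put(entry.substring(0, index), entry.substring(index + 1));
            } else {
                props.put(entry, ""); // no '=': the value is the empty string
            }
        }
        return props;
    }

    // The workaround from the message: put a '\' before every character that
    // Properties.load() would otherwise treat specially inside a key
    // (whitespace, '=', ':', the comment markers and the backslash itself).
    static String escapeKey(String key) {
        StringBuilder sb = new StringBuilder(key.length() + 4);
        for (char c : key.toCharArray()) {
            if (c == ' ' || c == '\t' || c == '=' || c == ':'
                    || c == '#' || c == '!' || c == '\\') {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // The connectionProperties value from the context.xml quoted in the thread.
        String original = "sort=table;sort table=QSYS/QASCII";

        // Setter path: both keys survive, "sort table" included.
        Map<String, String> viaSetter = parseLikeSetter(original);
        System.out.println("setter  sort       = " + viaSetter.get("sort"));
        System.out.println("setter  sort table = " + viaSetter.get("sort table"));

        // Factory path: the key of the second entry ends at the space, so it is
        // read as a second "sort" whose value is the rest of the line, and it
        // overwrites the first entry; "sort table" is never defined.
        Properties viaFactory = parseLikeFactory(original);
        System.out.println("factory sort       = " + viaFactory.getProperty("sort"));
        System.out.println("factory sort table = " + viaFactory.getProperty("sort table"));

        // Same text with the key escaped as the message suggests.
        String escaped = escapeKey("sort") + "=table;"
                + escapeKey("sort table") + "=QSYS/QASCII";
        System.out.println("escaped text       = " + escaped);

        Properties viaFactoryEscaped = parseLikeFactory(escaped);
        System.out.println("escaped sort       = " + viaFactoryEscaped.getProperty("sort"));
        System.out.println("escaped sort table = " + viaFactoryEscaped.getProperty("sort table"));
    }
}
```

In a context.xml attribute the backslash is typed literally, as in connectionProperties="sort=table;sort\ table=QSYS/QASCII", since XML attribute values do not interpret '\'.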
