Issue in reading SSL certificate

2015-09-08 Thread Hirnya Kaushal
Dear,

 

I am facing a very peculiar issue with the SSL certificate for Tomcat7. I am
using Java 7 and Tomcat 1.7.075 and am facing the below issue with the SSL
certificate. I have followed the below steps to generate the certificate and
apply the same in server.xml.

 

Generated the CSR file by using the keytool on the server.

1)  $JAVA_HOME/bin/keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore /opt/hirnya/mobileweyakae.jks

2)  $JAVA_HOME/bin/keytool -certreq -alias server -file /opt/hirnya/csr.txt -keystore /opt/hirnya/mobileweyakae.jks

Shared my case file with the CA provider and received back a chain.p7b file. I
then followed the below steps to import it into the key tool (I tried 2 ways to
apply the same, but the end results and the errors in the tomcat logs are almost
the same.)

1.  Double click the .p7b file on Windows.
2.  Expand the node "Certificates" on the left side.
3.  On the right side the list of certificates appears.
4.  Double click the required certificate to open it.
5.  Click the Details tab.
6.  Click the "Copy to File..." button.
7.  Click Next.
8.  Select the 2nd format (Base-64 encoded X.509 (.CER)).
9.  Enter the file name (as the original file name). Please make sure of the
    file location (directory).
10. Read the export wizard settings and then press the "Finish" button.
11. Repeat the same steps for all 3 certificates.

Then, transferred all the certificates to the same path where I had generated
the csr file and imported the files in 2 different ways.

 

Steps of Process one applied:

Imported the files received from CA with below command and applied with all
files received from CA.

$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file /opt/hirnya/root.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias abc -file /opt/hirnya/server.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias mobile -file /opt/hirnya/mobile.cer -keystore /opt/hirnya/mobileweyakae.jks

 

Attached is the view of certificate generated (crtifacate-process1.txt) and
the tomcat logs (), and below is the configuration for SSL on tomcat.

 



 

 

Steps of Process Two applied:

 

Exported the keystore to the pem file.

 

1)  $JAVA_HOME/bin/keytool -exportcert -rfc -file /opt/hirnya/server.pem -keystore /opt/hirnya/mobileweyakae.jks -alias server

2)  Opened the pem file with cat and added the other certificates received
from CA into the same file and generated the bundle.pem file, attached is
the file for reference. (this includes all the certificates)

3)  Then imported the certificates to the keytool with below command

$JAVA_HOME/bin/keytool -importcert -keystore /opt/hirnya/mobileweyakae.jks -alias server -file /opt/hirnya/bundle.pem
 
 
The certificate generated output is attached as certificate-process2.txt for
reference and the logs of the tomcat as well.

 

 

In both the cases I am able to reach the https:// but am receiving the security
error, and it is only reading the self-generated key and not able to read the
imported key.

 

Attaching the generated key files(mobileweyakae.jks) and certificate
(hirnya.zip) as well for your reference.

 

Thanks in advance for your support.

 

 

Thanks & Regards,

Hirnya Garbh Kaushal,

MobiSoft Telesolutions(Altruist Group)


 


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 2b9
Valid from: Fri May 12 22:46:00 GST 2000 until: Tue May 13 03:59:00 GST 2025
Certificate fingerprints:
 MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
 SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
 SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:3
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GX....T6..:
0010: B5 04 4D F0                                        ..M.
]
]



***
***


Alias name: mobile
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=mobile.weyak.ae, OU=Marketing, O=Etisalat, L=Abu Dhabi, ST=Abu Dhabi, C=AE
Issuer: CN=Cybertrust Public SureServer SV CA, O=Cybertrust Inc
Serial number: 1014ede39d478814690
Valid from: Thu Jul 30 13:10:10 GST 2015 until: Sat Jul
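
A check for the symptom described in this post, as an added example that is not part of the original message: keytool installs a CA reply on a key entry only when it is imported under the alias that holds the private key (`server` here), and a certificate imported under a new alias such as `mobile` becomes a `trustedCertEntry`. The listing text below is constructed and abbreviated, and the DN of the `server` entry is a placeholder.

```java
import java.util.ArrayList;
import java.util.List;

public class KeystoreListingCheck {

    // Constructed, abbreviated `keytool -list -v` output modelled on the listing
    // in the post. Aliases and the DNs of `root` and `mobile` are taken from the
    // post; the DN of `server` and the CA:false line are assumptions.
    static final String SAMPLE =
          "Alias name: root\n"
        + "Entry type: trustedCertEntry\n"
        + "Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE\n"
        + "Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE\n"
        + "BasicConstraints:[\n  CA:true\n  PathLen:3\n]\n"
        + "Alias name: mobile\n"
        + "Entry type: trustedCertEntry\n"
        + "Owner: CN=mobile.weyak.ae, OU=Marketing, O=Etisalat, L=Abu Dhabi, ST=Abu Dhabi, C=AE\n"
        + "Issuer: CN=Cybertrust Public SureServer SV CA, O=Cybertrust Inc\n"
        + "BasicConstraints:[\n  CA:false\n  PathLen: undefined\n]\n"
        + "Alias name: server\n"
        + "Entry type: PrivateKeyEntry\n"
        + "Certificate chain length: 1\n"
        + "Certificate[1]:\n"
        + "Owner: CN=placeholder.example, O=Example\n"
        + "Issuer: CN=placeholder.example, O=Example\n";

    static final class Entry {
        String alias, type, owner, issuer;
        int certs;        // number of "Owner:" lines seen so far for this alias
        boolean leafIsCa; // BasicConstraints CA:true on the first certificate
    }

    // Split the listing into one Entry per alias, keeping only the first
    // (leaf) certificate's Owner, Issuer and CA flag.
    static List<Entry> parse(String listing) {
        List<Entry> out = new ArrayList<Entry>();
        Entry cur = null;
        for (String raw : listing.split("\\r?\\n")) {
            String line = raw.trim();
            if (line.startsWith("Alias name: ")) {
                cur = new Entry();
                cur.alias = line.substring("Alias name: ".length());
                out.add(cur);
            } else if (cur == null) {
                continue; // header lines before the first alias
            } else if (line.startsWith("Entry type: ")) {
                cur.type = line.substring("Entry type: ".length());
            } else if (line.startsWith("Owner: ")) {
                if (++cur.certs == 1) cur.owner = line.substring("Owner: ".length());
            } else if (line.startsWith("Issuer: ")) {
                if (cur.certs == 1) cur.issuer = line.substring("Issuer: ".length());
            } else if (line.equals("CA:true") && cur.certs == 1) {
                cur.leafIsCa = true;
            }
        }
        return out;
    }

    // Report the two states that make a TLS connector present the self-signed
    // certificate even though a CA-signed one is in the keystore.
    static List<String> findings(List<Entry> entries) {
        List<String> out = new ArrayList<String>();
        for (Entry e : entries) {
            boolean selfSigned = e.owner != null && e.owner.equals(e.issuer);
            if ("PrivateKeyEntry".equals(e.type) && selfSigned) {
                out.add(e.alias + ": key entry still carries the self-signed certificate; "
                        + "the CA reply has to be imported under this same alias");
            } else if ("trustedCertEntry".equals(e.type) && !e.leafIsCa) {
                out.add(e.alias + ": end-entity certificate (" + e.owner + ") stored as "
                        + "trustedCertEntry, so it has no private key and cannot be served");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        for (String f : findings(parse(SAMPLE))) {
            System.out.println(f);
        }
    }
}
```

On the constructed listing this reports `mobile` and `server` and leaves `root` alone, since a CA certificate is expected to be a trusted entry.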

RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Igor Cicimov
On 09/09/2015 7:13 AM, "Jeffrey Janner"  wrote:
>
> > -Original Message-
> > From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> > Sent: Tuesday, September 08, 2015 9:22 AM
> > To: Tomcat Users List 
> > Subject: Re: Multiple JSESSIONID cookies being presented.
> >
> > 2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
> > >> -Original Message-
> > >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > >> Sent: Friday, September 04, 2015 12:46 PM
> > >> To: Tomcat Users List 
> > >> Subject: Re: Multiple JSESSIONID cookies being presented.
> > >>
> > >> Jeffrey,
> > >>
> > > Now, it's been doing this since at least Tomcat 6, I have one running
> > now, and I've never had a problem with it using direct connections.  But
> > now we are front-ending with HaProxy and going to two backend tomcats,
> > and using the JSESSIONID to support sticky-sessions.  I'm afraid the
> > multiple cookies is confusing HaProxy. (Yes, I'm going to ask that user
> > community.)
> > > Jeff
> >
> >
> > You could use another cookie to implement stickyness
> >
> > "You can add a cookie SOME-COOKIE-NAME prefix directive into the
> > backend. Then simply add the cookie directive within each server. Then
> > HAProxy will append a cookie (or add onto an existing one) a
> > identifier for each server. This cookie will be sent back in
> > subsequent requests from the client, letting HAProxy know which server
> > to send the request to. This looks like the following:"
> >
> > backend nodes
> > # Other options above omitted for brevity
> >  cookie SRV_ID prefix
> > server web01 127.0.0.1:9000 cookie check
> > server web02 127.0.0.1:9001 cookie check
> > server web03 127.0.0.1:9002 cookie check
> >
> >
> > https://serversforhackers.com/load-balancing-with-haproxy
> >
> Thanks Jose.  We considered that, as well as having HaProxy just generate
> its own sticky-session cookie, but it seemed like a better idea to just let
> Tomcat handle it and use stick-tables. We are moving towards a
> fully-clustered tomcat, so already having the config in place such that we
> only have to turn off the stick-tables and we'd be set to go. I'll
> eventually be supporting a fairly large number of backends and don't want
> to make the configuration of new ones very complicated. Making them simple
> and pushing the complication down to the tomcat level just seemed to make
> more sense.

If using more than one haproxy, inserting its own cookie is a much better
solution since you don't have to sync the stick tables between the lb's.

> In fact, I've parameterized the jvmRoute setting in the Tomcat server.xml
> and use the setenv.sh script to calculate the value based on the server the
> Tomcat is running on.
> If only there were some way to have HaProxy read an already existing
> suffix in the cookie string, like httpd, my life would be perfect.
> Jeff
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Caldarale, Charles R
> From: Jose María Zaragoza [mailto:demablo...@gmail.com] 
> Subject: Re: Multiple JSESSIONID cookies being presented.

> > Thanks for the clarification of what's supposed to happen on receipt, Jose.
> > However, I am describing what happens on first contact from the client to 
> > the server.
> > The browser sends https://hostname/APP2, and Tomcat returns:
> > JSESSIONID=, path=/   and   JSESSIONID=, path=/APP2/

> Indeed, it doesn't make sense for me to return different id (  ,
>  ) if you are accesing to only one context (/APP2)

> Are you sure that your webapp deployed in /APP2 is not accesing to
> resources ( session-aware resources as JSP, servlet, .. .I mean)
> stored in ROOT context ?

As I think someone previously mentioned, the client (browser) may well be 
sending an unsolicited request to the default webapp, such as when trying to 
retrieve favicon.ico.  You might want to run Fiddler or Wireshark on the client 
to see exactly what's being sent to the server.

 - Chuck





RE: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
mm..
... Well, so far I have always assumed that Tomcat itself has always made this 
effort (assuming that it is enabled to do so in the connector), so that when I 
execute the method I'm just retrieving the value. Am I wrong?

In this case when using Nginx+Tomcat, I assume that Nginx already made the 
effort to get the remoteHost value as well, so Tomcat just receives it and I 
just need to invoke the method to get it. Maybe I'm wrong here.

I really appreciate your help!


> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: martes, 08 de septiembre de 2015 03:59 p.m.
> To: Tomcat Users List 
> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> behind Nginx (Nginx as a reverse proxy)
> 
> 2015-09-08 22:10 GMT+02:00 Brian :
> > Hello José,
> >
> > That's a nice idea indeed (A VERY NICE ONE!), but an extra work because of
> > the networking effort. I'm talking about a site that can get hundreds of
> > requests per second.
> 
> But you would want to execute ServletRequest.getRemoteHost() in every
> request , right ? That was your question.
> I don't know how is the Tomcat 6's ServletRequest.getRemoteHost()
> implementation , but I guess it's not very different to my code
> 
> Regards
> 
> 
> 
> 
> >
> > Since Nginx has access to this information, I bet there must be a way to
> > pass it to Tomcat the same way the IP address can be passed! But for some
> > reason I can't find it and I have spent quite some time looking for it.
> >
> > Thanks a lot!
> >
> >
> >> -Original Message-
> >> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> >> Sent: martes, 08 de septiembre de 2015 02:58 p.m.
> >> To: Tomcat Users List 
> >> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> >> behind Nginx (Nginx as a reverse proxy)
> >>
> >> 2015-09-08 21:22 GMT+02:00 Brian :
> >> > Hi,
> >> >
> >> >
> >> >
> >> > First of all, I'm using:
> >> >
> >> > - Tomcat 7.0.50
> >> >
> >> > - Nginx 1.4.7
> >> >
> >> >
> >> >
> >> > When I use Tomcat alone, ServletRequest.getRemoteHost()
> >> > (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
> >> > works fine. But when Tomcat is behind Nginx (Nginx acting
> >> > as a reverse proxy), it does not.
> >> >
> >> > Just to make myself clear, this is the architecture I'm talking about:
> >> >
> >> > Client -> Nginx (as a reverse proxy) -> Tomcat.
> >> >
> >> > The problem is that ServletRequest.getRemoteHost() gives me the hostname of
> >> > the proxy itself (meaning Nginx) and not that of the client.
> >> >
> >> > I was able to get the IP address of the visitor (and not that of the host
> >> > where Nginx is running) doing this on Nginx:
> >> >
> >> > server {
> >> >     listen 80;
> >> >     server_name www.acme.com acme.com;
> >> >     location / {
> >> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
> >> >         proxy_set_header Host $http_host;
> >> >         proxy_pass http://152.53.163.220:80/;
> >> >     }
> >> > }
> >> >
> >> > And then inspecting the content of the "X-Forwarded-For" header in my java
> >> > programming. But what do I do to obtain the remote hostname? I guess it is
> >> > something similar, but I haven't found a solution. What I want to know is:
> >> >
> >> > - Exactly what configuration do I need in Nginx
> >> >
> >> > - Exactly what do I do from Java to obtain the value.
> >>
> >> Why not do you perform a reverse DNS lookup by code ? Something like :
> >>
> >> InetAddress addr = InetAddress.getByName("xx.xx.xx.xx");
> >> String host = addr.getCanonicalHostName();
> >> System.out.println(host);
> >>
> >> You only need to extract 'X-Forwarded-For' header from request  and
> >> execute that piece of code
> >>
> >>
> >> Regards
> >>
> >> >
> >> >
> >> >
> >> > Thanks in advance,
> >> >
> >> >
> >> >
> >> > Brian
> >> >
> >>

Re: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jose María Zaragoza
2015-09-08 22:57 GMT+02:00 Jeffrey Janner :
>> -Original Message-
>> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
>> Sent: Tuesday, September 08, 2015 9:08 AM
>> To: Tomcat Users List 
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>>
>> 2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
>> >> -Original Message-
>> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> >> Sent: Friday, September 04, 2015 12:46 PM
>> >> To: Tomcat Users List 
>> >> Subject: Re: Multiple JSESSIONID cookies being presented.
>> >>
>> >> Jeffrey,
>> >>
>> >> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>> >> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
>> >> > also seeing this on Windows (version doesn't matter), with Tomcat
>> >> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
>> >> >
>> >> > I have 2 contexts installed in Tomcat, one is ROOT, the other
>> >> > APP2. Both contexts start off at a login screen unique to the
>> >> > context and provided by it (not using container auth).
>> >> >
>> >> > When I connect to ROOT, no problem, but when I connect to APP2, I
>> >> > get 2 JSESSIONID cookies, one with the path "/" and the other with
>> >> > the path "/APP2/".
>> >>
>> >> I would expect this behavior: you have one ROOT app (cookie path=/)
>> >> and one APP2 app (cookie path=/APP2). Your browser will send both
>> >> cookies to /APP2 because / is a prefix of /APP2.
>> >>
>> > Chris -
>> > I wanted to come back to this case.
>> > Why is the above "expected behavior"?
>> > The client is connecting directly as "https://hostname/APP2"; and never
>> going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on
>> first connection.  To me, this seems like a bug.
>> > Only being an admin, I've not fully read the spec, so not sure if the
>> above is really expected behavior.
>>
>>
>> http://www.ietf.org/rfc/rfc2109.txt
>>
>> The following rules apply to choosing applicable cookie-values from
>> among all the cookies the user agent has.
>>
>> Domain Selection
>>     The origin server's fully-qualified host name must domain-match
>>     the Domain attribute of the cookie.
>>
>> Path Selection
>>     The Path attribute of the cookie must match a prefix of the
>>     request-URI.
>>
>> Max-Age Selection
>>     Cookies that have expired should have been discarded and thus
>>     are not forwarded to an origin server.
>>
>> If multiple cookies satisfy the criteria above, they are ordered in
>> the Cookie header such that those with more specific Path attributes
>> precede those with less specific.  Ordering with respect to other
>> attributes (e.g., Domain) is unspecified.
>>
>>
>>
> Thanks for the clarification of what's supposed to happen on receipt, Jose.
> However, I am describing what happens on first contact from the client to the 
> server.
> The browser sends https://hostname/APP2, and Tomcat returns:
> JSESSIONID=, path=/   and   JSESSIONID=, path=/APP2/

Sorry, I misunderstood.
IMHO, that behaviour is strange.
Indeed, it doesn't make sense to me to return different ids (  ,
 ) if you are accessing only one context (/APP2)

Are you sure that your webapp deployed in /APP2 is not accessing
resources (session-aware resources such as JSP, servlet, ... I mean)
stored in the ROOT context?


>
> My contention is that it shouldn't be sending the first one, since it should 
> never route the request to the ROOT app, so it should not be generating a 
> cookie for it.
>
> However, taking what you say above at face value, are you saying that HaProxy 
> should only be forwarding the cookie with path=/APP2/ or should it forward 
> all of them and let Tomcat figure it out.

I don't know.
In a later email, I talked to you about using another cookie (SRV_ID)
to balance between backend servers. This feature is implemented by HA
Proxy (1.5 at least)


>
> Jeff




RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jeffrey Janner
> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: Tuesday, September 08, 2015 9:22 AM
> To: Tomcat Users List 
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
> >> -Original Message-
> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >> Sent: Friday, September 04, 2015 12:46 PM
> >> To: Tomcat Users List 
> >> Subject: Re: Multiple JSESSIONID cookies being presented.
> >>
> >> Jeffrey,
> >>
> > Now, it's been doing this since at least Tomcat 6, I have one running
> now, and I've never had a problem with it using direct connections.  But
> now we are front-ending with HaProxy and going to two backend tomcats,
> and using the JSESSIONID to support sticky-sessions.  I'm afraid the
> multiple cookies is confusing HaProxy. (Yes, I'm going to ask that user
> community.)
> > Jeff
> 
> 
> You could use another cookie to implement stickyness
> 
> "You can add a cookie SOME-COOKIE-NAME prefix directive into the
> backend. Then simply add the cookie directive within each server. Then
> HAProxy will append a cookie (or add onto an existing one) a
> identifier for each server. This cookie will be sent back in
> subsequent requests from the client, letting HAProxy know which server
> to send the request to. This looks like the following:"
> 
> backend nodes
> # Other options above omitted for brevity
>  cookie SRV_ID prefix
> server web01 127.0.0.1:9000 cookie check
> server web02 127.0.0.1:9001 cookie check
> server web03 127.0.0.1:9002 cookie check
> 
> 
> https://serversforhackers.com/load-balancing-with-haproxy
> 
Thanks Jose.  We considered that, as well as having HaProxy just generate its 
own sticky-session cookie, but it seemed like a better idea to just let Tomcat 
handle it and use stick-tables. We are moving towards a fully-clustered tomcat, 
so already having the config in place such that we only have to turn off the 
stick-tables and we'd be set to go. I'll eventually be supporting a fairly 
large number of backends and don't want to make the configuration of new ones 
very complicated. Making them simple and pushing the complication down to the 
tomcat level just seemed to make more sense.
In fact, I've parameterized the jvmRoute setting in the Tomcat server.xml and 
use the setenv.sh script to calculate the value based on the server the Tomcat 
is running on.
If only there were some way to have HaProxy read an already existing suffix in 
the cookie string, like httpd, my life would be perfect.
Jeff




Re: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Jose María Zaragoza
2015-09-08 22:10 GMT+02:00 Brian :
> Hello José,
>
> That’s a nice idea indeed (A VERY NICE ONE!), but an extra work because of 
> the networking effort. I'm talking about a site that can get hundreds of 
> requests per second.

But you would want to execute ServletRequest.getRemoteHost() in every
request , right ? That was your question.
I don't know how is the Tomcat 6's ServletRequest.getRemoteHost()
implementation , but I guess it's not very different to my code

Regards




>
> Since Nginx has access to this information, I bet there must be a way to pass 
> it to Tomcat the same way the IP address can be passed! But for some reason I 
> can't find it and I have spent quite some time looking for it.
>
> Thanks a lot!
>
>
>> -Original Message-
>> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
>> Sent: martes, 08 de septiembre de 2015 02:58 p.m.
>> To: Tomcat Users List 
>> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
>> behind Nginx (Nginx as a reverse proxy)
>>
>> 2015-09-08 21:22 GMT+02:00 Brian :
>> > Hi,
>> >
>> >
>> >
>> > First of all, I'm using:
>> >
>> > - Tomcat 7.0.50
>> >
>> > - Nginx 1.4.7
>> >
>> >
>> >
>> > When I use Tomcat alone, ServletRequest.getRemoteHost()
>> > (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
>> > works fine. But when Tomcat is behind Nginx (Nginx acting
>> > as a reverse proxy), it does not.
>> >
>> > Just to make myself clear, this is the architecture I'm talking about:
>> >
>> >
>> >
>> > Client -> Nginx (as a reverse proxy) -> Tomcat.
>> >
>> >
>> >
>> > The problem is that ServletRequest.getRemoteHost() gives me the hostname of
>> > the proxy itself (meaning Nginx) and not that of the client.
>> >
>> >
>> >
>> > I was able to get the IP address of the visitor (and not that of the host
>> > where Nginx is running) doing this on Nginx:
>> >
>> >
>> >
>> > server {
>> >     listen 80;
>> >     server_name www.acme.com acme.com;
>> >     location / {
>> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
>> >         proxy_set_header Host $http_host;
>> >         proxy_pass http://152.53.163.220:80/;
>> >     }
>> > }
>> >
>> >
>> >
>> > And then inspecting the content of the "X-Forwarded-For" header in my java
>> > programming. But what do I do to obtain the remote hostname? I guess it is
>> > something similar, but I haven't found a solution. What I want to know is:
>> >
>> > - Exactly what configuration do I need in Nginx
>> >
>> > - Exactly what do I do from Java to obtain the value.
>>
>> Why not do you perform a reverse DNS lookup by code ? Something like :
>>
>> InetAddress addr = InetAddress.getByName("xx.xx.xx.xx");
>> String host = addr.getCanonicalHostName();
>> System.out.println(host);
>>
>> You only need to extract 'X-Forwarded-For' header from request  and
>> execute that piece of code
>>
>>
>> Regards
>>
>> >
>> >
>> >
>> > Thanks in advance,
>> >
>> >
>> >
>> > Brian
>> >
>>



RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jeffrey Janner
> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: Tuesday, September 08, 2015 9:08 AM
> To: Tomcat Users List 
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
> >> -Original Message-
> >> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> >> Sent: Friday, September 04, 2015 12:46 PM
> >> To: Tomcat Users List 
> >> Subject: Re: Multiple JSESSIONID cookies being presented.
> >>
> >> Jeffrey,
> >>
> >> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> >> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> >> > also seeing this on Windows (version doesn't matter), with Tomcat
> >> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >> >
> >> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> >> > APP2. Both contexts start off at a login screen unique to the
> >> > context and provided by it (not using container auth).
> >> >
> >> > When I connect to ROOT, no problem, but when I connect to APP2, I
> >> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> >> > the path "/APP2/".
> >>
> >> I would expect this behavior: you have one ROOT app (cookie path=/)
> >> and one APP2 app (cookie path=/APP2). Your browser will send both
> >> cookies to /APP2 because / is a prefix of /APP2.
> >>
> > Chris -
> > I wanted to come back to this case.
> > Why is the above "expected behavior"?
> > The client is connecting directly as "https://hostname/APP2"; and never
> going directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on
> first connection.  To me, this seems like a bug.
> > Only being an admin, I've not fully read the spec, so not sure if the
> above is really expected behavior.
> 
> 
> http://www.ietf.org/rfc/rfc2109.txt
> 
> The following rules apply to choosing applicable cookie-values from
> among all the cookies the user agent has.
>
> Domain Selection
>     The origin server's fully-qualified host name must domain-match
>     the Domain attribute of the cookie.
>
> Path Selection
>     The Path attribute of the cookie must match a prefix of the
>     request-URI.
>
> Max-Age Selection
>     Cookies that have expired should have been discarded and thus
>     are not forwarded to an origin server.
>
> If multiple cookies satisfy the criteria above, they are ordered in
> the Cookie header such that those with more specific Path attributes
> precede those with less specific.  Ordering with respect to other
> attributes (e.g., Domain) is unspecified.
> 
> 
> 
Thanks for the clarification of what's supposed to happen on receipt, Jose.
However, I am describing what happens on first contact from the client to the 
server.
The browser sends https://hostname/APP2, and Tomcat returns:
JSESSIONID=, path=/   and   JSESSIONID=, path=/APP2/

My contention is that it shouldn't be sending the first one, since it should 
never route the request to the ROOT app, so it should not be generating a 
cookie for it.

However, taking what you say above at face value, are you saying that HaProxy 
should only be forwarding the cookie with path=/APP2/ or should it forward all 
of them and let Tomcat figure it out.

Jeff


RE: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
Hello José,

That’s a nice idea indeed (A VERY NICE ONE!), but an extra work because of the 
networking effort. I'm talking about a site that can get hundreds of requests 
per second.

Since Nginx has access to this information, I bet there must be a way to pass 
it to Tomcat the same way the IP address can be passed! But for some reason I 
can't find it and I have spent quite some time looking for it.

Thanks a lot!


> -Original Message-
> From: Jose María Zaragoza [mailto:demablo...@gmail.com]
> Sent: martes, 08 de septiembre de 2015 02:58 p.m.
> To: Tomcat Users List 
> Subject: Re: ServletRequest.getRemoteHost() not working when Tomcat is
> behind Nginx (Nginx as a reverse proxy)
> 
> 2015-09-08 21:22 GMT+02:00 Brian :
> > Hi,
> >
> >
> >
> > First of all, I'm using:
> >
> > - Tomcat 7.0.50
> >
> > - Nginx 1.4.7
> >
> >
> >
> > When I use Tomcat alone, ServletRequest.getRemoteHost()
> > (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
> > works fine. But when Tomcat is behind Nginx (Nginx acting
> > as a reverse proxy), it does not.
> >
> > Just to make myself clear, this is the architecture I'm talking about:
> >
> >
> >
> > Client -> Nginx (as a reverse proxy) -> Tomcat.
> >
> >
> >
> > The problem is that ServletRequest.getRemoteHost() gives me the hostname of
> > the proxy itself (meaning Nginx) and not that of the client.
> >
> >
> >
> > I was able to get the IP address of the visitor (and not that of the host
> > where Nginx is running) doing this on Nginx:
> >
> >
> >
> > server {
> >     listen 80;
> >     server_name www.acme.com acme.com;
> >     location / {
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
> >         proxy_set_header Host $http_host;
> >         proxy_pass http://152.53.163.220:80/;
> >     }
> > }
> >
> >
> >
> > And then inspecting the content of the "X-Forwarded-For" header in my java
> > programming. But what do I do to obtain the remote hostname? I guess it is
> > something similar, but I haven't found a solution. What I want to know is:
> >
> > - Exactly what configuration do I need in Nginx
> >
> > - Exactly what do I do from Java to obtain the value.
> 
> Why not do you perform a reverse DNS lookup by code ? Something like :
> 
> InetAddress addr = InetAddress.getByName("xx.xx.xx.xx");
> String host = addr.getCanonicalHostName();
> System.out.println(host);
> 
> You only need to extract 'X-Forwarded-For' header from request  and
> execute that piece of code
> 
> 
> Regards
> 
> >
> >
> >
> > Thanks in advance,
> >
> >
> >
> > Brian
> >
> 



Re: ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Jose María Zaragoza
2015-09-08 21:22 GMT+02:00 Brian :
> Hi,
>
>
>
> First of all, I'm using:
>
> - Tomcat 7.0.50
>
> - Nginx 1.4.7
>
>
>
> When I use Tomcat alone, ServletRequest.getRemoteHost()
> (http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
> works fine. But when Tomcat is behind Nginx (Nginx acting
> as a reverse proxy), it does not.
>
> Just to make myself clear, this is the architecture I'm talking about:
>
>
>
> Client -> Nginx (as a reverse proxy) -> Tomcat.
>
>
>
> The problem is that ServletRequest.getRemoteHost() gives me the hostname of
> the proxy itself (meaning Nginx) and not that of the client.
>
>
>
> I was able to get the IP address of the visitor (and not that of the host
> where Nginx is running) doing this on Nginx:
>
>
>
> server {
>     listen 80;
>     server_name www.acme.com acme.com;
>     location / {
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
>         proxy_set_header Host $http_host;
>         proxy_pass http://152.53.163.220:80/;
>     }
> }
>
>
>
> And then inspecting the content of the "X-Forwarded-For" header in my java
> programming. But what do I do to obtain the remote hostname? I guess it is
> something similar, but I haven't found a solution. What I want to know is:
>
> - Exactly what configuration do I need in Nginx
>
> - Exactly what do I do from Java to obtain the value.

Why don't you perform a reverse DNS lookup in code? Something like:

InetAddress addr = InetAddress.getByName("xx.xx.xx.xx");
String host = addr.getCanonicalHostName();
System.out.println(host);

You only need to extract the 'X-Forwarded-For' header from the request and
execute that piece of code.


Regards

>
>
>
> Thanks in advance,
>
>
>
> Brian
>
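
The header-plus-reverse-lookup approach from this reply, written out as an added example (not code from the thread). With `$proxy_add_x_forwarded_for`, Nginx appends the address it saw to whatever X-Forwarded-For value the client sent, so only the right-most entry is written by the proxy and the PTR name is kept only if it resolves back to the same address. The class name, the trusted-proxy set and the sample addresses are assumptions, and only IPv4 literals are handled; in a servlet the inputs would be `request.getRemoteAddr()` and `request.getHeader("X-Forwarded-For")`.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ForwardedClient {
    // Assumption: the only peers allowed to supply X-Forwarded-For. 203.0.113.10 is a
    // constructed documentation address standing in for the Nginx host.
    static final Set<String> TRUSTED_PROXIES =
            new HashSet<>(Arrays.asList("127.0.0.1", "203.0.113.10"));

    /** Parses a dotted-quad IPv4 literal without any DNS lookup; null if malformed. */
    static InetAddress parseIpv4(String s) {
        String[] parts = s.trim().split("\\.", -1);
        if (parts.length != 4) return null;
        byte[] raw = new byte[4];
        for (int i = 0; i < 4; i++) {
            if (!parts[i].matches("[0-9]{1,3}")) return null;
            int octet = Integer.parseInt(parts[i]);
            if (octet > 255) return null;
            raw[i] = (byte) octet;
        }
        try {
            return InetAddress.getByAddress(raw);
        } catch (UnknownHostException e) {
            return null; // not reachable for a 4-byte array
        }
    }

    /**
     * Picks the client address: the right-most X-Forwarded-For entry that is not a
     * trusted proxy. Entries further left were supplied by the client and are ignored.
     * Returns the peer itself (null if it is not an IPv4 literal) when the header is unusable.
     */
    static InetAddress clientAddress(String peerAddr, String xForwardedFor) {
        InetAddress peer = parseIpv4(peerAddr);
        if (xForwardedFor == null || !TRUSTED_PROXIES.contains(peerAddr)) {
            return peer; // header absent, or sent by someone other than our proxy
        }
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            InetAddress hop = parseIpv4(hops[i]);
            if (hop == null) return peer; // malformed entry: stop trusting the header
            if (!TRUSTED_PROXIES.contains(hop.getHostAddress())) return hop;
        }
        return peer;
    }

    /** Reverse lookup that keeps the name only if it resolves forward to the same address. */
    static String verifiedHostName(InetAddress ip) {
        String name = ip.getCanonicalHostName(); // the literal comes back if no name is found
        if (name.equals(ip.getHostAddress())) return null;
        try {
            for (InetAddress forward : InetAddress.getAllByName(name)) {
                if (forward.equals(ip)) return name;
            }
        } catch (UnknownHostException e) {
            // the name from the PTR record does not resolve
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed header: the client sent "192.0.2.99" itself, Nginx appended the real peer.
        String header = "192.0.2.99, 198.51.100.7";
        InetAddress client = clientAddress("203.0.113.10", header);
        System.out.println("client address: " + client.getHostAddress());
        System.out.println("verified name : " + verifiedHostName(client));
        // A peer that is not the proxy cannot make the application believe its header.
        System.out.println("untrusted peer: "
                + clientAddress("198.51.100.50", header).getHostAddress());
    }
}
```

Tomcat also ships `org.apache.catalina.valves.RemoteIpValve`, which applies the same trusted-proxy handling of X-Forwarded-For inside the container.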




ServletRequest.getRemoteHost() not working when Tomcat is behind Nginx (Nginx as a reverse proxy)

2015-09-08 Thread Brian
Hi,

 

First of all, I'm using:

- Tomcat 7.0.50

- Nginx 1.4.7

 

When I use Tomcat alone, ServletRequest.getRemoteHost()
(http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getRemoteHost())
works fine. But when Tomcat is behind Nginx (Nginx acting
as a reverse proxy), it does not.

Just to make myself clear, this is the architecture I'm talking about: 

 

Client -> Nginx (as a reverse proxy) -> Tomcat.

 

The problem is that ServletRequest.getRemoteHost() gives me the hostname of
the proxy itself (meaning Nginx) and not that of the client.

 

I was able to get the IP address of the visitor (and not that of the host
where Nginx is running) doing this on Nginx:

 

server {
    listen 80;
    server_name www.acme.com acme.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # <--- This line did the trick
        proxy_set_header Host $http_host;
        proxy_pass http://152.53.163.220:80/;
    }
}

 

And then inspecting the content of the "X-Forwarded-For" header in my java
programming. But what do I do to obtain the remote hostname? I guess it is
something similar, but I haven't found a solution. What I want to know is:

- Exactly what configuration do I need in Nginx 

- Exactly what do I do from Java to obtain the value.

 

Thanks in advance,

 

Brian



Re: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jose María Zaragoza
2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
>> -Original Message-
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Friday, September 04, 2015 12:46 PM
>> To: Tomcat Users List 
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>>
>>
>> Jeffrey,
>>
> Now, it's been doing this since at least Tomcat 6, I have one running now, 
> and I've never had a problem with it using direct connections.  But now we 
> are front-ending with HaProxy and going to two backend tomcats, and using the 
> JSESSIONID to support sticky-sessions.  I'm afraid the multiple cookies is 
> confusing HaProxy. (Yes, I'm going to ask that user community.)
> Jeff


You could use another cookie to implement stickiness

"You can add a cookie SOME-COOKIE-NAME prefix directive into the
backend. Then simply add the cookie directive within each server. Then
HAProxy will append a cookie (or add onto an existing one) an
identifier for each server. This cookie will be sent back in
subsequent requests from the client, letting HAProxy know which server
to send the request to. This looks like the following:"

backend nodes
    # Other options above omitted for brevity
    cookie SRV_ID prefix
    # "cookie <value>" on each server line sets that server's identifier
    server web01 127.0.0.1:9000 cookie web01 check
    server web02 127.0.0.1:9001 cookie web02 check
    server web03 127.0.0.1:9002 cookie web03 check


https://serversforhackers.com/load-balancing-with-haproxy




Re: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jose María Zaragoza
2015-09-08 15:51 GMT+02:00 Jeffrey Janner :
>> -Original Message-
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Friday, September 04, 2015 12:46 PM
>> To: Tomcat Users List 
>> Subject: Re: Multiple JSESSIONID cookies being presented.
>>
>>
>> Jeffrey,
>>
>> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
>> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
>> > also seeing this on Windows (version doesn't matter), with Tomcat
>> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
>> >
>> > I have 2 contexts installed in Tomcat, one is ROOT, the other
>> > APP2. Both contexts start off at a login screen unique to the
>> > context and provided by it (not using container auth).
>> >
>> > When I connect to ROOT, no problem, but when I connect to APP2, I
>> > get 2 JSESSIONID cookies, one with the path "/" and the other with
>> > the path "/APP2/".
>>
>> I would expect this behavior: you have one ROOT app (cookie path=/)
>> and one APP2 app (cookie path=/APP2). Your browser will send both
>> cookies to /APP2 because / is a prefix of /APP2.
>>
> Chris -
> I wanted to come back to this case.
> Why is the above "expected behavior"?
> The client is connecting directly as "https://hostname/APP2" and never going 
> directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first 
> connection.  To me, this seems like a bug.
> Only being an admin, I've not fully read the spec, so not sure if the above 
> is really expected behavior.


http://www.ietf.org/rfc/rfc2109.txt

   The following rules apply to choosing applicable cookie-values from
   among all the cookies the user agent has.

   Domain Selection
        The origin server's fully-qualified host name must domain-match
        the Domain attribute of the cookie.

   Path Selection
        The Path attribute of the cookie must match a prefix of the
        request-URI.

   Max-Age Selection
        Cookies that have expired should have been discarded and thus
        are not forwarded to an origin server.

   If multiple cookies satisfy the criteria above, they are ordered in
   the Cookie header such that those with more specific Path attributes
   precede those with less specific.  Ordering with respect to other
   attributes (e.g., Domain) is unspecified.



> Now, it's been doing this since at least Tomcat 6, I have one running now, 
> and I've never had a problem with it using direct connections.  But now we 
> are front-ending with HaProxy and going to two backend tomcats, and using the 
> JSESSIONID to support sticky-sessions.  I'm afraid the multiple cookies is 
> confusing HaProxy. (Yes, I'm going to ask that user community.)
> Jeff
>
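
The path selection and ordering rules quoted above from RFC 2109, applied to the two JSESSIONID cookies in this thread, as an added example that is not code from the thread or from Tomcat. The class and method names and the session values are constructed; the Cookie header is reduced to name=value pairs and matching is the plain prefix rule as quoted.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

public class CookiePathSelection {

    /** A stored cookie, reduced to the attributes the quoted rules look at. */
    static final class StoredCookie {
        final String name, value, path;
        StoredCookie(String name, String value, String path) {
            this.name = name; this.value = value; this.path = path;
        }
    }

    /**
     * Builds the Cookie header for requestPath: keeps every cookie whose Path is a
     * prefix of the request path and lists the more specific (longer) paths first.
     */
    static String cookieHeader(List<StoredCookie> jar, String requestPath) {
        List<StoredCookie> selected = new ArrayList<>();
        for (StoredCookie c : jar) {
            if (requestPath.startsWith(c.path)) selected.add(c);
        }
        // List.sort is stable, so cookies with equal path length keep their jar order.
        selected.sort(Comparator.comparingInt((StoredCookie c) -> c.path.length()).reversed());
        StringBuilder header = new StringBuilder();
        for (StoredCookie c : selected) {
            if (header.length() > 0) header.append("; ");
            header.append(c.name).append('=').append(c.value);
        }
        return header.toString();
    }

    /** A consumer that wants one value per name reads the first, most specific, match. */
    static String firstValue(String cookieHeader, String name) {
        for (String pair : cookieHeader.split(";")) {
            String[] kv = pair.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) return kv[1];
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed session ids; the two paths are the ones from the thread.
        List<StoredCookie> jar = new ArrayList<>();
        jar.add(new StoredCookie("JSESSIONID", "ROOT-SESSION", "/"));
        jar.add(new StoredCookie("JSESSIONID", "APP2-SESSION", "/APP2/"));

        String toApp2 = cookieHeader(jar, "/APP2/login");
        System.out.println("/APP2/login -> " + toApp2);
        System.out.println("first JSESSIONID there: " + firstValue(toApp2, "JSESSIONID"));
        // Only the path=/ cookie applies outside /APP2/.
        System.out.println("/index.jsp  -> " + cookieHeader(jar, "/index.jsp"));
    }
}
```

Because the path=/ cookie matches every request path, the ROOT session id is also sent with requests to /APP2/, and anything that reads JSESSIONID by name sees two values.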




RE: Multiple JSESSIONID cookies being presented.

2015-09-08 Thread Jeffrey Janner
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, September 04, 2015 12:46 PM
> To: Tomcat Users List 
> Subject: Re: Multiple JSESSIONID cookies being presented.
> 
> 
> Jeffrey,
> 
> On 9/4/15 12:37 PM, Jeffrey Janner wrote:
> > I'm running Tomcat 8.0.24 on Ubuntu 14.04 with Java 8u45, but I'm
> > also seeing this on Windows (version doesn't matter), with Tomcat
> > 7.0.57 and Java 7u71, and Tomcat 6.0.43 and Java 7U51.
> >
> > I have 2 contexts installed in Tomcat, one is ROOT, the other
> > APP2. Both contexts start off at a login screen unique to the
> > context and provided by it (not using container auth).
> >
> > When I connect to ROOT, no problem, but when I connect to APP2, I
> > get 2 JSESSIONID cookies, one with the path "/" and the other with
> > the path "/APP2/".
> 
> I would expect this behavior: you have one ROOT app (cookie path=/)
> and one APP2 app (cookie path=/APP2). Your browser will send both
> cookies to /APP2 because / is a prefix of /APP2.
> 
Chris -
I wanted to come back to this case. 
Why is the above "expected behavior"?
The client is connecting directly as "https://hostname/APP2" and never going 
directly to the ROOT app, yet gets both JSESSIONIDs from Tomcat on first 
connection.  To me, this seems like a bug.
Only being an admin, I've not fully read the spec, so not sure if the above is 
really expected behavior.
Now, it's been doing this since at least Tomcat 6, I have one running now, and 
I've never had a problem with it using direct connections.  But now we are 
front-ending with HaProxy and going to two backend tomcats, and using the 
JSESSIONID to support sticky-sessions.  I'm afraid the multiple cookies is 
confusing HaProxy. (Yes, I'm going to ask that user community.)
Jeff



Unable to get the jmx information for tomcat 8 from command line(curl command)

2015-09-08 Thread Andrew M
Hi Guys, 
Any idea why it is saying "401 Unauthorized" 
I execute the following command: curl -1 --max-time 10 -s -k -u 
tomcat_jmx:'eyFW$&$FvSIp#FUk' --url https://pentagon505:8443/deploy/jmxproxy?
I have added the user to tomcat-users.xml configuration file as well 
       
Where are the things going wrong? 
Please note that I am executing the command from a remote server: 
Complete output is as follows:

401 Unauthorized

You are not authorized to view this page. If you have not changed any
configuration files, please examine the file conf/tomcat-users.xml in your
installation. That file must contain the credentials to let you use this
webapp.

For example, to add the manager-gui role to a user named tomcat with a
password of s3cret, add the following to the config file listed above.

Note that for Tomcat 7 onwards, the roles required to use the manager
application were changed from the single manager role to the following four
roles. You will need to assign the role(s) required for the functionality
you wish to access.

- manager-gui - allows access to the HTML GUI and the status pages
- manager-script - allows access to the text interface and the status pages
- manager-jmx - allows access to the JMX proxy and the status pages
- manager-status - allows access to the status pages only

The HTML interface is protected against CSRF but the text and JMX interfaces
are not. To maintain the CSRF protection:

- Users with the manager-gui role should not be granted either the
  manager-script or manager-jmx roles.
- If the text or jmx interfaces are accessed through a browser (e.g. for
  testing since these interfaces are intended for tools not humans) then the
  browser must be closed afterwards to terminate the session.

For more information - please see the Manager App HOW-TO.
Would greatly appreciate your help. 
Thanks !
Andrew

WARNING [Tribes-Task-Receiver-3] org.apache.catalina.ha.session.ClusterSessionListener.messageReceived Context manager doesn't exist

2015-09-08 Thread Martijn Bos
Hi all,

I tried to create a cluster of two hosts, at which I did not succeed
completely.

OS(both systems):
SMP Debian 3.16.7

java (both systems):
martijn@bloemkool:~/apache-tomcat-8.0.26/conf$ java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

Tomcat (both systems):
Apache Tomcat/8.0.26

I installed 2 Tomcats.
One on host bloemkool.bos.
The server.xml:
-

-

And one on broccoli.bos.
The server.xml:
-

-

I see some communication between the nodes, which indicates to me that a
lot is going OK.

However, if I deploy a webapp on one host, I'll get a warning on the
other host and the webapp will not be deployed:

Logging from the host on which I deploy:
-
08-Sep-2015 12:55:35.144 INFO [http-nio-8080-exec-9]
org.apache.catalina.startup.HostConfig.deployWAR Deploying web
application archive /home/martijn/apache-tomcat-8.0.26/webapps/hw2.war
08-Sep-2015 12:55:35.291 WARNING [http-nio-8080-exec-9]
org.apache.catalina.startup.SetContextPropertiesRule.begin
[SetContextPropertiesRule]{Context} Setting property 'antiJARLocking' to
'true' did not find a matching property.
08-Sep-2015 12:55:35.576 INFO [http-nio-8080-exec-9]
org.apache.catalina.ha.session.DeltaManager.startInternal Register
manager /hw2 to cluster element Host with name bloemkool.bos
08-Sep-2015 12:55:35.577 INFO [http-nio-8080-exec-9]
org.apache.catalina.ha.session.DeltaManager.startInternal Starting
clustering manager at /hw2
08-Sep-2015 12:55:35.736 INFO [http-nio-8080-exec-9]
org.apache.catalina.ha.session.DeltaManager.getAllClusterSessions
Manager [/hw2], requesting session state from
org.apache.catalina.tribes.membership.MemberImpl[tcp://{192, 168, 2,
124}:4000,{192, 168, 2, 124},4000, alive=210612, securePort=-1, UDP
Port=-1, id={-43 -36 -16 -70 71 113 74 112 -79 39 -47 -84 51 -124 72 -70
}, payload={}, command={}, domain={}, ]. This operation will timeout if
no session state has been received within 60 seconds.
08-Sep-2015 12:55:35.857 WARNING [http-nio-8080-exec-9]
org.apache.catalina.ha.session.DeltaManager.waitForSendAllSessions
Manager [/hw2]: No context manager send at 9/8/15 12:55 PM received in
260 ms.
08-Sep-2015 12:55:35.867 INFO [http-nio-8080-exec-9]
org.apache.catalina.startup.HostConfig.deployWAR Deployment of web
application archive /home/martijn/apache-tomcat-8.0.26/webapps/hw2.war
has finished in 722 ms
08-Sep-2015 12:55:35.867 INFO [http-nio-8080-exec-9]
org.apache.catalina.core.ApplicationContext.log HTMLManager: list:
Listing contexts for virtual host 'bloemkool.bos'
-

And logging from the host which fails:
-
08-Sep-2015 12:55:35.789 WARNING [Tribes-Task-Receiver-3]
org.apache.catalina.ha.session.ClusterSessionListener.messageReceived
Context manager doesn't exist:/hw2
-

I'm a bit out of options. Google did not come up with a solution (at
least not for me).

Can someone point me in the right direction (or is there a solution
available?).

Any pointers or advice are greatly appreciated.


Best Regards,
Martijn





Undefined behaviour with Credential Handler

2015-09-08 Thread Sreyan Chakravarty
Okay, so if I have stored my password in my DB with SHA256 encryption, can
the credential handler declared in the realm work if it is declared
with SHA512?

As far as I know it must be the same algorithm, salt and iterations for the
hash to be matched perfectly.

Now take my case:

 

Okay, this is the credential handler that I am using. In my DB the password is
stored using PBEWITHHMACSHA384ANDAES_256, a completely different algorithm
than the one specified before. So how come, when I put in my user-id and
password on my form-login page, I am not getting an authentication error and
instead I am being forwarded to the protected resource?

It should use the algorithm in the CredentialHandler to mutate the
password. Now don't tell me that two different algorithms offer the same
hash.

What is going on here?

Regards
Sreyan Chakravarty


Tomcat access log customization

2015-09-08 Thread Eric Tang
Dear Tomcat support,

I am a developer working on Java applications and have been using different
containers and deployment platforms. I have a question about the
access logs.

The access logs of Tomcat are configured in $TOMCAT_HOME/conf/server.xml, in
the "Valve" attribute
with className="org.apache.catalina.valves.AccessLogValve". The format of
the log is governed by the pattern expression, referenced in the documentation
of Tomcat (TOMCAT_URI/config/valve.html).

Is it possible to format the log with customized field names and string
contents? I've been looking for an answer on the web but found no clear
answer.
I read through the usage / developer docs and source code of Tomcat and
found some clues. Would this require modifications of the Tomcat source code:

Editing "protected AccessLogElement createAccessLogElement()" to add new
pattern items in the switch-case flow for any new field-value pairs, and
implementing new element class(es) for AccessLogValve.

Could you please kindly advise?
Thank you.

Eric


Re: Tomcat 8 Session Timeout

2015-09-08 Thread Theo . Sweeny
Hi Chris - I added this value to the Engine container - 

backgroundProcessorDelay="20"

This has made a big improvement  - there is much more frequent clear down 
of the sessions.

Is there a config setting for maximum session age?

The reason for asking is that in a REST stateless environment the concept 
is to tear down after each request is served. However - this may have 
performance implications for Tomcat. Are there any best practices papers / 
pointers for stateless setup?

Theo




From:   Christopher Schultz 
To: Tomcat Users List , 
Date:   04/09/2015 18:39
Subject:Re: Tomcat 8 Session Timeout




Theo,

On 9/4/15 6:14 AM, theo.swe...@avios.com wrote:
> Hi Chris - the servlet spec states "If the time out is 0 or less,
> the container ensures the default behavior of sessions is never to
> time out."
> 
> Currently the timeout value is set to 2 minutes.
> 
> However the problem is persisting - the environment is using
> Jersey Servlet 1.3 for REST.
> 
> If we look inside web service stats -
> 
> Longest session alive time: 183 s / Processing time: 625 ms Longest
> session alive time: 207 s / Processing time: 232 ms
> 
> The current session timeout is set to 120 seconds, so neither of
> these above session times make any sense, unless a dependency is
> hanging?

Remember that the session timeout is not session age. If you have a
process which is touching the session more often than every 2 minutes
or so, then the session will live indefinitely.

Is the background processing thread still running? If it dies, your
sessions will never time out. Also, the background processing thread
is the thread that reaps old sessions... if you have the background
processor thread set to run infrequently, you'll see the behavior you
describe.

-chris



Re: tomcat virtualhost configuration confuse

2015-09-08 Thread Mike.Guo
Found one hack solution: create a soft link from the other folder to ROOT


Sent from my iPhone

> On September 7, 2015, at 09:51, Mike Guo wrote:
> 
> Hi, folks.
> 
> 
> I really need your help. I am so confused about the Tomcat 8.0.26 
> virtual host configuration.
> 
> 
> Per the Tomcat documentation, it is really easy to configure.
> 
> So, I did what is needed according to the documentation.
> 
> Let me give an example here.
> 
> I have two hosts: localhostting and www.demo.com.
> 
> 
> I added this configuration to conf/server.xml:
> 
>unpackWARs="true" autoDeploy="true">
>  directory="logs"
>prefix="demo_access_log" suffix=".txt"
>pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> 
>   
> 
> 
> And then I started up Tomcat directly. I know there are some directories 
> that need to be created, but I found Tomcat will do it automatically. For 
> example, Tomcat already created the app base directory for host www.demo.com: 
> demo. 
> 
> So, let me count them:
> %tomcat_install%/demo (which is the host's app base folder)
> %tomcat_install%/conf/Catalina/www.demo.com (which is the host's 
> configuration folder)
> %tomcat_install%/work/Catalina/www.demo.com (which is the host's work 
> folder).
> 
> What I mean is that all the folders were already created; none were missed.
> 
> Then I shut down the virtual host. I have not done any testing yet. I 
> just want to put an application into my virtual host. Also, I want my 
> application to be deployed as the ROOT application.
> 
> So, per the documentation, I have two choices. Copy the whole application to 
> the %tomcat_install%/demo/ROOT folder (or make a war package named ROOT). I know 
> this will work, but I am in the development phase. I don't want to have to 
> deploy my application every time I debug or develop, because every time I 
> re-deploy, the session will be gone, which causes me trouble when I do 
> debugging on a page. So I checked the "context" documentation and found we can use 
> docbase to put the application somewhere else. Right now, let us assume the app 
> which I am developing is here: /home/ghw/demo, which is web content too.
> 
> 
> So, per the Tomcat 8 documentation,
> 
> I put a ROOT.xml here: %tomcat_install%/conf/Catalina/www.demo.com/ and, at the same 
> time, I deleted the ROOT folder in %tomcat_install%/demo/, which is the place 
> where we need to deploy the application. 
> 
> So, I suppose the virtual host should work like this.
> One thing: the ROOT.xml content is like this:
> 
> 
> 
> And then I restarted Tomcat
> 
> and accessed www.demo.com/index.jsp (which is a very simple JSP file that just says 
> "hello world").
> 
> 
> But I got a 404 error.
> 
> 
> I tried to set the appBase to "" (empty) (someone said to do this, but I 
> didn't find any official documentation for it on Tomcat) in conf/server.xml; it doesn't 
> work. I tried many times, many ways. There are no logs and no error hints; it just 
> gives me a blank page or 404.
> 
> 
> It is almost killing me. Is there anyone who can give me a tip?
> 
> 
> It looks like docBase never works for Tomcat 8. Why?
> Did I do anything wrong?
> 
> 
> Thanks so much
> 
> 
> Mike.G