Re: Tomcat Conflicting with Group Policy Client
On 19.11.2015 05:19, Nick Childs wrote:
> Tomcat Version: 6.0.39
> Operating System: Server 2012 R2 Standard
> Configuration: We are utilizing Tomcat as part of a Pentaho deployment - Tomcat is utilized for Pentaho's Data Integration and Business Analytics services.
>
> Description: We have a custom Deployment of Pentaho using PostgreSQL and Tomcat Apache running within the current version of our proprietary Medical Imaging software. The integration works well, but we have spent months struggling to identify the cause of a major conflict between the PostgreSQL/Tomcat integration and group policy client in windows domain environments.
>
> Whenever the PostgreSQL and Tomcat Apache (Pentaho Data Integration) services are running, we begin to see 1 hour + reboot times and gpupdate failures due to the group policy client just hanging for long periods of time with no explanation. If only Pentaho is running, no problem is experienced. If only Tomcat is running, no problem is experienced - it is only when we have both running/communicating the Group Policy updates begin to fail.
>
> We have enabled all known debugging in Group Policy, PostgreSQL, Pentaho, and Tomcat, performed xBootMgr traces, performed Process Monitor analysis, and Packet Captures, but have been unable to determine the cause of the conflict. We are also working with Microsoft, Pentaho, and PostgreSQL independently to try and flush out the culprit.
>
> After spending weeks analyzing and reviewing our development team's internal notes, I have become fairly confident that the root cause of this problem is related to the way that we deployed Tomcat, and the way that Tomcat/PostgreSQL communicate with each other, but I have not found solid proof that actually indicates this yet. I have learned a lot about how PostgreSQL/Tomcat are functioning in this environment over the last week, but I am not part of the team that deployed this, and am certainly not an expert on Pentaho, PostgreSQL, or Tomcat.
>
> I have been collecting a list of debug error/warnings from the Tomcat logs over the last few days (attached), and I am hoping someone who is an expert on this stuff can possibly review this list of errors, provide an explanation/priority for each, and answer the following questions:
>
> 1. Are there any known conflicts with Tomcat and GroupPolicy in Windows domain environments? Required Configurations? Workarounds?
> 3. Are there any special debugging options or monitoring tools that we could use to get more information about what Tomcat is doing during the time periods that Group Policy Client is hung? The built-in logging is not helping us.
> 4. Do you have any suggestions or options that we can try to see if our behavior changes?
>
> Please let me know if there is any additional information I can provide to help.

Hi.

I don't know anything about the various non-Tomcat softwares you are mentioning, and just a little bit about Tomcat. But the one thing I see in your Tomcat logfile, is that there seem to be a lot of TCP connection errors of the kind "(Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.)" These seem to be related mostly to PostgreSQL. Maybe there is a limit (in the PostgreSQL configuration) to how many connections it accepts at the same time ? or maybe the PostgreSQL server is just overloaded ?

Anyway, I would check this first, because there is a chance that many of the other errors which you are seeing are cascading down from there.

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat's JNDI lookups fail if java.naming.factory.object property is specified
Hi,

2015-11-16 8:39 GMT+02:00 Dimitar Valov:
>
> Hello,
>
> It is really easy to reproduce this problem even if the default factory org.apache.naming.factory.ResourceFactory is used (set JAVA_OPTS=%JAVA_OPTS% -Djava.naming.factory.object=org.apache.naming.factory.ResourceFactory)
>
> Do you think that this should happen?

I found this in the archives [1]

Regards,
Violeta

[1] http://markmail.org/message/ux4tbigxqrm3tmzy

> Best Regards,
> Dimitar
>
> On Thu, Nov 5, 2015 at 1:51 PM, Dimitar Valov wrote:
>
> > Hello,
> >
> > Exceptions such as this are found in the logs when java.naming.factory.object is present
> > 04-Nov-2015 15:40:51.560 SEVERE [main] org.apache.catalina.realm.UserDatabaseRealm.startInternal Exception looking up UserDatabase under key UserDatabase
> > java.lang.ClassCastException: Cannot cast class org.apache.naming.ResourceRef to interface org.apache.catalina.UserDatabase
> >     at org.apache.catalina.realm.UserDatabaseRealm.startInternal(UserDatabaseRealm.java:232)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.realm.CombinedRealm.startInternal(CombinedRealm.java:249)
> >     at org.apache.catalina.realm.LockOutRealm.startInternal(LockOutRealm.java:120)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:905)
> >     at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.core.StandardService.startInternal(StandardService.java:439)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:769)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> >     at org.apache.catalina.startup.Catalina.start(Catalina.java:625)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:497)
> >     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:351)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:485)
> >
> > It is also not possible to add additional ObjectFactories with java.naming.factory.object property.
> >
> > Steps to reproduce:
> >
> > setenv.bat:
> > set JAVA_OPTS=%JAVA_OPTS% -Djava.naming.factory.object=org.apache.naming.factory.ResourceFactory:custom.CustomObjectFactory
> >
> > setenv.sh:
> > export JAVA_OPTS=$JAVA_OPTS -Djava.naming.factory.object=org.apache.naming.factory.ResourceFactory:custom.CustomObjectFactory
> >
> > Details:
> >
> > 1. org.apache.naming.ResourceRef.getFactoryClassName() returns null:
> >    https://github.com/apache/tomcat/blob/trunk/java/org/apache/naming/ResourceRef.java#L134
> >
> > 2. Consequently http://docs.oracle.com/javase/8/docs/api/javax/naming/spi/NamingManager.html#getObjectInstance-java.lang.Object-javax.naming.Name-javax.naming.Context-java.util.Hashtable- falls to option 3, however the environment does not contain any values and returns the refInfo (An object created using refInfo; or refInfo if an object cannot be created using the algorithm described above.).
> >
> > Possible Reasons:
> >
> > 1. org.apache.catalina.core.NamingContextListener.lifecycleEvent() uses an empty Hashtable for specifying the environment of the NamingContext:
> >    https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/NamingContextListener.java#L235
> >    This is the place where the environment is initially created before lookups are made.
> >
> > Possible Solutions:
> >
> > 1. Add the object factories as specified in the environment to the initial context environment:
> >
> >    contextEnv.put(javax.naming.Context.OBJECT_FACTORIES, System.getProperty(javax.naming.Context.OBJECT_FACTORIES));
> >
> >    in https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/core/NamingContextListener.java#L235
> >
> > Attachments:
> >
> > The projects.zip contains two maven projects: a web application that uses custom resource type and extension to Tomcat that adds a custom ObjectFactory.
> >
> > Also regarding https://tomcat.apache.org/tomcat-8.0-doc/jndi-resources-howto.html#Adding_Custom_Resource_Factories , there is step "2. Declare Your Resource Requirements" which states to add a resource-env-ref inside web.xml. I've noticed when the resource is
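The lookup behaviour described in the report above, reduced to JDK classes only, as an added example that is not part of the thread or of Tomcat's code: a `Reference` without a factory class name comes back unchanged when the environment passed to `NamingManager.getObjectInstance()` is empty, and is resolved once `java.naming.factory.object` is present in that environment. `Widget` and `WidgetFactory` are hypothetical stand-ins for the resource type and for `custom.CustomObjectFactory`.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.Reference;
import javax.naming.spi.NamingManager;
import javax.naming.spi.ObjectFactory;

/** Added example using only JDK classes; no Tomcat code is involved. */
public class ObjectFactoriesEnvDemo {

    /** Hypothetical resource type (stands in for e.g. a UserDatabase). */
    public static final class Widget {
        private final String type;

        Widget(String type) {
            this.type = type;
        }

        @Override
        public String toString() {
            return "Widget[" + type + "]";
        }
    }

    /** Hypothetical factory, loaded by class name like any JNDI ObjectFactory. */
    public static final class WidgetFactory implements ObjectFactory {
        @Override
        public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                        Hashtable<?, ?> environment) {
            if (obj instanceof Reference) {
                return new Widget(((Reference) obj).getClassName());
            }
            return null; // not ours: let the next factory in the list try
        }
    }

    /** Same call a naming context makes when a bound Reference is looked up. */
    static Object resolve(Reference ref, Hashtable<String, Object> env) throws Exception {
        return NamingManager.getObjectInstance(ref, null, null, env);
    }

    public static void main(String[] args) throws Exception {
        // A Reference created from a class name alone has no factory class name,
        // which is the situation the report describes for ResourceRef.
        Reference ref = new Reference(Widget.class.getName());

        // Case 1: empty environment. No factory list is found, so the
        // Reference itself is returned and a later cast to the resource
        // type fails with ClassCastException.
        Object unresolved = resolve(ref, new Hashtable<>());
        if (unresolved != ref) {
            throw new AssertionError("expected the Reference to be returned as-is");
        }
        System.out.println("empty env       -> " + unresolved.getClass().getName());

        // Case 2: environment carries the factory list (the report's proposed
        // fix copies it from the system property). Falls back to the demo
        // factory when the property is not set on the command line.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.OBJECT_FACTORIES,
                System.getProperty(Context.OBJECT_FACTORIES, WidgetFactory.class.getName()));
        Object resolved = resolve(ref, env);
        System.out.println("factories in env -> " + resolved);
    }
}
```

Setting `-Djava.naming.factory.object=...` on the command line does not change case 1, because system properties are only merged into the environment when an `InitialContext` is constructed, not when a `Hashtable` is handed to `NamingManager` directly.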
Re: Tomcat Conflicting with Group Policy Client
On Thu, Nov 19, 2015 at 10:34:55AM +0100, André Warnier (tomcat) wrote:
> I don't know anything about the various non-Tomcat softwares you are mentioning, and just a little bit about Tomcat. But the one thing I see in your Tomcat logfile, is that there seem to be a lot of TCP connection errors of the kind "(Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.)" These seem to be related mostly to PostgreSQL. Maybe there is a limit (in the PostgreSQL configuration) to how many connections it accepts at the same time ? or maybe the PostgreSQL server is just overloaded ?

There is. It is in postgresql.conf: max_connections.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
SSO session expiration
I'm working on migration from tomcat 6 to tomcat 8. On tomcat 8 the following warning occurs when the session is expired or the user signed out:

WARN [org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO unable to expire session [Host: [localhost], Context: [/appName], SessionID: [cookieId]] because the Session could not be found

I found that in Tomcat 6 session registers like the following:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Registering sso id 'E16F95304C7A0571A392C49BBB5B2B28' for user 'root' with auth type 'FORM'
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Associate sso id E16F95304C7A0571A392C49BBB5B2B28 with session StandardSession[68B9BFEC646992D572DEDFBB0BA29BDC]

And then session destroys as the following:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session destroyed on StandardSession[68B9BFEC646992D572DEDFBB0BA29BDC]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Deregistering sso id 'E16F95304C7A0571A392C49BBB5B2B28'
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session destroyed on StandardSession[CC36C13B089873D8BCEF2CBAFA1552F5]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] Process session destroyed on StandardSession[DAC33294278B915C464EDFF0387A5E8D]

Everything looks fine.

In Tomcat 8 session registers listed below:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO registering SSO session [F869098E903E96139B95170742C613E8] for user [root] with authentication type [FORM]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO associating application session [StandardSession[9B741874689B4C8A1296D5BB86B841D0]] with SSO session [F869098E903E96139B95170742C613E8]

And when the session has to be destroyed the following messages occurs:

[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing a log out for SSO session [F869098E903E96139B95170742C613E8] and application session [StandardSession[A88E8761E6F82CF38ED79590D1FED84D]]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring application session [Host: [localhost], Context: [/AppName1], SessionID: [AE27B6B1C4E9C26E7C298A4E1DB7DC27]] associated with SSO session [F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing a log out for SSO session [F869098E903E96139B95170742C613E8] and application session [StandardSession[AE27B6B1C4E9C26E7C298A4E1DB7DC27]]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO failed to deregister the SSO session [F869098E903E96139B95170742C613E8] because it was not in the cache
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring application session [Host: [localhost], Context: [/AppName2], SessionID: [9B741874689B4C8A1296D5BB86B841D0]] associated with SSO session [F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO processing a log out for SSO session [F869098E903E96139B95170742C613E8] and application session [StandardSession[9B741874689B4C8A1296D5BB86B841D0]]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO failed to deregister the SSO session [F869098E903E96139B95170742C613E8] because it was not in the cache
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO expiring application session [Host: [localhost], Context: [/AppName3], SessionID: [A88E8761E6F82CF38ED79590D1FED84D]] associated with SSO session [F869098E903E96139B95170742C613E8]
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost]] SSO unable to expire session [Host: [localhost], Context: [/AppName3], SessionID: [A88E8761E6F82CF38ED79590D1FED84D]] because the Session could not be found

I also found the tomcat's function that destroys sessions. The messaging should look something like this:

1. SSO processing a log out for SSO session [{0}] and application session [{1}]
2. SSO expiring application session [{0}] associated with SSO session [{1}]

But as you can see above, the only "AppName1" starts with the "SSO processing...", the others starts with "SSO expiring...", and "AppName1" ends up with a warning message.

Could it be related to session association thing? How to switch them and set like in tomcat 6? Or may it be related to something else and if it so where should I look?
Re: Source IP filtering on some URLs before Container-managed authentication
Ognjen,

On 11/19/15 10:14 AM, Ognjen Blagojevic wrote:
> My webapp have a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication.
>
> I have a requirement to check source IP address before authentication.
>
> Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s.
>
> The problem is, filters are executed after container-managed authentication, so login form is presented to the user before RemoteAddrFilter kicks in, and check source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords.
>
> RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s.
>
> What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s?

I think that may be the only way to do it. IIRC, someone did some work to allow Filters to be used in the valve chain, but I don't think there is any facility for specifying s for those.

-chris
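One way to implement the valve extension discussed in this thread, as an added example (not code from the thread or from Tomcat): a valve that applies the source-address check only to requests whose path matches a configured pattern, so untrusted clients are rejected before the authenticator can present a login form. The package, class name and the `protectedPaths` and `allow` attributes are assumptions, and the code targets the `javax.servlet` API used by Tomcat 8.

```java
package example; // hypothetical package name

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Added example, not part of Tomcat: a remote-address check that is limited
 * to a set of URLs. The jar has to sit in Tomcat's lib directory, because
 * valves are loaded by the server class loader, not by the web application.
 *
 * Assumed configuration (in the Context or Host element):
 *
 *   <Valve className="example.PathScopedRemoteAddrValve"
 *          protectedPaths="/appName/internal/.*"
 *          allow="127\.0\.0\.1|10\.1\.\d+\.\d+"/>
 */
public class PathScopedRemoteAddrValve extends ValveBase {

    /** Regex matched against the decoded request URI, context path included. */
    private volatile Pattern protectedPaths;

    /** Regex matched against the client address, as with RemoteAddrValve. */
    private volatile Pattern allow;

    public void setProtectedPaths(String regex) {
        this.protectedPaths = compile(regex);
    }

    public void setAllow(String regex) {
        this.allow = compile(regex);
    }

    private static Pattern compile(String regex) {
        return (regex == null || regex.isEmpty()) ? null : Pattern.compile(regex);
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Use the URI after the connector has decoded and normalized it, so
        // "%2e%2e", "/./" or ";jsessionid=..." cannot dodge the pattern.
        String uri = request.getDecodedRequestURI();

        Pattern guarded = protectedPaths;
        if (guarded != null && guarded.matcher(uri).matches()) {
            String addr = request.getRequest().getRemoteAddr();
            Pattern allowed = allow;

            // Fail closed: a guarded path with no allow pattern admits nobody.
            boolean trusted = allowed != null
                    && addr != null
                    && allowed.matcher(addr).matches();

            if (!trusted) {
                // 404 instead of 403, so the response does not confirm
                // that a protected resource exists at this path.
                response.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }

        // Unguarded path or trusted address: continue down the pipeline,
        // where the authenticator and then the web application run.
        getNext().invoke(request, response);
    }
}
```

Behind a reverse proxy `getRemoteAddr()` is the proxy's address, so a `RemoteIpValve` has to come earlier in the pipeline for the check to see the client address.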
Re: Need an application specific common.loader folder, like with EAR
Sebastien,

On 11/19/15 8:37 AM, Tardif, Sebastien wrote:
> Have two wars in the same Tomcat instance, I want to share some jars. I want these jars take priority over Tomcat shipped jars.
>
> However, because I usually reuse the same Tomcat installation between application (different set of wars), I do not want to modify common.loader folder (the lib folder). Because if I modify the lib folder for application 1, like overriding some Tomcat jar, then it’s lot of work to reset it right.
>
> That problem doesn’t exist with EAR, which Tomcat doesn’t support. I’m fine that Tomcat doesn’t support EAR but it could at least provide clean workaround.
>
> So I would like to see a new folder called: extraLibs, and the classloader order will become:
>
> Bootstrap classes of your JVM
> System class loader classes (described above)
> extraLibs
> Common class loader classes (described above)
> /WEB-INF/classes of your web application
> /WEB-INF/lib/*.jar of your web application
>
> See http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html

What about simply modifying CATALINA_BASE/bin/setenv.sh|SETENV.BAT to set a custom CLASSPATH that includes those libraries? You have to modify nothing else, and it easily survives an upgrade.

-chris
Tomcat catalina.out log is not rolling using log4j DailyRollingFileAppender
I want to say up front that I am not a developer and know enough to break some stuff. lol

I have a software package from a vendor that ships the tomcat web server with it. Below are my environment details:

1) The tomcat version that is running is v8.0.26.0
2) The OS is a Centos v7 UNIX VM
3) Java JDK I have installed that Tomcat is using is 1.8.0_60
4) The vendor has the $CATALINA_HOME and CATALINA_BASE as the same location which is /server
5) The /server directory is the place where the /lib, /bin, /conf, and etc. directories are found.
6) Due to the catalina.out file growing too large with the default juli.AsyncFileHandler using the logging.properties file that was found in the $CATALINA_HOME/conf directory. I changed it to use the log4j logging. Here are the steps I did to make this happen which I found on Tomcat 8 web site:
   a. Downloaded log4j-1.2.17.jar and placed it in $CATALINA_HOME/lib
   b. Downloaded from the Tomcat extras web page for Tomcat 8 the tomcat-juli-adapters.jar and the tomcat-juli.jar.
   c. Deleted the old tomcat-juli.jar out of the $CATALINA_HOME/bin directory.
   d. Placed the new tomcat-juli.jar file and the tomcat-juli-adapters.jar file in to the $CATALINA_HOME/bin directory.
   e. Deleted the old logging.properties file from the $CATALINA_HOME/conf directory.
   f. Created the log4j.properties file in the $CATALINA_HOME/lib directory and copied the settings that are shown on the Tomcat 8 logging web page that has been there for Tomcat 7 logging web page too that everyone is familiar with. Here is the url just in case: https://tomcat.apache.org/tomcat-8.0-doc/logging.html

I know the log4j.properties files is being used as I made 2 changes to the config file that were taken.

One change was to actually verify the log4j.properties file was being used, which was changed the word INFO to OFF for localhost file messages being written by editing the following line at the bottom of the log4j.properties file:

log4j.logger.org.apache.catalina,core.ConainerBase.[Catalina].[localhost] = OFF, LOCALHOST

The other change I made was I changed the file name in the following line to read catalina.out instead of catalina:

log4j.appender,CATALINA.File = ${catalina.base}/logs/catalina.out

The reason I did this was I thought the daily roll that was supposed to take place at midnight would occur on the file that was named catalina and not on the file that was named catalina.out. All the INFO messages being written to the file named catalina were also being written to the catalina.out file which was the one I wanted to roll daily anyway so I thought this change would be fine.

I stopped tomcat and cleared all the logs out and left the server to run over night. (It is still running now) and it appears the roll did not take place. What I woke up to was everything you see below found in the $CATALINA_HOME/logs directory except for the one file written today which was due to me logging in to the web application that the vendor supports so I could verify I could still login and use the software:

-rw-r--r--. root root 33003 Nov 18 21:03 catalina.out
-rw-r--r--. root root 0 Nov 18 21:03 host-manager
-rw-r--r--. root root 0 Nov 18 21:03 localhost
-rw-r--r--. root root 0 Nov 18 21:03 localhost_access_log.2015-11-18.txt
-rw-r--r--. root root 2498 Nov 19 13:23 localhost_access_log.2015-11-19.txt
-rw-r--r--. root root 0 Nov 18 21:03 manager

I don't know what I am missing from the configs to make the catalina.out file roll each day at midnight. Some help would be greatly appreciated.

Also, no I cannot contact the vendor as they just tell me to hire a professional. So I am the professional. And, no I don't want to use the RollingFileAppender as I need the roll over to be based on day and not the size of catalina.out.

I do see when the application starts and in the catalina.out it records the following which I don't know if it should read something else for the log4j logging to be used:

-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager

I'm digging and don't know where else to look and am probably not looking in the right places. Any Help is greatly appreciated. I think I am close.
Source IP filtering on some URLs before Container-managed authentication
Hi,

My webapp have a set of resources, let's call that set R. Some of those resources need to be accessed only from certain source IP addresses, let's call that subset R'. And some subset of R' (let's call it R'') needs authentication.

I have a requirement to check source IP address before authentication.

Right now, R' is specified in web.xml RemoteAddrFilter s, and R'' is specified in web.xml s.

The problem is, filters are executed after container-managed authentication, so login form is presented to the user before RemoteAddrFilter kicks in, and check source IP address. That is not what I need. Users outside trusted IP ranges should not be able to even know about the protected resources, let alone to guess passwords.

RemoteAddrValve, on the other hand, is called before container-managed authentication, but it does not allow specifying s.

What would be a good solution for the above requirement? Extend RemoteAddrValve with the ability to specify s?

-Ognjen
[ANN] Apache Tomcat 9.0.0.M1 available
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.0.M1.

Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

Apache Tomcat 9.0.0.M1 is the first milestone release of the 9.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 9.0.x so that they may provide feedback. The notable changes compared to 8.0.x include:

- Adding support for HTTP/2, and TLS virtual hosting
- An implementation of the current draft of the Servlet 4.0 specification
- The BIO connectors, support for Windows Itanium and support for Comet have been removed

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html

The first in the new series of short Tomcat webinars will cover a quick start guide to HTTP/2. Details have been posted to the users mailing list:
- http://markmail.org/message/suiwwo57fpasyw2g - 10.00 UTC
- http://markmail.org/message/xwxq6etj2scjmllp - 20.00 UTC

Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 5.5.x, 6.0.x, 7.0.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
Re: REMOTE_USER mod_jk
2015-11-19 16:02 GMT+03:00 Teresa Fasano:
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:
> <...>
>
> In the access log of the Apache I see the value of the attribute uid (the remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
>
>    AuthType shibboleth
>    ShibRequireSession On
>    ShibExportAssertion On
>    require valid-user
>
> It seems that the Apache is unable to pass this attribute.

How do you test whether it is able or unable to pass it?

How your AJP connector in Tomcat is configured? You need to set tomcatAuthentication="false" on [1]

[1] http://tomcat.apache.org/connectors-doc/common_howto/proxy.html
Re: REMOTE_USER mod_jk
With Apache/2.2.15 the REMOTE_USER is passed to the application (Jboss), while with Apache/2.4.6 is lost.

In the log of the application we see this error: "REMOTE_USER variable not assigned."

On 19/11/2015 14:02, Teresa Fasano wrote:
> Hi,
>
> I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.
>
> Routing Apache request to tomcat (JBoss) we are not able to retrieve REMOTE_USER.
>
> It seems that the REMOTE_USER is lost.
>
> In the configuration file shibboleth2.xml we have REMOTE_USER="uid".
>
> The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:
>
> 1) IdP:
> 20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||
>
> 2) SP:
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
> 2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }
>
> In the access log of the Apache I see the value of the attribute uid (the remote_user):
> 130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"
>
> The authentication of the location is:
>
>    AuthType shibboleth
>    ShibRequireSession On
>    ShibExportAssertion On
>    require valid-user
>
> It seems that the Apache is unable to pass this attribute.
>
> Is there anyone that knows how to forward REMOTE_USER with mod_jk to the application?
>
> Regards.
> Teresa
>
> --
> Education is the bread of the soul
> --
> Teresa Fasano
> CINECA System and Technologies Department
> Middleware and Infrastructure Group
> Via Magnanelli, 6/3 Casalecchio di Reno (Bologna) ITALY
> web: http://www.cineca.it
> e-mail: t.fas...@cineca.it
> phone: +39 051 61 71 364
Need an application specific common.loader folder, like with EAR
Have two wars in the same Tomcat instance, I want to share some jars. I want these jars take priority over Tomcat shipped jars.

However, because I usually reuse the same Tomcat installation between application (different set of wars), I do not want to modify common.loader folder (the lib folder). Because if I modify the lib folder for application 1, like overriding some Tomcat jar, then it’s lot of work to reset it right.

That problem doesn’t exist with EAR, which Tomcat doesn’t support. I’m fine that Tomcat doesn’t support EAR but it could at least provide clean workaround.

So I would like to see a new folder called: extraLibs, and the classloader order will become:

Bootstrap classes of your JVM
System class loader classes (described above)
extraLibs
Common class loader classes (described above)
/WEB-INF/classes of your web application
/WEB-INF/lib/*.jar of your web application

See http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html
Tomcat Webinar series admin
This is intended to provide more information for people planning to attend the new Tomcat Webinar series.

1. This is new for all of us
Please keep in mind that this is new and that there might be some teething problems. Your understanding will be appreciated.

2. Dial-in from outside the US
The conferencing software includes a call back option. It should work with any international number.

3. Mute your line
When you join the call *please* mute your line.

4. Recording
The webinars will be recorded and uploaded to the (to be created) Apache Tomcat YouTube channel.

5. Q&A
The actual presentation part is intended to be short (10, maybe 15 minutes). There will be plenty of time for Q&A at the end. Questions should be sent to the presenter / host via the conferencing software.

6. Topics
The topics for subsequent sessions are still TBD. Suggestions are always welcome.

After the first webinar all of this, plus any additional lessons learned, will be added to the Tomcat web site along with links to the recordings.

Thanks,
Mark
REMOTE_USER mod_jk
Hi,

I'm using Apache 2.4.6 with mod_jk and mod_shib 2.5.5, so Shibboleth as SSO authentication.

Routing Apache request to tomcat (JBoss) we are not able to retrieve REMOTE_USER.

It seems that the REMOTE_USER is lost.

In the configuration file shibboleth2.xml we have REMOTE_USER="uid".

The authentication of shibboleth is successful as you can see from the logs of the identity provider and the log of the service provider:

1) IdP:
20151119T092332Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_5c0790590c7a1d003f63b4e5ce58b8da|http://iuav-dev2.sviluppo.u-gov.it/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp-univ-dev.cineca.it/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_a8079a3a32dd6bd411be38ed5a8f509a|test|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,eduPersonPrincipalName,surname,commonName,transientId,eduPersonTargetedID,email,employeeNumber,|||

2) SP:
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: New session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) with (applicationId: iuav-dev2) for principal from (IdP: https://idp-univ-dev.cineca.it/idp/shibboleth) at (ClientAddress: 130.186.19.126) with (NameIdentifier: _5ae86372161ba20460d91773f12241a5) using (Protocol: urn:oasis:names:tc:SAML:2.0:protocol) from (AssertionID: _b7a9d7435d4b2633af811cac17b80683)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: Cached the following attributes with session (ID: _771b50dad4ec72d57ae5a383a8b8f71e) for (applicationId: iuav-dev2) {
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: uid (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: sn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: cn (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: eduPersonTargetedID (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: mail (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: employeeNumber (1 values)
2015-11-19 10:23:34 INFO Shibboleth-TRANSACTION [1613]: }

In the access log of the Apache I see the value of the attribute uid (the remote_user):
130.186.19.126 - test [19/Nov/2015:10:38:54 +0100] "GET /u-gov/ HTTP/1.1"

The authentication of the location is:

   AuthType shibboleth
   ShibRequireSession On
   ShibExportAssertion On
   require valid-user

It seems that the Apache is unable to pass this attribute.

Is there anyone that knows how to forward REMOTE_USER with mod_jk to the application?

Regards.
Teresa

--
Education is the bread of the soul
--
Teresa Fasano
CINECA System and Technologies Department
Middleware and Infrastructure Group
Via Magnanelli, 6/3 Casalecchio di Reno (Bologna) ITALY
web: http://www.cineca.it
e-mail: t.fas...@cineca.it
phone: +39 051 61 71 364
WebEx meeting changed: Apache Tomcat 9: HTTP/2 quick start
Hello,

Mark Thomas changed the WebEx meeting information.

Apache Tomcat 9: HTTP/2 quick start
Tuesday, 24 November 2015
10:00 | GMT Time (London, GMT) | 1 hr

JOIN WEBEX MEETING
https://pivotal.webex.com/pivotal/j.php?MTID=mfa085250004a720ae2cbf026fc2249fa
Meeting number: 646 025 783

JOIN BY PHONE
Call-in toll-free number: 1-877-8818371 (US)
Call-in number: 1-617-3374371 (US)
Show global numbers: https://sites.google.com/a/pivotal.io/pivotal-it/pivotal-conferencing
Attendee access code: 289 459 03

Add this meeting to your calendar: https://pivotal.webex.com/pivotal/j.php?MTID=m97cccbc4b3d2a27722a0dcea8377113c

Can't join the meeting? Contact support here: https://pivotal.webex.com/pivotal/mc

IMPORTANT NOTICE: Please note that this WebEx service allows audio and other information sent during the session to be recorded, which may be discoverable in a legal matter. By joining this session, you automatically consent to such recordings. If you do not consent to being recorded, discuss your concerns with the host or do not join the session.
WebEx meeting changed: Apache Tomcat 9: HTTP/2 quick start
Hello,

Mark Thomas changed the WebEx meeting information.

Apache Tomcat 9: HTTP/2 quick start
Tuesday, 24 November 2015
20:00 | GMT Time (London, GMT) | 1 hr

JOIN WEBEX MEETING
https://pivotal.webex.com/pivotal/j.php?MTID=mc659a2f2bf4a68cd94ea0a3e702de9a7
Meeting number: 649 296 162

JOIN BY PHONE
Call-in toll-free number: 1-877-8818371 (US)
Call-in number: 1-617-3374371 (US)
Show global numbers: https://sites.google.com/a/pivotal.io/pivotal-it/pivotal-conferencing
Attendee access code: 289 459 03

Add this meeting to your calendar: https://pivotal.webex.com/pivotal/j.php?MTID=m4dbdc76580d9af7383b6468ac36c1a68

Can't join the meeting? Contact support here: https://pivotal.webex.com/pivotal/mc