Externalize properties file on tomcat 8

2015-12-15 Thread samanth marisetty
Hi,

  I am trying to externalize the database properties config file. I have
created a folder env-conf and set a -Dconfig property in the catalina.sh,
to point to the config file. Tomcat does not pickup this file, instead it
picks the properties file from the .war. How would I be able to pick up the
external properties file, instead of the one bundled in the war file?

Thanks,
Samanth.


Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
Hi,
I have built the APR libraries, OpenSSL and tc-native, and I have also created the
OpenSSL libraries. Both HTTP and HTTPS are working fine.

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

I get server.crt and server.key.

I added this entry in the connector:

protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLCertificateFile="/aa/server.crt"
SSLCertificateKeyFile="/aa/server.key"

If I do only this much, it works!

But the question is: is it possible to put these two certificates in a
keystore and add only that keystore to our connector?
Something like keystoreFile="/aa/tomcat.keystore"

I tried this, but it didn't work:

http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore

Please help me to understand this certificate stuff.

Thanks,
Nithesh


Re: Custom Connector class

2015-12-15 Thread Roel Storms
I don't believe that your suggestion works, but correct me if I'm wrong.
You aren't overwriting the getInputStream or getReader method. You are
wrapping them, which is a big difference, since the internal
Request#parseParameter() won't use your wrapped version of the method but
rather uses its own version, which won't work since you've already called
getInputStream or getReader.

In your case it works since you aren't calling getParameter(). Your
implementation works as long as you restrict your application to using
getReader or getInputStream. Again, correct me if I'm wrong. Calling
HttpRequestRecorderWrapper.getParameter() in the web application should
mess up your wrapper, since it doesn't intercept this method call and will
invoke Request.getParameter(), which will call Request.getStream() and
not HttpRequestRecorderWrapper.getStream() as your implementation
requires.

Overwriting the getStream, getInputStream and getReader methods would
indeed solve the problem, but the problem is that you aren't overwriting
the methods. By the way, I believe that parseParameter uses getStream. But
again, a wrapper does not overwrite Request.getInputStream or
getReader. I made this same mistake when trying a solution similar to yours.

So in order for getParameter to work in a wrapper, you need to wrap
parseParameter and implement all the other methods that depend on
getStream, getInputStream or getReader in the wrapper itself. I did the
research and I would have to rewrite more than you suggest (getReader(),
getStream(), getInputStream(), parseParameter(), readPostBody(),
readChunkedPostBody, getParameterMap, getParameterNames,
getParameterValues), and maybe it's not even possible, since some fields
that are used by these implementations are protected and have been set
before the Valve is encountered. These fields don't always have getters, and
you might not be able to reproduce the behavior of getParameter (or any
other method) in a wrapper because of this. This last part is just an
assumption. I haven't validated that this last issue indeed renders an
implementation in a wrapper impossible, but it makes it fairly difficult
and error-prone. By the way, this is not my only reason for diving into
Tomcat. I need modifications to the Manager as well, and since it is just a
proof of concept, I am not worried about maintaining this code, which would
indeed be almost impossible.

Thanks for the advice on the size of requests. I'm still pondering on that
issue.

Roel


2015-12-15 2:10 GMT+01:00 Christopher Schultz:

> Roel,
>
> On 12/12/15 11:17 AM, Roel Storms wrote:
> > I believe that this is not entirely what I need. As far as I understand
> the
> > code it will detect if getInputStream or getReader has been called by the
> > servlet application. Depending on the usingReader boolean that was set
> as a
> > result, it will either use _inputReaderBuffer or _inputStreamBuffer to
> > fetch the body.
> >
> > In my case I need to retrieve the body in advance and still allow the web
> > application to call either method, getInputStream, getReader,
> getParameter.
> > If I choose to call getInputStream in my Valve to retrieve the body then
> > the web application will be restricted to using getInputStream. If I
> choose
> > getReader then the web application will be restricted to using getReader.
> > If a web application would use ServletRequest.getParameter the
> > documentation says the following:
> >
> > "If the parameter data was sent in the request body, such as occurs with
> an
> > HTTP POST request, then reading the body directly via getInputStream()
> > <
> https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/ServletRequest.html#getInputStream()
> >
> >  or getReader()
> > <
> https://tomcat.apache.org/tomcat-8.0-doc/servletapi/javax/servlet/ServletRequest.html#getReader()
> >
> > can
> > interfere with the execution of this method."
> >
> > According to my understanding of the original Tomcat request code,
> > Request.getParam depends on Request.parseParameters which in turn uses
> > Request.readPostBody that uses Request.getStream to obtain the data.
> > getStream also fetches the inputStream of a request so I believe it won't
> > work in combination with a call to getReader.
> >
> > Since your wrapper is not overwriting any method like getParam
> > (getParameterNames, getParameterValues, getParameterMap) I believe these
> > methods will still behave incorrectly when called by the target
> application.
> >
> > I could indeed build a wrapper that would overwrite getStream, getReader,
> > getInputStream, getParam, getParameterNames, etc. But then I would be
> > generating a lot of duplicate code. Since my implementation is purely
> > experimental I don't think it's such big of a problem to modify Tomcat
> > internals (the Connector class).
>
> Honestly, it will be easier to implement this as a Valve. I have posted
> all the code you need for what you want... you 

Re: CSRF errors after upgrade of tomcat 8

2015-12-15 Thread Baron Fujimoto
On Tue, Dec 15, 2015 at 09:37:45AM +0200, Violeta Georgieva wrote:
>Hello,
>
>2015-12-15 4:35 GMT+02:00 Baron Fujimoto :
>>
>> On Mon, Dec 14, 2015 at 09:12:20PM +, Mark Thomas wrote:
>> >On 14/12/2015 20:49, Baron Fujimoto wrote:
>> >> On Fri, Dec 11, 2015 at 05:02:43PM -1000, Baron Fujimoto wrote:
>> >>> On Sat, Dec 12, 2015 at 12:16:01AM +, Mark Thomas wrote:
>> >
>> >
>> >
>> >>> I've confirmed that the problem begins with 8.0.29.
>> >
>> >Looking through the changelog it is hard to see how any of the changes
>> >not in the Catalina section could trigger this. So, focussing on that
>> >section...
>> >
>>  If you can find out how the CSRF protection is adding the token then
>>  that will also help since it gives an idea of what to look for in the
>>  changelog.
>> >>>
>> >>> I believe it's done using the OWASP CSRFGuard Project, and I have the
>> >>> property files generated by the Grouper devs that define its
>> >>> configuration. I'll query the Grouper folks to confirm and see if they
>> >>> can provide a relevant and succinct explanation about this in
>particular.
>> >>
>> >> The Grouper devs explain, "Javascript sets an HTTP header called
>> >> OWASP_CSRFTOKEN: on requests (some excluded per properties file)".
>> >
>> >That doesn't explain how/where the token is generated or what component
>> >validates it server side. I'm guessing a Filter does the validation.
>> >
>> >> Per the properties file, I believe the following are excluded:
>> >>
>> >> org.owasp.csrfguard.unprotected.Default=%servletContext%/
>> >
>> >Hmm. This first one combined with the last entry in the Catalina section
>> >of the 8.0.29 changelog look like a possibility.
>> >
>> >Try each of the following (one at a time, not together) to see if they
>> >fix it:
>>
>> Neither of these, tried independently, appeared to have any effect.
>>
>> >a) Add the following (note the lack of trailing slash) to the properties
>> >file:
>> >
>> >org.owasp.csrfguard.unprotected.Upload=%servletContext%
>>
>> I tried this as described, but since I wasn't sure if you really meant the
>> .Default property I also tried that, just in case (separate tests,
>> performed independently). I tried both by adding the suggested definitions
>> after their original definitions (in case they superseded them) and by
>> replacing the original definitions.
>>
>>
>> >b) Set mapperContextRootRedirectEnabled="true" and
>> >mapperDirectoryRedirectEnabled="true" on the Context in
>> >$CATALINA_BASE/conf/context.xml
>>
>> The resulting $CATALINA_BASE/conf/context.xml was:
>>
>> 
>> WEB-INF/web.xml
>> ${catalina.base}/conf/web.xml
>>
>> mapperContextRootRedirectEnabled="true"
>> mapperDirectoryRedirectEnabled="true"
>> 
>
>mapperContextRootRedirectEnabled and
>mapperDirectoryRedirectEnabled
>
>are attributes of the Context so your context.xml should look like the one
>below:
>
>mapperDirectoryRedirectEnabled="true">
>WEB-INF/web.xml
>${catalina.base}/conf/web.xml
>
>
>Regards,
>Violeta

That works! Mahalo for correcting the context.xml syntax. This workaround
will allow us to stay current with the latest Tomcat release. Is this
expected to be the default behavior going forward?

Aloha,
-baron

>> >>
>> >> [...]

-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Externalize properties file on tomcat 8

2015-12-15 Thread Christopher Schultz
Samanth,

On 12/15/15 2:52 PM, samanth marisetty wrote:
> I am trying to externalize the database properties config file.

Are you using Tomcat to configure your database, or some other component
(e.g. Spring, Hibernate, etc.)?

> I have created a folder env-conf and set a -Dconfig property in the
> catalina.sh, to point to the config file.

If you want to set system properties, it would be better to set them in
bin/setenv.sh instead of bin/catalina.sh, because setenv.sh will never
be changed by a Tomcat release.

Specifically, what property did you set, and what value did you use?

> Tomcat does not pickup this file, instead it picks the properties
> file from the .war.

Which one? I don't believe Tomcat reads properties files /at all/ for
configuring a database connection, so this is likely to be whatever
component you are using (e.g. Spring, etc.) that is making a mistake.

> How would I be able to pick up the external properties file, instead
> of the one bundled in the war file?

You can probably fix this with a few tweaks to the effective class
loader configuration, but it largely depends upon the answers to the
questions above.

-chris




Re: Custom Connector class

2015-12-15 Thread Christopher Schultz
Roel,

On 12/15/15 5:13 PM, Roel Storms wrote:
> I don't believe that your suggestion works, but correct me if I'm wrong.
> You aren't overwriting the getInputStream or getReader method. You are
> wrapping them, which is a big difference. Since the internal
> Request#parseParameter() won't use your wrapped version of the method but
> rather uses it's own version which won't work since you've already called
> getInputStream or getReader.

My code is a Filter which executes too late. If you implement this as a
Valve, you ought to be able to capture the input data (whether it is a
stream or a reader) and re-play it to any code later in the valve
pipeline. I must admit I haven't read all the Connector/Request code so
I don't know for sure if a Valve wrapping the (non-spec-defined) request
object will be sufficient.

> In your case it works since you aren't calling getParameter(). You're
> implementation works as long as you restrict your application to using
> getReader or getInputStream. Again, correct me if I'm wrong. Calling
> HttpRequestRecorderWrapper.getParameter() in the web application, should
> mess up your wrapper since it doesn't intercepts this method call and will
> invoke the Request.getParameter() which will call Request.getStream() and
> not HttpRequestRecorderWrapper.getStream() as you're implementation
> requires.

Servlet code calling HttpServletRequest.getParameter* should end up
calling getInputStream on the wrapper. If that's not what Tomcat does,
I'd consider it a bug because Filters are supposed to be able to replace
request entities and things like that.

-chris

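The body-caching wrapper the two posts above argue about, as an added example of my own (not code from either poster and not Tomcat code): it drains the container's stream once, then answers getInputStream(), getReader() and, deliberately, the whole getParameter* family from the cached bytes, so it does not depend on whether the container routes its own parameter parsing through the wrapper's stream, which is exactly the point in dispute. The class name and MAX_BODY_BYTES are my own; it assumes the Servlet 3.1 API (javax.servlet) that Tomcat 8 ships, parses only query-string and application/x-www-form-urlencoded parameters (not multipart), and caps what it buffers so a recording Filter cannot be turned into a heap-exhaustion problem, the request-size concern Roel says he is still pondering.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical wrapper (not Tomcat code): reads the request body once, keeps a copy,
 * and serves getInputStream(), getReader() and getParameter*() from that copy.
 * Install it from a Filter: chain.doFilter(new CachedBodyRequestWrapper(req), resp).
 */
public class CachedBodyRequestWrapper extends HttpServletRequestWrapper {

    /** Upper bound on what we are willing to buffer in memory (assumed value). */
    static final int MAX_BODY_BYTES = 1 << 20; // 1 MiB

    private final byte[] body;
    private final Map<String, String[]> params;

    public CachedBodyRequestWrapper(HttpServletRequest request) throws IOException {
        super(request);
        // Drain the container's stream exactly once. After this the container's own
        // parameter parsing would see an empty stream, hence the getParameter* overrides.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (InputStream in = request.getInputStream()) {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                if (buf.size() + n > MAX_BODY_BYTES) {
                    throw new IOException("request body exceeds " + MAX_BODY_BYTES + " bytes");
                }
                buf.write(chunk, 0, n);
            }
        }
        body = buf.toByteArray();
        params = Collections.unmodifiableMap(parseParameters(request));
    }

    /** Raw body for auditing or recording; callers get their own copy. */
    public byte[] getBody() {
        return body.clone();
    }

    private String charset() {
        String cs = getCharacterEncoding();
        return cs != null ? cs : "ISO-8859-1"; // servlet default when none is declared
    }

    @Override
    public ServletInputStream getInputStream() {
        final ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener listener) {
                throw new UnsupportedOperationException("non-blocking reads not supported on a cached body");
            }
        };
    }

    @Override
    public BufferedReader getReader() throws IOException {
        return new BufferedReader(new InputStreamReader(new ByteArrayInputStream(body), charset()));
    }

    // Parameter accessors are answered from our own parse, never from the container's.
    @Override public Map<String, String[]> getParameterMap() { return params; }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    @Override public String getParameter(String name) { String[] v = params.get(name); return v == null ? null : v[0]; }
    @Override public String[] getParameterValues(String name) { String[] v = params.get(name); return v == null ? null : v.clone(); }

    private Map<String, String[]> parseParameters(HttpServletRequest req) throws IOException {
        Map<String, List<String>> acc = new LinkedHashMap<>();
        String cs = charset();
        addPairs(acc, req.getQueryString(), cs); // query string first, as the spec orders it
        String ct = req.getContentType();
        if ("POST".equalsIgnoreCase(req.getMethod()) && ct != null
                && ct.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            addPairs(acc, new String(body, cs), cs); // multipart bodies are not parsed here
        }
        Map<String, String[]> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : acc.entrySet()) {
            out.put(e.getKey(), e.getValue().toArray(new String[0]));
        }
        return out;
    }

    private static void addPairs(Map<String, List<String>> acc, String encoded, String cs) throws IOException {
        if (encoded == null || encoded.isEmpty()) return;
        for (String pair : encoded.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), cs);
            String v = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), cs);
            acc.computeIfAbsent(k, x -> new ArrayList<>()).add(v);
        }
    }
}
```

Because the wrapper reads the container's stream in its constructor, anything downstream that bypasses the wrapper (a Valve that holds the raw Catalina Request, or the container's own multipart handling via getParts()) will find the stream already consumed; that is the same hazard Roel describes, just moved to a place where it is visible and documented.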



Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread David Newman
When you use APR, the SSL implementation comes from OpenSSL instead of
Java. OpenSSL has no use for Java keystore files, so it becomes more like
an Apache httpd config with separate files for keys and certificates.

On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb  wrote:

> HI,
> I have build APR libraries Openssl and tc-native also i have created
> openssl libraries. both HTTP and HTTPS is working fine.
>
> *openssl genrsa -des3 -out server.key 2048 *
> *openssl req -new -key server.key -out server.csr*
> *cp server.key server.key.org *
> *openssl rsa -in server.key.org  -out server.key*
> *openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> server.crt*
>
> i get server.crt and server.key.
>
> I added this entry,in connector
>
>
> *protocol="org.apache.coyote.http11.Http11AprProtocol"*
> *SSLCertificateFile="/aa/server.crt"*
> *SSLCertificateKeyFile="/aa/server.key"*
>
> *If i do this much, it will work!!*
>
> *But the question is, is it possible to put these two certificate in
> keystore and can we add only that keystore in our connector ?*
> *something like, keystoreFile="/aa/tomcat.keystore"*
>
> *i tried this but didn't worked,*
>
> *
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> <
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >*
>
> *please help me to understand these certificate stuffs. *
>
>
>
> *Thanks,*
> *Nithesh*
>


Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Garcia Aparici, Carlos
In many of our Tomcats we use the .pfx directly on the connector. It's similar to
a keystore.


Sent from Samsung Mobile



-------- Original message --------
From: Nithesh Kb
Date: 15/12/2015 16:21 (GMT+01:00)
To: Tomcat Users List
Subject: Re: Tomcat APR protocol SSL certificate information.


Thanks David, Thomas.
If my understanding is not wrong: up to Tomcat version 8, we need to provide
the cert and key separately for OpenSSL/APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")
But in Tomcat 9 we can use a keystore to store the cert and key and configure
it on the connector, like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas  wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java.  openssl has no use for java keystore files.  So it becomes more
> like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark
>
> >
> > On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb 
> wrote:
> >
> >> HI,
> >> I have build APR libraries Openssl and tc-native also i have created
> >> openssl libraries. both HTTP and HTTPS is working fine.
> >>
> >> *openssl genrsa -des3 -out server.key 2048 *
> >> *openssl req -new -key server.key -out server.csr*
> >> *cp server.key server.key.org *
> >> *openssl rsa -in server.key.org  -out
> server.key*
> >> *openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> >> server.crt*
> >>
> >> i get server.crt and server.key.
> >>
> >> I added this entry,in connector
> >>
> >>
> >> *protocol="org.apache.coyote.http11.Http11AprProtocol"*
> >> *SSLCertificateFile="/aa/server.crt"*
> >> *SSLCertificateKeyFile="/aa/server.key"*
> >>
> >> *If i do this much, it will work!!*
> >>
> >> *But the question is, is it possible to put these two certificate in
> >> keystore and can we add only that keystore in our connector ?*
> >> *something like, keystoreFile="/aa/tomcat.keystore"*
> >>
> >> *i tried this but didn't worked,*
> >>
> >> *
> >>
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >> <
> >>
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >>> *
> >>
> >> *please help me to understand these certificate stuffs. *
> >>
> >>
> >>
> >> *Thanks,*
> >> *Nithesh*
> >>
> >
>
>
>
>




Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Mark Thomas
On 15/12/2015 15:07, David Newman wrote:
> When you use APR the SSL implementation is coming from openssl instead of
> java.  openssl has no use for java keystore files.  So it becomes more like
> an apache httpd config with separate files for keys and certificates.

True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
at some point) you can use Java keystores with OpenSSL.

Mark

> 
> On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb  wrote:
> 
>> HI,
>> I have build APR libraries Openssl and tc-native also i have created
>> openssl libraries. both HTTP and HTTPS is working fine.
>>
>> *openssl genrsa -des3 -out server.key 2048 *
>> *openssl req -new -key server.key -out server.csr*
>> *cp server.key server.key.org *
>> *openssl rsa -in server.key.org  -out server.key*
>> *openssl x509 -req -days 365 -in server.csr -signkey server.key -out
>> server.crt*
>>
>> i get server.crt and server.key.
>>
>> I added this entry,in connector
>>
>>
>> *protocol="org.apache.coyote.http11.Http11AprProtocol"*
>> *SSLCertificateFile="/aa/server.crt"*
>> *SSLCertificateKeyFile="/aa/server.key"*
>>
>> *If i do this much, it will work!!*
>>
>> *But the question is, is it possible to put these two certificate in
>> keystore and can we add only that keystore in our connector ?*
>> *something like, keystoreFile="/aa/tomcat.keystore"*
>>
>> *i tried this but didn't worked,*
>>
>> *
>> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
>> <
>> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
>>> *
>>
>> *please help me to understand these certificate stuffs. *
>>
>>
>>
>> *Thanks,*
>> *Nithesh*
>>
> 


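What the Stack Overflow link in Nithesh's question is about, and what Mark's note that Tomcat 9 can use Java keystores with OpenSSL makes worth doing: packaging server.crt and server.key into a PKCS12 file (the .pfx Carlos mentions). This is an added example of my own, not code from the thread or from Tomcat. It assumes the key is in unencrypted PKCS#8 PEM form ("BEGIN PRIVATE KEY"); if your file is the traditional "BEGIN RSA PRIVATE KEY" (PKCS#1) form, convert it first with `openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pk8`. The class name, alias and file names are made up. Before storing, it checks that the private key really belongs to the certificate, so a mismatched pair is rejected here rather than when the connector fails to start.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

/**
 * Hypothetical tool: bundles a PEM certificate and its unencrypted PKCS#8 private key
 * into a PKCS12 keystore, refusing to do so if the two do not belong together.
 *
 * Usage: java PemToPkcs12 server.crt server.pk8 tomcat.p12 <keystore-password>
 */
public class PemToPkcs12 {

    static PrivateKey readPkcs8Pem(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // "BEGIN RSA PRIVATE KEY" (PKCS#1) cannot be parsed by the JDK directly.
            throw new IllegalArgumentException(path + ": expected unencrypted PKCS#8; run "
                    + "openssl pkcs8 -topk8 -nocrypt -in server.key -out server.pk8");
        }
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static X509Certificate readPemCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** For RSA, a key belongs to a certificate iff modulus and public exponent agree. */
    static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) {
        if (!(key instanceof RSAPrivateCrtKey) || !(cert.getPublicKey() instanceof RSAPublicKey)) {
            return false;
        }
        RSAPrivateCrtKey priv = (RSAPrivateCrtKey) key;
        RSAPublicKey pub = (RSAPublicKey) cert.getPublicKey();
        return priv.getModulus().equals(pub.getModulus())
                && priv.getPublicExponent().equals(pub.getPublicExponent());
    }

    /**
     * Builds the keystore in memory. The key-entry password is the store password,
     * which is what Tomcat expects unless a separate key password is configured.
     */
    static KeyStore buildKeystore(X509Certificate cert, PrivateKey key, char[] password) throws Exception {
        if (!keyMatchesCert(key, cert)) {
            throw new IllegalStateException("private key does not match the certificate's public key");
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start with an empty store
        ks.setKeyEntry("tomcat", key, password, new Certificate[] { cert });
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PemToPkcs12 <cert.pem> <key.pk8> <out.p12> <password>");
            System.exit(2);
        }
        X509Certificate cert = readPemCert(args[0]);
        PrivateKey key = readPkcs8Pem(args[1]);
        char[] password = args[3].toCharArray(); // on the command line only for illustration
        KeyStore ks = buildKeystore(cert, key, password);
        try (OutputStream out = new FileOutputStream(args[2])) {
            ks.store(out, password);
        }
        System.out.println("wrote " + args[2] + " with alias 'tomcat' for " + cert.getSubjectX500Principal());
    }
}
```

For a CA-issued certificate put the intermediates after the leaf in the chain array instead of the single-element array used here for the self-signed case. The same modulus comparison is what `openssl x509 -noout -modulus` / `openssl rsa -noout -modulus` let you do by hand before touching any Tomcat configuration.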



Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
Thanks David, Thomas.
If my understanding is not wrong: up to Tomcat version 8, we need to provide
the cert and key separately for OpenSSL/APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")
But in Tomcat 9 we can use a keystore to store the cert and key and configure
it on the connector, like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas  wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java.  openssl has no use for java keystore files.  So it becomes more
> like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark
>
> >
> > On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb 
> wrote:
> >
> >> HI,
> >> I have build APR libraries Openssl and tc-native also i have created
> >> openssl libraries. both HTTP and HTTPS is working fine.
> >>
> >> *openssl genrsa -des3 -out server.key 2048 *
> >> *openssl req -new -key server.key -out server.csr*
> >> *cp server.key server.key.org *
> >> *openssl rsa -in server.key.org  -out
> server.key*
> >> *openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> >> server.crt*
> >>
> >> i get server.crt and server.key.
> >>
> >> I added this entry,in connector
> >>
> >>
> >> *protocol="org.apache.coyote.http11.Http11AprProtocol"*
> >> *SSLCertificateFile="/aa/server.crt"*
> >> *SSLCertificateKeyFile="/aa/server.key"*
> >>
> >> *If i do this much, it will work!!*
> >>
> >> *But the question is, is it possible to put these two certificate in
> >> keystore and can we add only that keystore in our connector ?*
> >> *something like, keystoreFile="/aa/tomcat.keystore"*
> >>
> >> *i tried this but didn't worked,*
> >>
> >> *
> >>
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >> <
> >>
> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >>> *
> >>
> >> *please help me to understand these certificate stuffs. *
> >>
> >>
> >>
> >> *Thanks,*
> >> *Nithesh*
> >>
> >
>
>
>
>