Re: Adding a custom configurations file globally and at web-app level for Apache Tomcat

2016-02-11 Thread Chiranga Alwis
Hi Chris,

There are some custom configurations which we intend to add to this config
file. We have a custom made single-sign-on valve based on SAML 2.0 which
has plenty of configuration properties plus there is some custom
classloading code which I am not entirely proficient in.

We intend to separate out these from default Tomcat configs in web.xml and
improve the users' usability.

On Thu, Feb 11, 2016 at 10:53 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Chiranga,
>
> On 2/11/16 6:45 AM, Chiranga Alwis wrote:
> > Hi,
> >
> > I have been working on adding a custom configurations file which
> > follows a pattern similar to the web.xml, i.e. the file can be
> > defined globally but several predefined configuration properties
> > can be overridden at web-app level.
> >
> > For this purpose, my initial plan was to load the content in global
> > level file by implementing the LifeCycleListener interface and in
> > the case of a web-app or context use a ServletContextListener.
> >
> > Is this the most appropriate procedure to achieve this or is it an
> > incorrect approach?
>
> Can you explain how this is different from what is possible using
> conf/web.xml and conf/context.xml for site-wide defaults?
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


tomcat jndi ldap userSearchAsUser not used

2016-02-11 Thread Sascha Monteiro
Hi,
When I configure this, it does not bind with the user (checked with
Wireshark on the AD server)
(only when I use userPattern, but I cannot seem to use that as it needs a
user for both bind and search).
I don't want to have a username/password of a delegated user.

<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://x.1.1.22:389"
       userSearch="userPrincipalName={0}"
       userBase="cn=Users,dc=mydomain,dc=lab"
       userSubtree="true"
       userRoleName="memberOf"
       userSearchAsUser="true"
/>


Async servlet timeout behaviour

2016-02-11 Thread Thomas Boniface
Hi,

I'm using async servlet with a timeout configured to 300ms but I can
observe in live environment some big differences with the actual applied
timeout  700ms or more for instance.

I was wondering how are triggered onTimeout events to AsyncListeners, is
there a limited number of threads handling this ? Could this be explained by
too many onTimeout occurring concurrently on a busy server ?

I also wonder what can be done or not while in the onTimeout thread, can I
still do some asynchronous operation (retrieving content from http request)
and is writing to the response from this thread, as long as I ensured this
is done in a thread safe way, ok ?

Thanks,
Thomas


Adding a custom configurations file globally and at web-app level for Apache Tomcat

2016-02-11 Thread Chiranga Alwis
Hi,

I have been working on adding a custom configurations file which follows a
pattern similar to the web.xml, i.e. the file can be defined globally but
several predefined configuration properties can be overridden at web-app
level.

For this purpose, my initial plan was to load the content in global level
file by implementing the LifeCycleListener interface and in the case of a
web-app or context use a ServletContextListener.

Is this the most appropriate procedure to achieve this or is it an
incorrect approach?


Re: Async servlet timeout behaviour

2016-02-11 Thread Thomas Boniface
2016-02-11 12:16 GMT+01:00 Mark Thomas :

> On 11/02/2016 11:07, Thomas Boniface wrote:
> > Hi,
> >
> > I'm using async servlet with a timeout configured to 300ms but I can
> > observe in live environment some big differences with the actual applied
> > timeout  700ms or more for instance.
> >
> > I was wondering how are triggered onTimeout events to AsyncListeners, is
> > there a limited number of threads handling this ? Could this be explained by
> > too many onTimeout occurring concurrently on a busy server ?
>
> Timeouts are only checked once a second.
>
That explains this use case indeed.

>
> > I also wonder what can be done or not while in the onTimeout thread, can I
> > still do some asynchronous operation (retrieving content from http request)
> > and is writing to the response from this thread, as long as I ensured this
> > is done in a thread safe way, ok ?
>
> This is all in the Servlet spec.
>
I'll study the spec, I spent a lot of time looking for some documentation
without thinking of reading the specs themselves, my bad.

>
> In summary:
> - You can perform any operation that is valid for a request in async mode.
>
This will have no impact on other request onTimeout triggering no matter
what I do within the onTimeout ?

> - You MUST call complete() or dispatch() before exiting onTimeout().
>
If the onTimeout occurs but another thread created by the same request is
already writing the response I assume this thread will call complete() and
the onTimeout thread must not do anything ?

>
> Mark


Re: Does Tomcat need a non-ssl connector?

2016-02-11 Thread msh
On Thu, Feb 11, 2016 at 07:19:10PM +, Mark Thomas wrote:
> On 11/02/2016 19:17, m...@kimwana.com wrote:
> > If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> > connector and redirect the port?
> 
> That depends if you want Tomcat to respond at all if a user tries to use
> a non-TLS connection.

I do not want any unencrypted traffic. Ideally I would have iptables redirect 
requests to port 80 to 8443.
I need to run Tomcat as the tomcat user so I can't listen on port 80 or 443. 

I'm making iptables redirect inbound 80 --> 8443 but I think I need an outbound 
rule to allow the replies out.

Inbound:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

Or perhaps I need to set up httpd in front of Tomcat.


> 
> Mark



Re: Tomcat Failure Modes

2016-02-11 Thread David kerber

On 2/11/2016 2:20 PM, Edward Hart (c) wrote:

> Q1:  Can Tomcat be configured to 'roll back' if a patch update causes a TC
> failure on a production server?
> Q2:  Can TC be configured to fail to a known safe state in the event of server
> failure during operation?
>
> I am developing a Security Technical Implement Guide (STIG) for Tomcat.  A STIG
> is essentially a detailed checklist for hardening a given technology.  DoD uses
> them to provide cyber defense.
>
> Finding configurable ways to satisfy the below 2 requirements is proving
> difficult.
>
> Req 1 : The web server must augment re-creation to a stable and known baseline.
>
> Req 2 : The web server must be built to fail to a known safe state if system
> initialization fails, shutdown fails, or aborts fail.
>
> Req 1 is intended to provide a means to roll back to a last known stable
> environment in case a patch fails.  Req 2 is intended to provide fail safe
> environments in case something (perhaps an attacker) causes system failure.


#1 is probably doable with some kind of version control.

#2 seems to me to be most easily answered by staying shut down as its
known stable state.







SSL between modcluster and tomcat 7

2016-02-11 Thread Qadeer Khan

I am looking for any good instructions on configuring ssl between mod_cluster 
and Tomcat 7 including creating certs.

Greatly appreciate any help

Thanks
Qadeer




Re: Does Tomcat need a non-ssl connector?

2016-02-11 Thread Mark Thomas
On 11/02/2016 19:17, m...@kimwana.com wrote:
> If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
> connector and redirect the port?

That depends if you want Tomcat to respond at all if a user tries to use
a non-TLS connection.

Mark





Re: Why session on manager screen not updated?

2016-02-11 Thread Mark Thomas
On 11/02/2016 19:24, Qadeer Khan wrote:
> There is a running application on tomcat server but the session is always a 
> zero on manager ui screen.
> 
> For other applications like manager, host manager and sample we have session 
> updated but not for one application.
> 
> The application is jackrabbit which is a messaging application.
> 
> Any thoughts?

Stop hi-jacking threads.

New question == new thread.

Mark





Does Tomcat need a non-ssl connector?

2016-02-11 Thread msh
If I want to run Tomcat using ssl only do I still need to set up a non-ssl 
connector and redirect the port?




Tomcat Failure Modes

2016-02-11 Thread Edward Hart (c)
Q1:  Can Tomcat be configured to 'roll back' if a patch update causes a TC 
failure on a production server?
Q2:  Can TC be configured to fail to a known safe state in the event of server 
failure during operation?

I am developing a Security Technical Implement Guide (STIG) for Tomcat.  A STIG 
is essentially a detailed checklist for hardening a given technology.  DoD uses 
them to provide cyber defense.

Finding configurable ways to satisfy the below 2 requirements is proving 
difficult.

Req 1 : The web server must augment re-creation to a stable and known baseline.

Req 2 : The web server must be built to fail to a known safe state if system 
initialization fails, shutdown fails, or aborts fail.


Req 1 is intended to provide a means to roll back to a last known stable 
environment in case a patch fails.  Req 2 is intended to provide fail safe 
environments in case something (perhaps an attacker) causes system failure.

Thanks,

Ed



Why session on manager screen not updated?

2016-02-11 Thread Qadeer Khan
There is a running application on tomcat server but the session is always a 
zero on manager ui screen.

For other applications like manager, host manager and sample we have session 
updated but not for one application.

The application is jackrabbit which is a messaging application.

Any thoughts?

Thanks
Qadeer




Re: Tomcat Failure Modes

2016-02-11 Thread Mark Thomas
On 11/02/2016 19:20, Edward Hart (c) wrote:
> Q1:  Can Tomcat be configured to 'roll back' if a patch update causes a TC 
> failure on a production server?

The question makes no sense since there is no such thing as a patch
update for Tomcat.

> Q2:  Can TC be configured to fail to a known safe state in the event of 
> server failure during operation?

Define "server failure". Define "safe state".

Generally if Tomcat ever entered an "unsafe state" that would be a
security vulnerability.

> I am developing a Security Technical Implement Guide (STIG) for Tomcat.  A 
> STIG is essentially a detailed checklist for hardening a given technology.  
> DoD uses them to provide cyber defense.
> 
> Finding configurable ways to satisfy the below 2 requirements is proving 
> difficult.
> 
> Req 1 : The web server must augment re-creation to a stable and known 
> baseline.
> 
> Req 2 : The web server must be built to fail to a known safe state if system 
> initialization fails, shutdown fails, or aborts fail.

Define "an abort"

> Req 1 is intended to provide a means to roll back to a last known stable 
> environment in case a patch fails.

One could argue that is met by using separate $CATALINA_HOME and
$CATALINA_BASE (see RUNNING.txt).

One could also argue that since all configuration is in the
$CATALINA_BASE/conf directory, integration with the DoD configuration
management system of choice should be trivial.

> Req 2 is intended to provide fail safe environments in case something 
> (perhaps an attacker) causes system failure.

See comment above regarding unsafe states.

Mark





Re: Async servlet timeout behaviour

2016-02-11 Thread Mark Thomas
On 11/02/2016 11:07, Thomas Boniface wrote:
> Hi,
> 
> I'm using async servlet with a timeout configured to 300ms but I can
> observe in live environment some big differences with the actual applied
> timeout  700ms or more for instance.
>
> I was wondering how are triggered onTimeout events to AsyncListeners, is
> there a limited number of threads handling this ? Could this be explained by
> too many onTimeout occurring concurrently on a busy server ?

Timeouts are only checked once a second.

> I also wonder what can be done or not while in the onTimeout thread, can I
> still do some asynchronous operation (retrieving content from http request)
> and is writing to the response from this thread, as long as I ensured this
> is done in a thread safe way, ok ?

This is all in the Servlet spec.

In summary:
- You can perform any operation that is valid for a request in async mode.
- You MUST call complete() or dispatch() before exiting onTimeout().

Mark





Re: Async servlet timeout behaviour

2016-02-11 Thread tomcat

On 11.02.2016 12:07, Thomas Boniface wrote:

> Hi,
>
> I'm using async servlet with a timeout configured to 300ms

naive question : is that not awfully short, if this relates to some over-the-Internet
communication ?

> but I can
> observe in live environment some big differences with the actual applied
> timeout  700ms or more for instance.
>
> I was wondering how are triggered onTimeout events to AsyncListeners, is
> there a limited number of threads handling this ? Could this be explained by
> too many onTimeout occurring concurrently on a busy server ?
>
> I also wonder what can be done or not while in the onTimeout thread, can I
> still do some asynchronous operation (retrieving content from http request)
> and is writing to the response from this thread, as long as I ensured this
> is done in a thread safe way, ok ?
>
> Thanks,
> Thomas







Re: 'javax.xml.parsers.FactoryConfigurationError: Provider for class javax.xml.parsers.DocumentBuilderFactory cannot be created' for Tomcat Valve

2016-02-11 Thread Chiranga Alwis
Hi Chris,

I will check if it works by sticking to the default.

On Mon, Feb 8, 2016 at 8:21 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Chiranga,
>
> On 2/7/16 2:27 AM, Chiranga Alwis wrote:
> > I think OpenSAML seems to be using
> > org.apache.xerces.jaxp.DocumentBuilderFactoryImpl. I am actually
> > having this class within the lib folder of Tomcat.
>
> Replacing XML parsers within applications is always a sticky business.
> Have you tried simply removing your local Xerces implementation from
> your web application to see if that works?
>
> -chris
>
> > On Sun, Feb 7, 2016 at 12:41 PM, Chiranga Alwis
> >  wrote:
> >
> >> Hi Chris,
> >>
> >> Yes I do. This is a SAML based single-sign-on valve for Tomcat.
> >>
> >> On Sat, Feb 6, 2016 at 2:58 AM, Christopher Schultz <
> >> ch...@christopherschultz.net> wrote:
> >>
> > Chiranga,
> >
> > On 2/4/16 3:10 PM, Chiranga Alwis wrote:
> > I have specified the following issue in stackoverflow:
> > http://stackoverflow.com/questions/35210472/javax-xml-parsers-factoryconfigurationerror-provider-for-class-javax-xml-parse
> >
> > So you have a serialized SAML object, and it's trying to parse XML as
> > it's being deserialized?
> >
> > Are you (or is OpenSAML) using any kind of custom XML parser?
> >
> > -chris
> >


Re: Async servlet timeout behaviour

2016-02-11 Thread Thomas Boniface
2016-02-11 12:31 GMT+01:00 André Warnier (tomcat) :

> On 11.02.2016 12:07, Thomas Boniface wrote:
>
>> Hi,
>>
>> I'm using async servlet with a timeout configured to 300ms
>>
>
> naive question : is that not awfully short, if this relates to some
> over-the-Internet communication ?
>
That's a matter of context I guess, in a real time bidding context for
video advertising we expect to have a non noticeable delay before being able
to reply to a request.

>
>> but I can
>> observe in live environment some big differences with the actual applied
>> timeout  700ms or more for instance.
>>
>> I was wondering how are triggered onTimeout events to AsyncListeners, is
>> there a limited number of threads handling this ? Could this be explained by
>> too many onTimeout occurring concurrently on a busy server ?
>>
>> I also wonder what can be done or not while in the onTimeout thread, can I
>> still do some asynchronous operation (retrieving content from http request)
>> and is writing to the response from this thread, as long as I ensured this
>> is done in a thread safe way, ok ?
>>
>> Thanks,
>> Thomas
>>
>>


Re: Async servlet timeout behaviour

2016-02-11 Thread Mark Thomas
On 11/02/2016 11:44, Thomas Boniface wrote:
> 2016-02-11 12:16 GMT+01:00 Mark Thomas :
>> On 11/02/2016 11:07, Thomas Boniface wrote:



>>> I also wonder what can be done or not while in the onTimeout thread, can I
>>> still do some asynchronous operation (retrieving content from http request)
>>> and is writing to the response from this thread, as long as I ensured this
>>> is done in a thread safe way, ok ?
>>
>> This is all in the Servlet spec.
>>
> I'll study the spec, I spent a lot of time looking for some documentation
> without thinking of reading the specs themselves, my bad.
> 
>>
>> In summary:
>> - You can perform any operation that is valid for a request in async mode.
>>
> This will have no impact on other request onTimeout triggering no matter
> what I do within the onTimeout ?

Correct. The timeout thread dispatches the processing of the timeout to
a separate thread for each AsyncContext that is timing out.

>> - You MUST call complete() or dispatch() before exiting onTimeout().
>>
> If the onTimeout occurs but another thread created by the same request is
> already writing the response I assume this thread will call complete() and
> the onTimeout thread must not do anything ?

No. The onTimeout thread MUST call complete() or dispatch(). If another
application thread is still performing processing then onTimeout() needs
to cancel that processing. Applications are responsible for making sure
all of this happens in a thread-safe manner.

If onTimeout() doesn't call complete(), Tomcat will followed by a 500
response.

If the application thread continues processing then all sorts of
nasty things will happen because Tomcat will recycle the request and
response and at some point they will be re-used.

Mark
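
One way to meet the rules Mark lists in this message, as an added Java example that is not part of the original posts and is not Tomcat's own code: a single lock decides whether the worker or the timeout callback owns the response, so onTimeout() always returns with complete() called and a cancelled worker never touches a recycled response. The servlet name, URL pattern, pool size and slowLookup() are assumptions made for the illustration; the API is javax.servlet 3.x.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: class name, URL pattern, pool size and slowLookup() are illustrative.
@WebServlet(urlPatterns = "/bid", asyncSupported = true)
public class BidServlet extends HttpServlet {

    private final ExecutorService workers = Executors.newFixedThreadPool(8);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        AsyncContext ctx = req.startAsync();
        ctx.setTimeout(300);                 // ms; the thread notes Tomcat checks once a second
        Exchange exchange = new Exchange(ctx);
        ctx.addListener(exchange);           // listener is in place before the work starts
        exchange.task = workers.submit(exchange);
    }

    @Override
    public void destroy() {
        workers.shutdownNow();
    }

    // Stand-in for the real backend call; returns early when the worker is cancelled.
    static String slowLookup() {
        try {
            Thread.sleep(250);
            return "bid=42\n";
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return "";
        }
    }

    /** One request. The worker and the container callbacks take the same lock. */
    static final class Exchange implements Runnable, AsyncListener {
        private final AsyncContext ctx;
        private boolean finished;            // guarded by "this"
        volatile Future<?> task;

        Exchange(AsyncContext ctx) { this.ctx = ctx; }

        @Override
        public void run() {
            String body = slowLookup();      // uses no request or response object
            synchronized (this) {
                if (finished) return;        // timed out: request/response may be recycled
                finished = true;
                try {
                    HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                    r.setContentType("text/plain");
                    r.getWriter().write(body);
                } catch (IOException | RuntimeException e) {
                    // write failed (e.g. client gone); the cycle is still ended below
                } finally {
                    ctx.complete();
                }
            }
        }

        // Ends the cycle from a container callback unless the worker already did.
        private synchronized void finishWith(int status) {
            if (finished) return;            // worker wrote and called complete() first
            finished = true;
            Future<?> t = task;
            if (t != null) t.cancel(true);   // cancel the processing still in flight
            ((HttpServletResponse) ctx.getResponse()).setStatus(status);
            ctx.complete();                  // required before onTimeout() returns
        }

        @Override
        public void onTimeout(AsyncEvent event) {
            finishWith(HttpServletResponse.SC_NO_CONTENT);
        }

        @Override
        public void onError(AsyncEvent event) {
            finishWith(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }

        @Override public void onComplete(AsyncEvent event) { }
        @Override public void onStartAsync(AsyncEvent event) { }
    }
}
```

If the timeout fires while the worker is already writing, onTimeout() blocks on the lock until the worker has called complete(), then returns without touching the response.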




Re: Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-11 Thread Mark Thomas
On 11/02/2016 22:56, Dougherty, Gregory T., M.S. wrote:
> I would like to have a jar file in tomcat/lib that can be called from any of 
> the running web apps.  I need for the code in the jar to behave differently 
> depending on which web app called it.  It is not in this case possible for 
> the code to “trust” the caller to tell it the URL of the caller.
> 
> Is it possible for that code to independently determine the URL of the caller?

If you can't trust the caller to tell you the URL, you can't trust that
the caller isn't going to tinker with whatever mechanism you do use to
determine the URL.

You'd have a better chance of doing this if you ran under a
SecurityManager but unless you write an application from the start with
the intention of running it under a SecurityManager it is usually a lot
of additional effort to update the app so it runs correctly.

Mark





Is there a way for code running on Tomcat 7+ to determine the URL of the Web App it's running under?

2016-02-11 Thread Dougherty, Gregory T., M.S.
I would like to have a jar file in tomcat/lib that can be called from any of 
the running web apps.  I need for the code in the jar to behave differently 
depending on which web app called it.  It is not in this case possible for the 
code to “trust” the caller to tell it the URL of the caller.

Is it possible for that code to independently determine the URL of the caller?

Thank you,
--
Gregory Dougherty
Sr. Analyst/Programmer | Information Technology
Information Technology
(507) 284-8493 | dougherty.greg...@mayo.edu



Re: NIO Thread Behavior With Http Connections

2016-02-11 Thread Mark Thomas
On 11/02/2016 21:54, Bart Wood wrote:
> Will the NIO connector reuse a thread for multiple http connections in
> flight?

No. Once a thread enters the filter chain it is dedicated to that
request until it exits the filter chain (plus some Tomcat internal
processing).

> For example, an nio thread begins processing a request for an http
> connection. The thread begins blocking on a slow database socket read. Will
> Tomcat let the thread be reused in flight for other http connections? If
> code was storing data in thread local storage I'd imagine there could be
> problems.

ThreadLocals are problematic in a container environment for all sorts of
reasons. See the archives for details.

Mark





Re: NIO Thread Behavior With Http Connections

2016-02-11 Thread Bart Wood
Thanks Mark.

I normally see around 20 active http connections and around 10 active NIO
threads.  Why isn't there a 1-to-1 ratio between active http connections
and active nio threads?  What is happening when a connection is "active"
but it isn't being processed via the filter chain?

On Thu, Feb 11, 2016 at 2:59 PM, Mark Thomas  wrote:

> On 11/02/2016 21:54, Bart Wood wrote:
> > Will the NIO connector reuse a thread for multiple http connections in
> > flight?
>
> No. Once a thread enters the filter chain it is dedicated to that
> request until it exits the filter chain (plus some Tomcat internal
> processing).
>
> > For example, an nio thread begins processing a request for an http
> > connection. The thread begins blocking on a slow database socket read. Will
> > Tomcat let the thread be reused in flight for other http connections? If
> > code was storing data in thread local storage I'd imagine there could be
> > problems.
>
> ThreadLocals are problematic in a container environment for all sorts of
> reasons. See the archives for details.
>
> Mark


NIO Thread Behavior With Http Connections

2016-02-11 Thread Bart Wood
Will the NIO connector reuse a thread for multiple http connections in
flight?

For example, an nio thread begins processing a request for an http
connection. The thread begins blocking on a slow database socket read. Will
Tomcat let the thread be reused in flight for other http connections? If
code was storing data in thread local storage I'd imagine there could be
problems.

Thanks,
-Bart Wood


Re: NIO Thread Behavior With Http Connections

2016-02-11 Thread Mark Thomas
On 11/02/2016 22:11, Bart Wood wrote:
> Thanks Mark.
> 
> I normally see around 20 active http connections and around 10 active NIO
> threads.  Why isn't there a 1-to-1 ratio between active http connections
> and active nio threads?  What is happening when a connection is "active"
> but it isn't being processed via the filter chain?

Connections in HTTP keep-alive are managed by the Poller thread until
there is some data on it that needs processing. Connections are then
passed to a container thread for processing. Tomcat will use
non-blocking (i.e. only allocate a thread to a connection when there is
data to process) until the HTTP request headers have been fully read at
which point it will switch to blocking mode until the exit of the
service() method (plus some internal processing).

Mark


> 
> On Thu, Feb 11, 2016 at 2:59 PM, Mark Thomas  wrote:
> 
>> On 11/02/2016 21:54, Bart Wood wrote:
>>> Will the NIO connector reuse a thread for multiple http connections in
>>> flight?
>>
>> No. Once a thread enters the filter chain it is dedicated to that
>> request until it exits the filter chain (plus some Tomcat internal
>> processing).
>>
>>> For example, an nio thread begins processing a request for an http
>>> connection. The thread begins blocking on a slow database socket read. Will
>>> Tomcat let the thread be reused in flight for other http connections? If
>>> code was storing data in thread local storage I'd imagine there could be
>>> problems.
>>
>> ThreadLocals are problematic in a container environment for all sorts of
>> reasons. See the archives for details.
>>
>> Mark



RE: [PossibleSpam] Re: Tomcat Rewrite Valve

2016-02-11 Thread Joe Aldrich


>On 10.02.2016 at 15:23, Rémy Maucherat wrote:
>> 2016-02-10 15:06 GMT+01:00 Joe Aldrich :
>>
>>>> On 29.01.2016 15:34, Joe Aldrich wrote:
>>>>> Hello,
>>>>>
>>>>> I am using Tomcat 8.0.28 on Windows 10 and am having a problem with
>>>>> the Rewrite Valve. I must include the escaped form of an ampersand
>>>>> '%26' in the output URL.
>>>>>
>>>>> My rewrite.config has the following:
>>>>>
>>>>> RewriteCond %{QUERY_STRING} ^(.*&)?SCID=8(&.*)?$
>>>>> RewriteRule ^/(product|specs|avail-options|avail-category)\.php$ /Product.action?select=Model+4+\%26+4C [R=301,L,NE]
>>>>>
>>>>> I am escaping the percent sign with a backslash, and I have tried
>>>>> using the NE flag. However, Tomcat always is treating the percent
>>>>> symbol as a back reference to the above RewriteCond. If I don't
>>>>> have a second capture group, then I get a 500 error from a
>>>>> NullPointerException.
>>>> The current tomcat code does not allow escaping of percent or dollar sign.
>>>>
>>>> The parser just looks for percent (or dollar) and applies it either as a
>>>> backreference (when it is followed by a digit), or a map.
>>>> I have not found any indication, that escaping is possible with httpd.
>>>> Could you provide a link to the doc, that states it is possible?
>>> In Apache mod_rewrite it is possible per this documentation:
>>> https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#quoting
>>
>> Ok, I added an item for that since the mod_rewrite behavior should be
>> implemented:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=58988
>The fix will be included in 9.0.0.M4 and 8.0.33. The syntax will be the same
>as with httpd 2.2 using a backslash to quote a percent sign.
>
>@Joe, could you test the current trunk for 8 or 9?

Yes, I will test it out as soon as I get the chance.

Thanks again,
Joe

>Regards,
>  Felix
>> Rémy
>>
>>>
>>>> If you are willing to build tomcat yourself, you could try the attached
>>>> patch, which will allow escaping of percent signs by specifying them as %%.
>>>> Your example would thus look like
>>>> "/Product.action?select=Model+4+%%26+4C".
>>>>
>>>> Regards,
>>>>   Felix
>>> I will look into applying the patch as I need to be able to redirect
>>> to URLs that contain %26 in the query string.
>>> Much thanks,
>>> Joe
>>>
>>>>> I was working with the documentation on this page:
>>>>>
>>>>> http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html
>>>>>
>>>>> The desired output URL would be:
>>>>>
>>>>> http://www.domain.com/Product.html?select=Model+4+%26+4C
>>>>>
>>>>> In the example given for the NE flag on the page reference above,
>>>>> the percent sign is escaped by a backslash to prevent it from being
>>>>> treated as a back-reference. This is not working for me. Instead I
>>>>> get:
>>>>>
>>>>> http://www.domain.com/Product.action?select=Model+4+\null6+4C
>>>>>
>>>>> Where the "null" is due to an empty second back-reference.  I
>>>>> believe this is a bug in that it is not escaping the percent sign
>>>>> (making it impossible to create the %26 in the redirect URL). Or am
>>>>> I misunderstanding something here?
>>>>>
>>>>> As a side question, shouldn't an empty back-reference be blank
>>>>> instead of adding 'null' to the URL?
>>>>>
>>>>> Joseph B Aldrich



Re: Adding a custom configurations file globally and at web-app level for Apache Tomcat

2016-02-11 Thread Christopher Schultz
Chiranga,

On 2/11/16 6:45 AM, Chiranga Alwis wrote:
> Hi,
> 
> I have been working on adding a custom configurations file which
> follows a pattern similar to the web.xml, i.e. the file can be
> defined globally but several predefined configuration properties
> can be overridden at web-app level.
> 
> For this purpose, my initial plan was to load the content in global
> level file by implementing the LifeCycleListener interface and in
> the case of a web-app or context use a ServletContextListener.
> 
> Is this the most appropriate procedure to achieve this or is it an 
> incorrect approach?

Can you explain how this is different from what is possible using
conf/web.xml and conf/context.xml for site-wide defaults?

-chris



Re: [PossibleSpam] Re: Tomcat Rewrite Valve

2016-02-11 Thread Felix Schumacher

Am 10.02.2016 um 15:23 schrieb Rémy Maucherat:

2016-02-10 15:06 GMT+01:00 Joe Aldrich :


Am 29.01.2016 15:34, schrieb Joe Aldrich:

Hello,

I am using Tomcat 8.0.28 on Windows 10 and am having a problem with
the Rewrite Valve. I must include the escaped form of an ampersand
'%26' in the output URL.

My rewrite.config has the following:

RewriteCond %{QUERY_STRING} ^(.*&)?SCID=8(&.*)?$
RewriteRule ^/(product|specs|avail-options|avail-category)\.php$ /Product.action?select=Model+4+\%26+4C [R=301,L,NE]

I am escaping the percent sign with a backslash, and I have tried
using the NE flag. However, Tomcat always is treating the percent
symbol as a back reference to the above RewriteCond. If I don't have a
second capture group, then I get a 500 error from a
NullPointerException.

The current tomcat code does not allow escaping of percent or dollar sign.

The parser just looks for percent (or dollar) and applies it either as a
backreference (when it is followed by a digit), or a map.

I have not found any indication that escaping is possible with httpd.
Could you provide a link to the doc that states it is possible?

In Apache mod_rewrite it is possible per this documentation:
https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#quoting


Ok, I added an item for that since the mod_rewrite behavior should be
implemented:
https://bz.apache.org/bugzilla/show_bug.cgi?id=58988
The fix will be included in 9.0.0.M4 and 8.0.33. The syntax will be the
same as with httpd 2.2 using a backslash to quote a percent sign.


@Joe, could you test the current trunk for 8 or 9?

Regards,
 Felix

Rémy




If you are willing to build tomcat yourself, you could try the attached
patch, which will allow escaping of percent signs by specifying them as %%.

Your example would thus look like
"/Product.action?select=Model+4+%%26+4C".

Regards,
  Felix

I will look into applying the patch as I need to be able to redirect to
URLs that contain %26 in the query string.
Much thanks,
Joe


I was working with the documentation on this page:

http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html

The desired output URL would be:

http://www.domain.com/Product.html?select=Model+4+%26+4C

In the example given for the NE flag on the page reference above, the
percent sign is escaped by a backslash to prevent it from being
treated as a back-reference. This is not working for me. Instead I
get:

http://www.domain.com/Product.action?select=Model+4+\null6+4C

Where the "null" is due to an empty second back-reference.  I believe
this is a bug in that it is not escaping the percent sign (making it
impossible to create the %26 in the redirect URL). Or am I
misunderstanding something here?

As a side question, shouldn't an empty back-reference be blank instead
of adding 'null' to the URL?

Joseph B Aldrich
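
The substitution handling discussed in this thread, as an added example that is not Tomcat's code or anything posted by the participants: a simplified Python model of numeric back-reference expansion. With `legacy=True` it reproduces the `\null6` output reported above; otherwise a backslash quotes `%`, `$` or `\`, and an unmatched group expands to an empty string. The function names and the `legacy` switch are hypothetical, and `%{...}` map lookups are not modelled.

```python
import re

# Condition, rule and substitution copied from the rewrite.config in the thread.
COND = re.compile(r"^(.*&)?SCID=8(&.*)?$")
RULE = re.compile(r"^/(product|specs|avail-options|avail-category)\.php$")
SUBSTITUTION = r"/Product.action?select=Model+4+\%26+4C"
DIGITS = set("0123456789")


def expand(substitution, rule_groups, cond_groups, legacy=False):
    """Expand $N (RewriteRule groups) and %N (RewriteCond groups)."""
    out, i = [], 0
    while i < len(substitution):
        ch = substitution[i]
        nxt = substitution[i + 1] if i + 1 < len(substitution) else ""
        if not legacy and ch == "\\" and nxt in ("%", "$", "\\"):
            out.append(nxt)          # quoted character is copied literally
            i += 2
        elif ch in "%$" and nxt in DIGITS:
            groups = cond_groups if ch == "%" else rule_groups
            n = int(nxt)
            value = groups[n] if n < len(groups) else None
            if value is None:        # group did not take part in the match
                value = "null" if legacy else ""
            out.append(value)
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def redirect_target(path, query, legacy=False):
    """Return the rewritten target, or None when rule or condition fails."""
    rule, cond = RULE.match(path), COND.match(query)
    if not (rule and cond):
        return None
    return expand(SUBSTITUTION, [rule.group(0), *rule.groups()],
                  [cond.group(0), *cond.groups()], legacy)


if __name__ == "__main__":
    print(redirect_target("/product.php", "SCID=8", legacy=True))
    print(redirect_target("/product.php", "SCID=8"))
```

Keeping `%26` intact in the redirect matters because a decoded `&` would be read as a parameter separator and split the `select` value.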





Re: ssl config questions

2016-02-11 Thread Christopher Schultz
Msh,

On 2/10/16 7:04 PM, m...@kimwana.com wrote:
> I have the fillowing problem to solve for a job interview.

Hmm. On the one hand, it's YOUR job interview. On the other hand, if
you don't know this answer, you need to be able to find out the
answer, of course. How about we help you *just a little* to help yourself.

> Install the latest version of Apache Tomcat 7 using the latest
> version of Oracle Java 8. Done.
>
> Running under a non-root account. Done.
>
> With the provided helloworld.war deployed under the /app web context
> (https:///app) Done.
>
> With HTTPS enabled using a self-signed certificate that you
> generate Done.
> 
> *  Ensure the web application is available to the Internet for both
> HTTP and HTTPS
> 
> *  HTTP requests should be redirected to HTTPS automatically
> 
> I need help with the last two tasks.
> 
> Do I need two redirecting connectors?
> 
> 'iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80  -j
> REDIRECT --to-port 8080' could be the first step.
> 
> Then . . .
> 
> 
> 
>  protocol="org.apache.coyote.http11.Http11Protocol" 
> enableLookups="false" redirectPort="8443" />
> 
> How do I tell Tomcat to use ssl on a specific port? I was able to 
> load the site in my browser without specifying a port which seemed 
> like a win but I need to see that good old self-signed cert
> warning in my browser before I can call it a day.


You have two connectors, but they are both HTTP (non-secure). Part of
"installing Tomcat as non-root" means that binding to port 443 isn't
going to work. You need to use a different port.

A few thoughts:

(1) There is no (stated) requirement that the non-secure web service
be listening on port 80. There is no (stated) requirement that the
secure web service be listening on port 443. Perhaps you could
simplify things by not worrying about traditional port numbers for
HTTP and HTTPS.

(2) Everything you need to know about configuring SSL is in Tomcat's
Users Guide[1] or Configuration Guide[2].

-chris

[1] http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html
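
One way to check the point made in this reply, that both connectors are plain HTTP, as an added example that is not from the thread or from Tomcat: a Python check that reads a server.xml and reports plain connectors whose `redirectPort` does not lead to a connector with `SSLEnabled="true"`. The function name `audit_connectors`, both sample fragments, the ports, the keystore path and the password are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments; ports, keystore path and password are
# sample values, not taken from the thread.
BOTH_PLAIN = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             enableLookups="false" redirectPort="8443"/>
</Service>"""

WITH_TLS = """<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/selfsigned.jks" keystorePass="changeit"/>
</Service>"""


def audit_connectors(server_xml):
    """Return findings about how plain-HTTP connectors hand off to TLS."""
    tls_ports, plain = set(), []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            tls_ports.add(conn.get("port"))
        elif not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            plain.append(conn)
    findings = []
    if not tls_ports:
        findings.append('no connector sets SSLEnabled="true"')
    for conn in plain:
        # Tomcat sends CONFIDENTIAL requests to redirectPort (default 443).
        # Assumption: no firewall rule maps that port onto a TLS connector.
        target = conn.get("redirectPort", "443")
        if target not in tls_ports:
            findings.append("port %s redirects to %s, which is not a TLS "
                            "connector" % (conn.get("port"), target))
    return findings


if __name__ == "__main__":
    for name, doc in (("both plain", BOTH_PLAIN), ("with TLS", WITH_TLS)):
        print(name, audit_connectors(doc))
```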



ApacheCon NA 2016 - Important Dates!!!

2016-02-11 Thread Melissa Warnkin
 Hello everyone!
I hope this email finds you well.  I hope everyone is as excited about 
ApacheCon as I am!
I'd like to remind you all of a couple of important dates, as well as ask for 
your assistance in spreading the word! Please use your social media platform(s) 
to get the word out! The more visibility, the better ApacheCon will be for 
all!! :)
CFP Close: February 12, 2016
CFP Notifications: February 29, 2016
Schedule Announced: March 3, 2016
To submit a talk, please visit:  
http://events.linuxfoundation.org/events/apache-big-data-north-america/program/cfp

Link to the main site can be found here:  
http://events.linuxfoundation.org/events/apache-big-data-north-america

Apache: Big Data North America 2016 Registration Fees:
Attendee Registration Fee: US$599 through March 6, US$799 through April 10, US$999 thereafter
Committer Registration Fee: US$275 through April 10, US$375 thereafter
Student Registration Fee: US$275 through April 10, $375 thereafter
Planning to attend ApacheCon North America 2016 May 11 - 13, 2016? There is an 
add-on option on the registration form to join the conference for a discounted 
fee of US$399, available only to Apache: Big Data North America attendees.
So, please tweet away!!
I look forward to seeing you in Vancouver! Have a groovy day!!
~Melissa
on behalf of the ApacheCon Team






Re: ssl config questions

2016-02-11 Thread msh
On Thu, Feb 11, 2016 at 12:28:40PM -0500, Christopher Schultz wrote:
> Msh,
> 
> On 2/10/16 7:04 PM, m...@kimwana.com wrote:
> > I have the fillowing problem to solve for a job interview.

Fillowing. Heh! Thanks for the help.

> You have two connectors, but they are both HTTP (non-secure). Part of
> "installing Tomcat as non-root" means that binding to port 443 isn't
> going to work. You need to use a different port.

Yeah, I did realize this. ssl can work
> 
> A few thoughts:
> 
> (1) There is no (stated) requirement that the non-secure web service
> be listening on port 80. There is no (stated) requirement that the
> secure web service be listening on port 443. Perhaps you could
> simplify things by not worrying about traditional port numbers for
> HTTP and HTTPS.

Yeah. It took me a while to remember that http protocol can run on
practically any non-reserved port.
Of course browsers expect port 80 so I added a rule in my iptables config 

-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8443

which I think should work. I guess netcat will help me test that theory.


> 
> (2) Everything you need to know about configuring SSL is in Tomcat's
> Users Guide[1] or Configuration Guide[2].
> 
> -chris
> 
> [1] http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/http.html