Re: Need help setting up SSL on Tomcat 8

2016-07-08 Thread Ognjen Blagojevic

On 7.7.2016 23:17, Daniel Savard wrote:

Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Looks like adding the keyAlias to the connector did not fix anything
unfortunately.






Did you examine the received certificate in the browser? Usually this helps
to identify why it failed. In this case, the chain of certification seems
to be the problem.


+1

What is your certification path / certificate hierarchy?

In Firefox: click on padlock icon, click on arrow, More information, 
View Certificate, Details, Certificate Hierarchy


In Chrome: click on padlock icon, Details, View Certificate, 
Certification path.


-Ognjen



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Long running process and parallel deployment

2016-07-08 Thread Chris Gamache
I need some help:

My web application has an upload file function. These files can be huge.
While the file is uploading, the upload class spawns a new thread to send
status updates to the client's progress bar. This works fine even for the
most giant files except when we want to make a parallel deployment while
uploads are happening.

08-Jul-2016 10:41:41.852 WARNING
[ContainerBackgroundProcessor[StandardEngine[Catalina]]]
org.apache.catalina.loader.WebappClassLoaderBase.clearReferencesThreads The
web application [WebApps##001012] is still processing a request that has
yet to finish. This is very likely to create a memory leak. You can control
the time allowed for requests to finish by using the unloadDelay attribute
of the standard Context implementation. Stack trace of request processing
thread:
...

and the stack trace shows it is right in the middle of a file upload.

On top of that, the threads that update the upload progress bar are firing
and are being beat down by tomcat:

8-Jul-2016 10:41:42.233 INFO [http-nio-8080-exec-7]
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading
Illegal access: this web application instance has been stopped already.
Could not load [META-INF/services/javax.xml.parsers.SAXParserFactory]. The
following stack trace is thrown for debugging purposes as well as to
attempt to terminate the thread which caused the illegal access.
 java.lang.IllegalStateException: Illegal access: this web application
instance has been stopped already. Could not load
[META-INF/services/javax.xml.parsers.SAXParserFactory]. The following stack
trace is thrown for debugging purposes as well as to attempt to terminate
the thread which caused the illegal access.
...

And that's one of the upload progress threads.

The first message mentions setting unloadDelay as a possible solution. The
docs are light on the consequences of setting that value abnormally high to
accommodate the largest of file uploads. What would setting it to an hour
(360 ms) or more do? Will the next version of the webapp deploy and run
for new sessions while the old one waits to idle out? What about those
threads? Will they be allowed to fire while it is waiting on shutdown?

I'm in the process of setting up a sandbox but if y'all have advice for me
that would save me the trouble of setting the scenario up on a set of test
servers, I would REALLY appreciate it.


Dynamically determine which credentials to use for a Tomcat JDBC Connection Pool [Tomcat 8.0.36]

2016-07-08 Thread Philip Hachey
Hi.  I'm looking for a way to dynamically determine which username and 
password to use for a Tomcat JDBC Connection Pool 
[https://tomcat.apache.org/tomcat-8.0-doc/jdbc-pool.html] based on the 
database URL to which it is connecting.  I imagine this as an external 
key=value lookup where (database URL)={username, password}.


However, I've not been able to set the user credentials programmatically 
as I'd hoped via dataSource.getConnection(username, password) despite 
setting alternateUsernameAllowed="true" in the context.xml Resource 
element and leaving the username and password attributes blank.  I also 
tried setting the auth attribute to "Application" instead of 
"Container", but that didn't make any difference.  What would be the 
correct way of doing this?  I'm also open to other suggestions.


Thank you,
Philip




Encoding issues with Tomcat 7.0.69+ and 8.0.33+

2016-07-08 Thread Vincent Massol
Hi guys,

I work on the XWiki project (http://xwiki.org) and we’ve had several reports of 
users telling us that XWiki is not working anymore with versions of Tomcat > 
7.0.69 and > 8.0.33. It works perfectly well with those versions and lower.

The issue is described in more detail at 
http://jira.xwiki.org/browse/XWIKI-13556

In short, I’ve tracked down one of the issues and here’s the problem we have:

* We use context.getRequest().getRequestDispatcher(path).forward(…).
* We are url-encoding the path. For example: path = /bin/view/Main/test%20with%20space
* With Tomcat > 7.0.69 and > 8.0.33 (I’m testing with versions 8.0.36 and 
7.0.59 to be precise) this generates an incoming URL of 
.../bin/view/Main/test%2520with%2520space in our code
* With Tomcat <= 7.0.69 and <= 8.0.33 it was generating an incoming URL of 
.../bin/view/Main/test%20with%20space in our code

Also note that with Jetty 9.2.13.v20150730 if we don’t url-encode the path 
passed to getRequestDispatcher(path) then Jetty generates an incoming URL of 
.../bin/view/Main/test with space in our code, which is of course invalid and 
fails.

So I wanted to ask you two questions:
* Would someone know the change in Tomcat that brought this difference from 
previous versions?
* Who’s right? :)

Thanks for any help

-Vincent
XWiki Committer



Weird problem with WebSockets

2016-07-08 Thread Edwin Quijada
Hi!
I have developed an app using WebSocket. I am using servers to upload my app in 
DigitalOcean, but there the WebSockets don't work, while using another server, 
server4U, everything is fine. I am using Tomcat 8.5.3. Does somebody have any clue, 
any, about this behaviour? The only thing that I can think of is that DigitalOcean maybe 
has a proxy in front of their servers (Tomcat is so weird with this) and 
server4U doesn't.


I tested my app with WildFly in DigitalOcean and it works fine. I know maybe 
this is not a problem, or who knows, but I just want a clue.


Thanks in advance


Re: WebSockets

2016-07-08 Thread Martin Funk
Coming from the TomEE, I see there, that while the server starts up it logs
all kind of information of web-apps and services it found in its
deployment. For example REST Endpoints with the Path they are served under
are logged.

I found that quite nice for a freshman to know which services are served.

While poking around with the WebSockets I had a hard time figuring out if the
HTML was wrong or if the server just didn't serve the Endpoint.

So basically for debugging reasons.

mf

2016-07-03 18:57 GMT+02:00 Mark Thomas :

> On 03/07/2016 11:04, Martin Funk wrote:
> > Hi,
> >
> > I'm into my first steps of using the WebSocket API.
> > Things are quite nice so far, WebSockets, used the right way, might open up
> > a complete new type of WebApplications.
> >
> > I've got a question though, is there a way to configure Tomcat to announce
> > the annotated ServerEndpoints, it comes across while starting the server,
> > in the catalina log?
>
> No. That does not appear to be logged at any level.
>
> What are you trying to achieve?
>
> Mark


Re: Share data between applications

2016-07-08 Thread Nathan Quirynen

On 07/07/16 19:59, André Warnier (tomcat) wrote:

On 07.07.2016 17:48, Nathan Quirynen wrote:
We have several applications deployed in Tomcat and want to add 1 application to handle
authentication for all of the other applications.

All applications are defined as different host elements in Tomcat configuration
(server.xml) like following example:




...

How I see it theoretically working:
When a user goes to an url that points to webapp1, a request filter in the application
sees that the user has not been authenticated yet and redirects to the "loginapp" where
authentication happens and redirects back to webapp1 where the user now has been
authenticated for (only for this specific application).

Is it possible to share data between these applications in any way or somehow access and
make changes in the http session for webapp1 to make this flow work?

I hope my question is clear, else I'd like to hear your questions.



Hi.
Your question is clear.
I believe however that what you want to achieve, given your 
configuration (multiple Hosts) is not possible in Tomcat alone (nor 
maybe in any Servlet Engine respectful of the Servlet Specification).
However, there is one way in which I can imagine a solution, provided 
you have (or are willing to add) a front-end Apache httpd along with an 
Apache-Tomcat "mod_jk" connector.

Have a look here, first of all :
http://tomcat.apache.org/tomcat-8.0-doc/config/ajp.html#Standard_Implementations 


-> tomcatAuthentication
-> tomcatAuthorization
In other words, you could use a httpd front-end proxy to all your 
Tomcat Hosts, do the authentication at the httpd level (using any of 
the numerous methods available to do so), and then transmit this 
authenticated user-id to Tomcat, at the moment the requests get 
proxied to Tomcat for execution.
Because for Tomcat then, all incoming requests (no matter for which 
Host) would already be authenticated, and Tomcat would "believe" this 
authentication and not bother to do its own anymore, even for 
protected areas within Tomcat Hosts.







Hey thanks for your answer.
I'll look into your suggestion to see if that's a possibility for us.

What I have also found in my further research is JNDI resources. I have 
never used this so my knowledge is pretty zero on this, but would this 
be something I can use to share data (some java beans with needed data 
for the authentication) across my applications in my current setup?


Nathan
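
The httpd front-end arrangement André describes above, as an added configuration sketch that is not part of the original thread: the AJP connector is told to accept the user id that httpd already authenticated. The port, loopback address and secret placeholder are assumptions; since Tomcat then believes whatever arrives on this connector, the connector should be reachable only from the httpd front-end.

```xml
<!-- server.xml (Tomcat 8.0): added example, all values are assumptions.

     tomcatAuthentication="false"
         Tomcat does not authenticate; the user id authenticated by httpd is
         propagated over AJP and is visible to every Host's webapps through
         request.getRemoteUser().
     tomcatAuthorization (default false)
         Only effective when tomcatAuthentication is false. Set it to true if
         Tomcat should still assign roles from its Realm to that user for
         security constraints declared in the webapps.
     address="127.0.0.1"
         Bind to loopback so that only the local httpd can speak AJP to Tomcat.
     requiredSecret
         Placeholder. Requests are accepted only from a mod_jk worker
         configured with the same value in its "secret" property. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           requiredSecret="REPLACE_WITH_SHARED_SECRET"
           tomcatAuthentication="false" />
```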




How to Disable TLSv1.0 in Tomcat 7

2016-07-08 Thread varun gulati
Greetings Experts,

For the past few days I have been struggling with disabling TLSv1.0 in my Tomcat 
configuration. Here is the content of my server.xml file. I was able to disable 
SSLv3, and things were working fine, but somehow I am not able to disable TLSv1.0. 
I would really appreciate your suggestions on how to resolve this vulnerability.

Disabled SSLv3 with below config:



To disable TLSv1.0 I adopted the below config; fortunately it cleared the scans, 
but my site broke on HTTPS:
Referred link: 
http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html
==

Please help me identify if I am missing anything.


Thanks and Regards,
Varun Gulati  +91-9665121901

Disable SSLv3 & TLSv1.0 in Tomcat 7

2016-07-08 Thread varun gulati
Hello Team,
For the past few days I have been struggling with disabling TLSv1.0 in my Tomcat 
configuration. Here is the content of my server.xml file. I was able to disable 
SSLv3, and things were working fine, but somehow I am not able to disable TLSv1.0. 
I would really appreciate your suggestions on how to resolve this vulnerability.

Disabled SSLv3 with below config:



To disable TLSv1.0 I adopted the below config; fortunately it cleared the scans, 
but my site broke on HTTPS:
Referred link: 
http://tomcat.10.x6.nabble.com/How-to-allow-only-TLS-1-1-connections-to-Tomcat-6-0-server-with-https-td4995362.html
==

Please help me identify if I am missing anything.

Thanks and Regards,
Varun Gulati
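
For the two posts above about disabling TLSv1.0 in Tomcat 7, an added example (not the poster's configuration, which did not survive in the archive) of a JSSE connector before and after TLSv1 is dropped. The port, keystore path and password are placeholders, and the two elements are alternatives, not meant to be deployed together.

```xml
<!-- server.xml (Tomcat 7, JSSE BIO/NIO connector): added example. -->

<!-- Before: SSLv3 is no longer offered, TLSv1 still is. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />

<!-- After: only TLSv1.1 and TLSv1.2 are enabled.
     Tomcat enables only those listed protocols that the JVM's SSL
     implementation also supports, so on a JVM without TLSv1.1/TLSv1.2
     (Java 7 and later have them) nothing usable is left and HTTPS stops
     working. The APR/native connector does not read sslEnabledProtocols;
     it is configured through its own SSLProtocol attribute. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.1,TLSv1.2" />
```

After a restart, `openssl s_client -connect <host>:8443 -tls1` should fail to complete a handshake, while the same command with `-tls1_2` should succeed.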