Re: tomcat-embed 8.5.9 - runtime changes to SSLHostConfig objects
On Mon, Jan 9, 2017 at 1:53 PM Mark Thomas wrote:

> On 09/01/2017 20:13, Jesse Schulman wrote:
> > On Thu, Jan 5, 2017 at 9:48 PM Jesse Schulman wrote:
> >
> >> On Thu, Jan 5, 2017 at 2:08 PM Mark Thomas wrote:
> >>
> >> On 05/01/2017 21:05, Jesse Schulman wrote:
> >>> We are using tomcat-embed 8.5.9, java8 and running on Centos7. Given
> >>> Tomcat's new support for SNI, we wish to support adding/removing/updating
> >>> certificates via our application at runtime without restarting tomcat or
> >>> binding/unbinding the port.
> >>>
> >>> Our configuration is very simple, we have a single servlet for all
> >>> requests, so we have a single connector/endpoint to manage all
> >>> SSLHostConfigs.
> >>>
> >>> It appears that by manipulating the list of SSLHostConfig objects in the
> >>> AbstractEndpoint we can achieve what we want, there however don't appear to
> >>> be any public methods available that allow that kind of operation.
> >>
> >> It should be possible with the current API. What can't you do?
> >>
> >> I don't think I can modify an existing/added SSLHostConfig (remove an old
> >> expiring certificate and add a new certificate). I also don't think I can
> >> remove the SSLHostConfig for a given SNI hostname once it has been added.
> >>
> >>> I was able to extend a few tomcat classes (Connector,
> >>> AbstractHttp11JsseProtocol, NioEndpoint) to expose what I need and verify
> >>> that I can change the SSLHostConfig at runtime, however I would prefer to
> >>> use APIs fully supported by tomcat.
> >>>
> >>> Is there any way to do what I want with the currently available APIs, or
> >>> are there any plans to expose this kind of functionality?
> >>
> >> It depends exactly what you want to do.
> >>
> >> AbstractEndpoint.addSslHostConfig()
> >> AbstractEndpoint.findSslHostConfigs()
> >>
> >> should be enough.
> >>
> >> It seems addSslHostConfig does a putIfAbsent, which means I can't replace
> >> an existing SSLHostConfig to update the certificate for an SNI hostname (or
> >> the default SSLHostConfig). I also can't remove an SSLHostConfig entirely,
> >> which is something we'd like to support in our application. For me it
> >> would be simplest to create a new SSLHostConfig and replace the old one
> >> when there is a need to update a certificate.
> >>
> >>> If not, are there any risks or issues with taking the approach described
> >>> above by extending classes to expose what I need?
> >>
> >> It depends what you want to do. Generally, there is a risk we'll change
> >> an API you are depending on since a lot of those are treated as internal
> >> APIs. Some sample code might help.
> >>
> >> I would of course test when we upgrade tomcat, and leverage any new APIs
> >> that would allow me to remove any of my custom code.
> >>
> >> I extended AbstractHttp11JsseProtocol just so I could control which
> >> endpoint implementation was used and so I could get access to my endpoint
> >> implementation. My protocol is basically a copy of Http11NioProtocol that
> >> constructs my endpoint implementation and has a getter for the same.
> >>
> >> The endpoint is where I added functionality and looks like this:
> >>
> >> public class MyNioEndpoint extends NioEndpoint {
> >>     private static final MyLogger LOGGER =
> >>             MyLogger.getLogger(MyNioEndpoint.class.getName());
> >>
> >>     public void removeSSLHostConfig(String sniHostName) {
> >>         if (Strings.isNullOrEmpty(sniHostName)) {
> >>             LOGGER.error("Cannot remove host config for invalid hostname: " + sniHostName);
> >>             return;
> >>         }
> >>
> >>         if (sniHostName.equals(getDefaultSSLHostConfigName())) {
> >>             LOGGER.error("Cannot remove default SSLHostConfig");
> >>             return;
> >>         }
> >>
> >>         SSLHostConfig removed = sslHostConfigs.remove(sniHostName);
> >>         if (removed != null)
> >>             releaseSSLContext(removed);
> >>     }
> >>
> >>     public void addOrUpdateSSLHostConfig(SSLHostConfig config) {
> >>         if (config == null) {
> >>             LOGGER.error("null SSLHostConfig provided");
> >>             return;
> >>         }
> >>
> >>         String hostName = config.getHostName();
> >>         if (Strings.isNullOrEmpty(hostName)) {
> >>             LOGGER.error("Invalid SSLHostConfig provided, cannot add/update, hostname was empty");
> >>             return;
> >>         }
> >>
> >>         for (SSLHostConfig loadedConfig : findSslHostConfigs()) {
> >>             if (hostName.equals(loadedConfig.getHostName())) {
> >>                 sslHostConfigs.remove(hostName);
> >>                 releaseSSLContext(loadedConfig);
> >>                 addSslHostConfig(loadedConfig);
> >>                 return;
> >>             }
> >>         }
> >>
> >>         addSslHostConfig(config);
> >>     }
> >>
> >> }
> >>
> >> Thanks for the reply, your help/suggestions are much appreciated!
> >> Je
Re: TomcatCon @ ApacheCon
> Embedded Tomcat and microservices? With and as an alternative to Spring
> Boot?
>
> -Terence Bandoian
> http://www.tmbsw.com/

+1. Something to do with using Tomcat within a microservices architecture, possibly with Docker and Kubernetes.
Re: JSP compilation fails with Java 9
2017-01-09 1:16 GMT-06:00 Patil, Shital :

> We are assessing Java 9(early access) and JSP compilation is badly broken
> with Java 9. Even basic java objects(java.lang.Object) are not accessible
> while compilation. Appears to be because of jigsaw(modular)
>
> Any solution or alternative to this problem ?

I tested Java 9 relatively recently, and normally JSP compilation is the last remaining issue. I can confirm what was said: JDT doesn't have modules support, and it doesn't have a planning for it from what I saw. There have been some significant updates to the modules lately, so it would be unfair to blame the JDT people at this point.

Rémy
Re: tomcat-embed 8.5.9 - runtime changes to SSLHostConfig objects
On 09/01/2017 20:13, Jesse Schulman wrote:

> On Thu, Jan 5, 2017 at 9:48 PM Jesse Schulman wrote:
>
>> On Thu, Jan 5, 2017 at 2:08 PM Mark Thomas wrote:
>>
>> On 05/01/2017 21:05, Jesse Schulman wrote:
>>> We are using tomcat-embed 8.5.9, java8 and running on Centos7. Given
>>> Tomcat's new support for SNI, we wish to support adding/removing/updating
>>> certificates via our application at runtime without restarting tomcat or
>>> binding/unbinding the port.
>>>
>>> Our configuration is very simple, we have a single servlet for all
>>> requests, so we have a single connector/endpoint to manage all
>>> SSLHostConfigs.
>>>
>>> It appears that by manipulating the list of SSLHostConfig objects in the
>>> AbstractEndpoint we can achieve what we want, there however don't appear to
>>> be any public methods available that allow that kind of operation.
>>
>> It should be possible with the current API. What can't you do?
>>
>> I don't think I can modify an existing/added SSLHostConfig (remove an old
>> expiring certificate and add a new certificate). I also don't think I can
>> remove the SSLHostConfig for a given SNI hostname once it has been added.
>>
>>> I was able to extend a few tomcat classes (Connector,
>>> AbstractHttp11JsseProtocol, NioEndpoint) to expose what I need and verify
>>> that I can change the SSLHostConfig at runtime, however I would prefer to
>>> use APIs fully supported by tomcat.
>>>
>>> Is there any way to do what I want with the currently available APIs, or
>>> are there any plans to expose this kind of functionality?
>>
>> It depends exactly what you want to do.
>>
>> AbstractEndpoint.addSslHostConfig()
>> AbstractEndpoint.findSslHostConfigs()
>>
>> should be enough.
>>
>> It seems addSslHostConfig does a putIfAbsent, which means I can't replace
>> an existing SSLHostConfig to update the certificate for an SNI hostname (or
>> the default SSLHostConfig). I also can't remove an SSLHostConfig entirely,
>> which is something we'd like to support in our application. For me it
>> would be simplest to create a new SSLHostConfig and replace the old one
>> when there is a need to update a certificate.
>>
>>> If not, are there any risks or issues with taking the approach described
>>> above by extending classes to expose what I need?
>>
>> It depends what you want to do. Generally, there is a risk we'll change
>> an API you are depending on since a lot of those are treated as internal
>> APIs. Some sample code might help.
>>
>> I would of course test when we upgrade tomcat, and leverage any new APIs
>> that would allow me to remove any of my custom code.
>>
>> I extended AbstractHttp11JsseProtocol just so I could control which
>> endpoint implementation was used and so I could get access to my endpoint
>> implementation. My protocol is basically a copy of Http11NioProtocol that
>> constructs my endpoint implementation and has a getter for the same.
>>
>> The endpoint is where I added functionality and looks like this:
>>
>> public class MyNioEndpoint extends NioEndpoint {
>>     private static final MyLogger LOGGER =
>>             MyLogger.getLogger(MyNioEndpoint.class.getName());
>>
>>     public void removeSSLHostConfig(String sniHostName) {
>>         if (Strings.isNullOrEmpty(sniHostName)) {
>>             LOGGER.error("Cannot remove host config for invalid hostname: " + sniHostName);
>>             return;
>>         }
>>
>>         if (sniHostName.equals(getDefaultSSLHostConfigName())) {
>>             LOGGER.error("Cannot remove default SSLHostConfig");
>>             return;
>>         }
>>
>>         SSLHostConfig removed = sslHostConfigs.remove(sniHostName);
>>         if (removed != null)
>>             releaseSSLContext(removed);
>>     }
>>
>>     public void addOrUpdateSSLHostConfig(SSLHostConfig config) {
>>         if (config == null) {
>>             LOGGER.error("null SSLHostConfig provided");
>>             return;
>>         }
>>
>>         String hostName = config.getHostName();
>>         if (Strings.isNullOrEmpty(hostName)) {
>>             LOGGER.error("Invalid SSLHostConfig provided, cannot add/update, hostname was empty");
>>             return;
>>         }
>>
>>         for (SSLHostConfig loadedConfig : findSslHostConfigs()) {
>>             if (hostName.equals(loadedConfig.getHostName())) {
>>                 sslHostConfigs.remove(hostName);
>>                 releaseSSLContext(loadedConfig);
>>                 addSslHostConfig(loadedConfig);
>>                 return;
>>             }
>>         }
>>
>>         addSslHostConfig(config);
>>     }
>>
>> }
>>
>> Thanks for the reply, your help/suggestions are much appreciated!
>> Jesse
>>
> I am bumping this, I think I made it sound as if I had all my questions
> answered (since I didn't put any questions in my response). Here are my
> remaining questions:
>
> Is there an existing/supported way to remove/replace an existing
> SSLHostConfig in AbstractEndpoint that is exposed via the Connector simil
Re: Tomcat 8, 8.5 and 9 returning another apps environment with context.lookup() from a .parallelStream()
On 09/01/2017 19:57, Christopher Zinn wrote:

> Thanks for the information. I was not expecting such a great response so
> quickly.
>
> We are going to test the workaround that sets the java.util.concurrent.
> ForkJoinPool.common.threadFactory property as that will be the easiest for
> us to configure and deploy to our Tomcat instances.

The correct value for that property is:
java.util.concurrent.ForkJoinPool$ForkJoinTaskFactory

As I dig into this further, I realise it isn't that simple.

1. There will still be a memory leak.
2. The threads will have the wrong thread context class loader and your JNDI lookups will fail.
3. ForEach is hard-coded to use the common ForkJoin pool.

As far as I can see, your only option is to correctly set the thread context class before you do the JNDI lookup. Because of the way the ForkJoinPool is written that is going to prevent the code ever running under a SecurityManager (which may not be an issue for you) because InnocuousForkJoinWorkerThread is hard-coded to throw an Exception if you call setContextClassLoader().

It looks like ForkJoin was not designed with a multi-class loader environment in mind. We should be able to get most of this fixed but without adding significant complexity, the end result is going to be that ForkJoinWorkerThreads always use the system class loader. That means if you want to use JNDI, you are going to have to set the thread context class loader yourself.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
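Mark's closing advice, to set the thread context class loader yourself before the JNDI lookup, as an added example that is not code from this thread or from Tomcat. The class name, the helper names and the stand-in `lookup` are assumptions made so that it runs without a container; in a web application the stand-in would be an `InitialContext` lookup.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

public class TcclParallelLookup {

    /**
     * Runs the task with the given loader as thread context class loader (TCCL)
     * and always restores the previous one. Restoring matters on common-pool
     * workers: a web application loader left behind stays reachable from a
     * JVM-wide thread and is what the next task on that thread would see.
     */
    static <T> T withContextClassLoader(ClassLoader loader, Callable<T> task) {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        // Per the message above, this call throws on the "innocuous" worker
        // threads used under a SecurityManager, so it does not apply there.
        current.setContextClassLoader(loader);
        try {
            return task.call();
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new IllegalStateException("lookup failed", e);
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    /**
     * Stand-in for the JNDI lookup (assumption, so the example runs offline).
     * In a web application this would be
     * new InitialContext().lookup("java:comp/env/" + name).
     * It reports which loader the calling thread would present to the lookup.
     */
    static String lookup(String name, ClassLoader expected) {
        ClassLoader seen = Thread.currentThread().getContextClassLoader();
        return seen == expected ? "own application" : "other loader";
    }

    /** Performs many lookups in a parallel stream and counts who answered. */
    static Map<String, Long> run(ClassLoader appLoader, boolean pinLoader) {
        return IntStream.range(0, 10_000).parallel()
                .mapToObj(i -> pinLoader
                        ? withContextClassLoader(appLoader,
                                () -> lookup("jdbc/pool", appLoader))
                        : lookup("jdbc/pool", appLoader))
                .collect(Collectors.groupingBy(s -> s, Collectors.counting()));
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = TcclParallelLookup.class.getClassLoader();
        // Constructed stand-ins for two web application class loaders.
        try (URLClassLoader otherApp = new URLClassLoader(new URL[0], parent);
             URLClassLoader thisApp = new URLClassLoader(new URL[0], parent)) {

            // Mimic another application using the common pool first, so the
            // pool's workers exist before this application submits work.
            Thread.currentThread().setContextClassLoader(otherApp);
            IntStream.range(0, 10_000).parallel().sum();

            // A request thread of this application: capture its loader on the
            // request thread, before entering the parallel stream.
            Thread.currentThread().setContextClassLoader(thisApp);
            ClassLoader captured = Thread.currentThread().getContextClassLoader();

            // Without pinning, only elements processed by the calling thread
            // are guaranteed to see this application's loader.
            System.out.println("unpinned: " + run(captured, false));
            // With pinning, every element sees it, whichever thread runs it.
            System.out.println("pinned:   " + run(captured, true));
        }
    }
}
```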
Re: tomcat-embed 8.5.9 - runtime changes to SSLHostConfig objects
On Thu, Jan 5, 2017 at 9:48 PM Jesse Schulman wrote:

> On Thu, Jan 5, 2017 at 2:08 PM Mark Thomas wrote:
>
> On 05/01/2017 21:05, Jesse Schulman wrote:
> > We are using tomcat-embed 8.5.9, java8 and running on Centos7. Given
> > Tomcat's new support for SNI, we wish to support adding/removing/updating
> > certificates via our application at runtime without restarting tomcat or
> > binding/unbinding the port.
> >
> > Our configuration is very simple, we have a single servlet for all
> > requests, so we have a single connector/endpoint to manage all
> > SSLHostConfigs.
> >
> > It appears that by manipulating the list of SSLHostConfig objects in the
> > AbstractEndpoint we can achieve what we want, there however don't appear to
> > be any public methods available that allow that kind of operation.
>
> It should be possible with the current API. What can't you do?
>
> I don't think I can modify an existing/added SSLHostConfig (remove an old
> expiring certificate and add a new certificate). I also don't think I can
> remove the SSLHostConfig for a given SNI hostname once it has been added.
>
> > I was able to extend a few tomcat classes (Connector,
> > AbstractHttp11JsseProtocol, NioEndpoint) to expose what I need and verify
> > that I can change the SSLHostConfig at runtime, however I would prefer to
> > use APIs fully supported by tomcat.
> >
> > Is there any way to do what I want with the currently available APIs, or
> > are there any plans to expose this kind of functionality?
>
> It depends exactly what you want to do.
>
> AbstractEndpoint.addSslHostConfig()
> AbstractEndpoint.findSslHostConfigs()
>
> should be enough.
>
> It seems addSslHostConfig does a putIfAbsent, which means I can't replace
> an existing SSLHostConfig to update the certificate for an SNI hostname (or
> the default SSLHostConfig). I also can't remove an SSLHostConfig entirely,
> which is something we'd like to support in our application. For me it
> would be simplest to create a new SSLHostConfig and replace the old one
> when there is a need to update a certificate.
>
> > If not, are there any risks or issues with taking the approach described
> > above by extending classes to expose what I need?
>
> It depends what you want to do. Generally, there is a risk we'll change
> an API you are depending on since a lot of those are treated as internal
> APIs. Some sample code might help.
>
> I would of course test when we upgrade tomcat, and leverage any new APIs
> that would allow me to remove any of my custom code.
>
> I extended AbstractHttp11JsseProtocol just so I could control which
> endpoint implementation was used and so I could get access to my endpoint
> implementation. My protocol is basically a copy of Http11NioProtocol that
> constructs my endpoint implementation and has a getter for the same.
>
> The endpoint is where I added functionality and looks like this:
>
> public class MyNioEndpoint extends NioEndpoint {
>     private static final MyLogger LOGGER =
>             MyLogger.getLogger(MyNioEndpoint.class.getName());
>
>     public void removeSSLHostConfig(String sniHostName) {
>         if (Strings.isNullOrEmpty(sniHostName)) {
>             LOGGER.error("Cannot remove host config for invalid hostname: " + sniHostName);
>             return;
>         }
>
>         if (sniHostName.equals(getDefaultSSLHostConfigName())) {
>             LOGGER.error("Cannot remove default SSLHostConfig");
>             return;
>         }
>
>         SSLHostConfig removed = sslHostConfigs.remove(sniHostName);
>         if (removed != null)
>             releaseSSLContext(removed);
>     }
>
>     public void addOrUpdateSSLHostConfig(SSLHostConfig config) {
>         if (config == null) {
>             LOGGER.error("null SSLHostConfig provided");
>             return;
>         }
>
>         String hostName = config.getHostName();
>         if (Strings.isNullOrEmpty(hostName)) {
>             LOGGER.error("Invalid SSLHostConfig provided, cannot add/update, hostname was empty");
>             return;
>         }
>
>         for (SSLHostConfig loadedConfig : findSslHostConfigs()) {
>             if (hostName.equals(loadedConfig.getHostName())) {
>                 sslHostConfigs.remove(hostName);
>                 releaseSSLContext(loadedConfig);
>                 addSslHostConfig(loadedConfig);
>                 return;
>             }
>         }
>
>         addSslHostConfig(config);
>     }
>
> }
>
> Thanks for the reply, your help/suggestions are much appreciated!
> Jesse

I am bumping this, I think I made it sound as if I had all my questions answered (since I didn't put any questions in my response). Here are my remaining questions:

Is there an existing/supported way to remove/replace an existing SSLHostConfig in AbstractEndpoint that is exposed via the Connector similar to how addSslHostConfig and findSslHostConfigs are exposed? Such that I don't need the MyEndpoint class I shared above?

If the answer to the first quest
Re: TomcatCon @ ApacheCon
On Mon, Jan 9, 2017 at 2:14 PM, Terence M. Bandoian wrote:

> On 1/9/2017 8:00 AM, jean-frederic clere wrote:
>>
>> On 01/09/2017 12:57 PM, Mark Thomas wrote:
>>>
>>> All,
>>>
>>> There is the opportunity (if we can pull it together as a community) to
>>> run a dedicated Tomcat conference alongside ApacheCon NA 2017. The dates
>>> are May 16 to 18.
>>>
>>> The call for papers closes on Feb 11 so we have around a month to get
>>> organised. We'll also need to convince the conference organisers that a)
>>> there is a demand for this and b) we have a plan.
>>>
>>> Getting the right content is going to be critical to success. I've been
>>> thinking about this for a while and I think we can identify the right
>>> content if as many folks as possible on this list answer the following
>>> question:
>>>
>>> "What topic(s) need to be covered in a Tomcat conference to make it as
>>> easy as possible to get your employer to pay for you to attend?"
>>>
>>> We have up to three days and potentially multiple tracks so even if you
>>> think you have a niche requirement, please speak up. We typically have a
>>> number of Tomcat committers speaking at ApacheCon so finding someone to
>>> cover a particular topic shouldn't be too tricky. Equally, if you have a
>>> topic you could present on that you think others would find useful,
>>> speak up.
>>>
>>> Do feel free to add your +1 if someone else mentions a topic you are
>>> interested first. Having an idea of how popular the topics are would
>>> also be helpful.
>>>
>>> Also, we don't have to stick to the standard "Sit and listen to someone
>>> present for 40 mins" format. Discussions, workshops, hackathons are all
>>> possible.
>>>
>>> Some topic ideas to get the ball rolling.
>>>
>>> Hands-on workshop: Configuring TLS with Apache Tomcat
>>> Reverse Proxying to Apache Tomcat
>>> Load-balancing with Apache Tomcat
>>> Clustering with Apache Tomcat
>>> Tomcat Clinic (like the users list but with everyone in the same room)
>>>
>>> I look forward to hearing your topic ideas.
>>
>> The classical tomcat-next (presenting 8.5 and 9 + migration + openssl)
>> easily fill a room and an afternoon of workshop.
>> Proxy and Load-balancing are also often asked...
>>
>> What about tomcat in cloud?
>>
>> Cheers
>>
>> Jean-Frederic
>>
>>> Mark
>>>
>
> Embedded Tomcat and microservices? With and as an alternative to Spring
> Boot?

+1

I happened to implement a custom TomcatEmbeddedServletContainerFactory to support multiple wars deployment with spring-boot for some reasons (e.g, some requires multiple wars together anyway even in micro service env) before. It would be nice if we can discuss/share alternatives to create cloud-friendly single executable artifacts.

Woonsan

>
> -Terence Bandoian
> http://www.tmbsw.com/
Re: Tomcat 8, 8.5 and 9 returning another apps environment with context.lookup() from a .parallelStream()
Thanks for the information. I was not expecting such a great response so quickly.

We are going to test the workaround that sets the java.util.concurrent.ForkJoinPool.common.threadFactory property as that will be the easiest for us to configure and deploy to our Tomcat instances.

- Chris

On Mon, Jan 9, 2017 at 11:57 AM, Mark Thomas wrote:

> On 09/01/2017 14:29, Mark Thomas wrote:
> > On 08/01/2017 22:04, Christopher Zinn wrote:
>
> >> We are running into an issue where we have multiple copies of the same
> >> WAR loaded on a Tomcat instance each with its own context.xml.
> >> The initial problem I was trying to diagnose was A JNDI lookup to a
> >> Connection Pool in one of the WARs was returning the connection pool of one
> >> of the others.
> >> The problem only happens when the JNDI lookup is performed within a
> >> parallelStream().
> >>
> >> I was able to produce a very simple WAR with a single servlet and a
> >> context XML to reproduce the problem I'm having (See below).
> >>
> >> If you run the servlet from the first application, it works correctly.
> >> You will see that it only ever looks up 'Test 1'.
> >> When I run the servlet from the second application it will only return Test
> >> 1 in the first part (stream()) but a mix of 'Test 1' and 'Test 2' in the
> >> parallelStream() part.
>
> > A quick look at the JRE source code suggests this is handled correctly
> > but the code isn't the easiest to trace through. I'll set up the
> > provided test case and take a closer look. That may take an hour or two.
>
> I can confirm that the root cause is a JRE bug. Unless you are running
> under a SecurityManager the default ForkJoinWorkerThreadFactory does not
> take any steps to ensure correct operation in a multi-class loader
> environment.
>
> You have a couple of work-arounds available
> - Run under a SecurityManager
> - Set the java.util.concurrent.ForkJoinPool.common.threadFactory system
>   property to
>   java.util.concurrent.ForkJoinPool.InnocuousForkJoinWorkerThreadFactory
>
> Meanwhile, I'll be doing the following:
>
> - Updating Tomcat's JreMemoryLeakPreventionListener to include
>   protection for this memory leak.
> - Adding this leak to https://github.com/markt-asf/memory-leaks
> - Raising a JRE bug
> - Pinging our friendly Oracle contact to get this fixed (we've been
>   pretty successful at getting this fixed recently)
>
> Cheers,
>
> Mark
Re: TomcatCon @ ApacheCon
On 1/9/2017 8:00 AM, jean-frederic clere wrote:
>
> On 01/09/2017 12:57 PM, Mark Thomas wrote:
>>
>> All,
>>
>> There is the opportunity (if we can pull it together as a community) to
>> run a dedicated Tomcat conference alongside ApacheCon NA 2017. The dates
>> are May 16 to 18.
>>
>> The call for papers closes on Feb 11 so we have around a month to get
>> organised. We'll also need to convince the conference organisers that a)
>> there is a demand for this and b) we have a plan.
>>
>> Getting the right content is going to be critical to success. I've been
>> thinking about this for a while and I think we can identify the right
>> content if as many folks as possible on this list answer the following
>> question:
>>
>> "What topic(s) need to be covered in a Tomcat conference to make it as
>> easy as possible to get your employer to pay for you to attend?"
>>
>> We have up to three days and potentially multiple tracks so even if you
>> think you have a niche requirement, please speak up. We typically have a
>> number of Tomcat committers speaking at ApacheCon so finding someone to
>> cover a particular topic shouldn't be too tricky. Equally, if you have a
>> topic you could present on that you think others would find useful,
>> speak up.
>>
>> Do feel free to add your +1 if someone else mentions a topic you are
>> interested first. Having an idea of how popular the topics are would
>> also be helpful.
>>
>> Also, we don't have to stick to the standard "Sit and listen to someone
>> present for 40 mins" format. Discussions, workshops, hackathons are all
>> possible.
>>
>> Some topic ideas to get the ball rolling.
>>
>> Hands-on workshop: Configuring TLS with Apache Tomcat
>> Reverse Proxying to Apache Tomcat
>> Load-balancing with Apache Tomcat
>> Clustering with Apache Tomcat
>> Tomcat Clinic (like the users list but with everyone in the same room)
>>
>> I look forward to hearing your topic ideas.
>
> The classical tomcat-next (presenting 8.5 and 9 + migration + openssl)
> easily fill a room and an afternoon of workshop.
> Proxy and Load-balancing are also often asked...
>
> What about tomcat in cloud?
>
> Cheers
>
> Jean-Frederic
>
>> Mark

Embedded Tomcat and microservices? With and as an alternative to Spring Boot?

-Terence Bandoian
http://www.tmbsw.com/
Re: TomcatCon @ ApacheCon
Would anyone be interested (and is it within the guidelines) to talk about the differences in some tomcat distributions? Like the difference in the Red Hat linux and Debian tomcat distributions, for example. I know it isn't 100% ASF Tomcat, but I get a lot of inquiries about where to find stuff on freenode so it might be a helpful conversation for the community to have. On the other hand I don't want to blur the lines between where responsibilities lie, where people should ask questions, etc...

On Mon, Jan 9, 2017 at 12:06 PM, Igal @ Lucee.org wrote:
> On 1/9/2017 3:57 AM, Mark Thomas wrote:
>>
>> "What topic(s) need to be covered in a Tomcat conference to make it as
>> easy as possible to get your employer to pay for you to attend?"
>
> load balancing
> performance
> security
Re: TomcatCon @ ApacheCon
On 1/9/2017 3:57 AM, Mark Thomas wrote:

> "What topic(s) need to be covered in a Tomcat conference to make it as
> easy as possible to get your employer to pay for you to attend?"

load balancing
performance
security
Re: Tomcat 8, 8.5 and 9 returning another apps environment with context.lookup() from a .parallelStream()
On 09/01/2017 14:29, Mark Thomas wrote:
> On 08/01/2017 22:04, Christopher Zinn wrote:

>> We are running into an issue where we have multiple copies of the same
>> WAR loaded on a Tomcat instance each with its own context.xml.
>> The initial problem I was trying to diagnose was A JNDI lookup to a
>> Connection Pool in one of the WARs was returning the connection pool of one
>> of the others.
>> The problem only happens when the JNDI lookup is performed within a
>> parallelStream().
>>
>> I was able to produce a very simple WAR with a single servlet and a
>> context XML to reproduce the problem I'm having (See below).
>>
>> If you run the servlet from the first application, it works correctly.
>> You will see that it only ever looks up 'Test 1'.
>> When I run the servlet from the second application it will only return Test
>> 1 in the first part (stream()) but a mix of 'Test 1' and 'Test 2' in the
>> parallelStream() part.

> A quick look at the JRE source code suggests this is handled correctly
> but the code isn't the easiest to trace through. I'll set up the
> provided test case and take a closer look. That may take an hour or two.

I can confirm that the root cause is a JRE bug. Unless you are running under a SecurityManager the default ForkJoinWorkerThreadFactory does not take any steps to ensure correct operation in a multi-class loader environment.

You have a couple of work-arounds available
- Run under a SecurityManager
- Set the java.util.concurrent.ForkJoinPool.common.threadFactory system property to java.util.concurrent.ForkJoinPool.InnocuousForkJoinWorkerThreadFactory

Meanwhile, I'll be doing the following:

- Updating Tomcat's JreMemoryLeakPreventionListener to include protection for this memory leak.
- Adding this leak to https://github.com/markt-asf/memory-leaks
- Raising a JRE bug
- Pinging our friendly Oracle contact to get this fixed (we've been pretty successful at getting this fixed recently)

Cheers,

Mark
Possible bug with Transfer-Encoding: chunked on Tomcat 8.5.9
Hi,
I am upgrading from Tomcat 8.0.33 to 8.5.9.
I have the following error during a POST made with Apache-HttpClient 4.3.6

I think this is the bad "POST"

FINE Jan 09, 2017 3:45:15 PM org.apache.coyote.http11.Http11InputBuffer parseRequestLine
BUONO: Received [POST /majordodo HTTP/1.1
Transfer-Encoding: chunked
Content-Type: application/json;charset=utf-8
Host: sviluppo06-cs7.sviluppo.dna:11986
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.3.6 (java 1.5)
Accept-Encoding: gzip,deflate
Authorization: Basic bWFnbmV3czptYWduZXdz

10b78
]

this is the stack trace of the error:

java.io.IOException: Invalid end of line sequence (character other than CR or LF found)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.throwIOException(ChunkedInputFilter.java:655)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.parseCRLF(ChunkedInputFilter.java:475)
    at org.apache.coyote.http11.filters.ChunkedInputFilter.doRead(ChunkedInputFilter.java:262)
    at org.apache.coyote.http11.Http11InputBuffer.doRead(Http11InputBuffer.java:256)
    at org.apache.coyote.Request.doRead(Request.java:540)
    at org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuffer.java:319)
    at org.apache.catalina.connector.InputBuffer.checkByteBufferEof(InputBuffer.java:627)
    at org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:342)
    at org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInputStream.java:183)

Is it a client error on 'chunked' encoding format or is there some change on Tomcat code which processes this kind of encoding ?

I think that the client is sending a broken request, but before the upgrade I did not get the error, is it possible ?

I'm using Nio (not Nio2) http Connector, I'm going to try Nio2

Thank you
Enrico Olivelli
Re: Tomcat 8.5 - APR 1.2.10 SSL CPU issue ?
Hi Mark,

For reproducing, if you're making the requests locally to the server that might be why you're not seeing the issue occur. I had been testing between servers (client on server A, tomcat on server B); I tried this morning doing a wget locally to tomcat and do not see the issue occur (no WSAECONNABORTED status) while doing the wget remotely does get the aborted status.

In sslnetwork.c:ssl_socket_recv, adding the following debug statements:

    if (s == 0 && (SSL_get_shutdown(con->ssl) & SSL_RECEIVED_SHUTDOWN)) {
        con->shutdown_type = SSL_SHUTDOWN_TYPE_STANDARD;
        return APR_EOF;
    }
    printf("ssl_socket_recv:: Have value for i: %d\n", i);
    printf("ssl_socket_recv:: Have value for s: %d\n", s);
    printf("ssl_socket_recv:: Have value for rv: %d\n", rv);
    printf("ssl_socket_recv:: con->shutdown_type: %d\n", con->shutdown_type);
    fflush(stdout);
    switch (i) {
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:

Outputs:

Local server (wget --no-check-certificate https://localhost:8443/examples )

    ssl_socket_recv:: Have value for i: 5
    ssl_socket_recv:: Have value for s: -1
    ssl_socket_recv:: Have value for rv: 730054
    ssl_socket_recv:: con->shutdown_type: 2

While on remote server performing the same request (wget --no-check-certificate https://serverB:8443/examples)

    ssl_socket_recv:: Have value for i: 5
    ssl_socket_recv:: Have value for s: -1
    ssl_socket_recv:: Have value for rv: 730053
    ssl_socket_recv:: con->shutdown_type: 2

Thanks,

On Fri, Jan 6, 2017 at 5:43 PM, David Oswell wrote:

> Yep that would, Originally I had just turned the return 0 to throw an
> IOException - which as it would fall through to the else would be the same
> effect.
>
> I'll see if a java client would do the same, I'm using a golang
> client/console app for testing.
> I just tried with wget and see the WSAECONNABORTED status within APR.
> It also seems a bit time dependent, might be a case of whether APR is
> getting to the socket read before or after the FIN packet coming through ??
>
> On Fri, Jan 6, 2017 at 5:11 PM, Mark Thomas wrote:
>
>> On 06/01/2017 21:50, David Oswell wrote:
>> > I've somehow gotten the build for tcnative working here (more shocked I
>> > finally got openssl to build!)
>> >
>> > There seems to be a slight difference in how the shutdown occurs. When the
>> > APR_EGENERAL is returned it's due to falling through the SSL_ERROR_SYSCALL
>> > block in sslnetwork.c:ssl_socket_recv,
>> > This seems to be due to a difference in the value returned by;
>> > sslnetwork.c:324 :rv = apr_get_netos_error();
>> >
>> > on the bad case (quick socket close), rv is (730053) which
>> > is WSAECONNABORTED - APR_STATUS_IS_ECONNABORTED
>> > on a good disconnect case (slower socket close) rv is (730054)
>> > = WSAECONNRESET - APR_STATUS_IS_ECONNRESET
>> >
>> > I suspect a check with APR_STATUS_IS_ECONNABORTED(rv) might be needed to
>> > capture this scenario (WSAECONNABORTED), however I'm not sure how else this
>> > status might occur, and if any of those cases should not flag it as closed
>> > - although reading on WSAECONNABORTED it sounds like this is a close case.
>> > Not sure if it's an exception case or just normal EOF though.
>>
>> Thanks. That is really useful information.
>>
>> I've been trying to re-create the original issue that led to this odd
>> 'treat an error as eagain' code but without success. I have found a
>> couple of other bugs (now fixed) so it wasn't a complete waste of time.
>>
>> When I added this hack I was fairly sure I was missing something and it
>> is looking increasingly like this code was fixing a symptom rather than
>> the root cause. Given that I can't re-create the original problem, I'm
>> leaning towards removing the special handling for EGENERAL and letting
>> it trigger a close.
>>
>> If you remove the
>> else if (-result == Status.APR_EGENERAL && isSecure()) {
>> ...
>> }
>>
>> block, does that fix the problem you are seeing?
>>
>> Mark
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 8, 8.5 and 9 returning another apps environment with context.lookup() from a .parallelStream()
On 08/01/2017 22:04, Christopher Zinn wrote:
> Hello all,
> This is my first time posting to a mailing list so hopefully I'm doing
> this correctly.

Welcome to the Apache Tomcat community. As problem reports go, this is pretty much perfect. And it includes a simple test case. Many, many thanks.

> We are running into an issue where we have multiple copies of the same
> WAR loaded on a Tomcat instance each with its own context.xml.
> The initial problem I was trying to diagnose was a JNDI lookup to a
> Connection Pool in one of the WARs was returning the connection pool of one
> of the others.
> The problem only happens when the JNDI lookup is performed within a
> parallelStream().
>
> I was able to produce a very simple WAR with a single servlet and a
> context XML to reproduce the problem I'm having (See below).
>
> If you run the servlet from the first application, it works correctly.
> You will see that it only ever looks up 'Test 1'.
> When I run the servlet from the second application it will only return Test
> 1 in the first part (stream()) but a mix of 'Test 1' and 'Test 2' in the
> parallelStream() part.
>
> Thanks in advance for any advice or comments to our issue.

My initial comments are that this is rather odd. The correct JNDI context is looked up via the thread context class loader. The class loader from one web application should not be visible to another.

I wonder if when parallelStream() is first called some form of shared thread-pool is set up that retains a reference to the current thread context class loader? A quick look at the JRE source code suggests this is handled correctly but the code isn't the easiest to trace through.

I'll set up the provided test case and take a closer look. That may take an hour or two.

Mark

>
> ---
> My Environment: (The problem happens to us on our CENTOS Linux
> environments as well)
> Server version: Apache Tomcat/8.5.9
> Server built:   Dec 5 2016 20:18:12 UTC
> Server number:  8.5.9.0
> OS Name:        Windows 10
> OS Version:     10.0
> Architecture:   amd64
> JVM Version:    1.8.0_111-b14
> JVM Vendor:     Oracle Corporation
>
> Runtime.getRuntime().availableProcessors() returns 12 on my machine.
> CPU: Intel i7-5820K
>
>
> My Test Servlet:
> import java.io.IOException;
> import java.util.ArrayList;
> import java.util.List;
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
> import javax.servlet.ServletException;
> import javax.servlet.annotation.WebServlet;
> import javax.servlet.http.HttpServlet;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
>
> @WebServlet(urlPatterns = "/test")
> public final class MyServlet extends HttpServlet
> {
>     private static List<Integer> someNumbers = generateNonsense();
>
>     @Override
>     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
>     {
>         StringBuilder answerBuilder = new StringBuilder();
>
>         // This should be okay.
>         someNumbers.stream().forEach( number ->
>         {
>             answerBuilder.append(".stream() Looked up ")
>                 .append(lookupEnvironmentValue())
>                 .append("");
>         });
>
>         // This is most likely bad
>         someNumbers.parallelStream().forEach( number ->
>         {
>             synchronized (MyServlet.class)
>             {
>                 answerBuilder.append(".parallelStream() Looked up ")
>                     .append(lookupEnvironmentValue())
>                     .append("");
>             }
>         });
>
>         response.setContentType("text/html");
>         response.getWriter().write(answerBuilder.toString());
>     }
>
>     private String lookupEnvironmentValue()
>     {
>         try
>         {
>             Context context = new InitialContext();
>             return (String) context.lookup("java:comp/env/testName");
>         }
>         catch(NamingException e)
>         {
>             e.printStackTrace();
>             return e.getMessage();
>         }
>     }
>
>     private static List<Integer> generateNonsense()
>     {
>         List<Integer> nonsense = new ArrayList<>();
>         for(int n=0; n<1000; n++)
>             nonsense.add(n);
>
>         return nonsense;
>     }
> }
>
>
> My test context.xml
>
> override="false"/>
>
>
> Preparing Tomcat:
> Step 1: Download the core.zip of Tomcat 8, 8.5 or 9
> Step 2: create an apache-tomcat-8.5.9/conf/Catalina/localhost directory
> Step 3: create two files in this directory with the contents of my
> context.xml: test1.xml and test2.xml and change the value and path in the
> second one to '2'
> Step 4: Create a WAR with just the sample servlet I have here. and then
> drop them in apache-tomcat-8.5.9/webapps directory / call them test1.war
> and test2.war
> Step 5: Go into apache-tomcat-8.5.9/bin and catalina start to start it up.
>
> The urls to test for me are:
> http://localhost:8080/test1/test
> http://localhost:8080/test2/test
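The shared-pool effect suspected in the reply above can be observed outside Tomcat. This is an added example, not code from the thread or from Tomcat: two URLClassLoader instances stand in for the two web applications' class loaders, and the program records which thread context class loader each parallel-stream task actually runs with. The class name TcclLeakDemo, the AppLoader helper and the "app1"/"app2" labels are made up for the demonstration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.IntStream;

// Added example: stand-alone model of two web applications sharing the JVM-wide
// ForkJoinPool.commonPool() that parallel streams run on. All names are hypothetical.
public class TcclLeakDemo {

    // Stand-in for a web application class loader; the label makes it recognisable.
    static final class AppLoader extends URLClassLoader {
        private final String label;
        AppLoader(String label) {
            super(new URL[0], TcclLeakDemo.class.getClassLoader());
            this.label = label;
        }
        @Override public String toString() { return label; }
    }

    // Acts as a request thread of the application owning 'app', runs a parallel
    // stream, and returns every context class loader seen inside the tasks.
    // With pinLoader=true each task sets the caller's loader and restores it after.
    static Set<String> observe(ClassLoader app, boolean pinLoader) {
        Thread request = Thread.currentThread();
        ClassLoader saved = request.getContextClassLoader();
        request.setContextClassLoader(app);
        try {
            Set<String> seen = ConcurrentHashMap.newKeySet();
            IntStream.range(0, 10_000).parallel().forEach(n -> {
                Thread t = Thread.currentThread();
                ClassLoader before = t.getContextClassLoader();
                if (pinLoader) t.setContextClassLoader(app);
                try {
                    // A JNDI lookup of java:comp/env/... here would be resolved
                    // against whatever loader this thread currently carries.
                    seen.add(String.valueOf(t.getContextClassLoader()));
                } finally {
                    if (pinLoader) t.setContextClassLoader(before);
                }
            });
            return seen;
        } finally {
            request.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) {
        ClassLoader app1 = new AppLoader("app1");
        ClassLoader app2 = new AppLoader("app2");
        System.out.println("app1, unpinned: " + observe(app1, false));
        System.out.println("app2, unpinned: " + observe(app2, false));
        System.out.println("app2, pinned:   " + observe(app2, true));
    }
}
```

On a Java 8 runtime like the one in the report, pool workers keep the context class loader of the thread that first caused them to be created, so the second unpinned run lists both labels while the pinned run lists only "app2". Resolving the JNDI resource on the request thread before entering the stream removes the dependency on worker-thread state altogether.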
Re: JSP compilation fails with Java 9
2017-01-09 10:16 GMT+03:00 Patil, Shital:
> We are assessing Java 9(early access) and JSP compilation is badly broken
> with Java 9. Even basic java objects(java.lang.Object) are not accessible
> while compilation. Appears to be because of jigsaw(modular)
>
> Any solution or alternative to this problem ?

1. Tomcat full version number =?
2. ecj.jar version (in Tomcat's lib directory) =?
3. Does it work with a later version of ecj.jar?

It is "JDT Core Batch Compiler"
Downloadable from
http://download.eclipse.org/eclipse/downloads/
http://download.eclipse.org/eclipse/downloads/drops4/R-4.6.2-201611241400/

(Tomcat 8.5 ships with 4.5.1, Tomcat 9 uses 4.6.1, latest release is 4.6.2, but there is also a milestone build of 4.7 available)

Best regards,
Konstantin Kolinko
Re: Spurious "Internal Server Errors" accessing "jkmanager" after upgrading Apache, "mod_jk" and OpenSSL
Hi everyone,

just in case the "final" solution is of interest: the problem was as usual in the configuration. We did not set the following directive for the LDAP connection pool:

LDAPConnectionPoolTTL #seconds

If the directive is missing, a value of "-1" is implied, meaning "keep connections open for ever". The LDAP server on the other side sets an "idle connection timeout" of 600 seconds. As a result a lookup would fail if it happened 600+ seconds after the first usage of the connection. 600 seconds is exactly the lifetime of the LDAP cache. Given the time of the year, usage of the test/integ/devel environment is minimal and there were no "new" lookups during the cache lifetime, leading to the repeated failures...

Setting

LDAPConnectionPoolTTL 60

solved the problem for good.

Happy New Year !!!
Martin

On Fri, Dec 30, 2016 at 12:33 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Martin,
>
> On 12/29/16 3:47 AM, Martin Knoblauch wrote:
> > that is an interesting pointer. We are of course securing the
> > "jkmanager" app. And guess what we are using: LDAP. The funky thing
> > is that it is working most of the time. It fails just after some
> > time. Refreshing the URL cures it again - for some time. What did
> > you do to fix your problem?
>
> I'm glad to see you are on your way to solving your problem.
>
> In my case, it was an expired TLS certificate being used for the
> OpenLDAP process or something similar, so it wasn't anything to do
> with httpd itself. I've also been experimenting with a fall-back for
> LDAP that maybe wouldn't be 100% up-to-date with the LDAP database,
> but at least it wouldn't cause 500 errors.
>
> Good luck,
> -chris

--
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
Re: TomcatCon @ ApacheCon
On 01/09/2017 12:57 PM, Mark Thomas wrote:
> All,
>
> There is the opportunity (if we can pull it together as a community) to
> run a dedicated Tomcat conference alongside ApacheCon NA 2017. The dates
> are May 16 to 18.
>
> The call for papers closes on Feb 11 so we have around a month to get
> organised. We'll also need to convince the conference organisers that a)
> there is a demand for this and b) we have a plan.
>
> Getting the right content is going to be critical to success. I've been
> thinking about this for a while and I think we can identify the right
> content if as many folks as possible on this list answer the following
> question:
>
> "What topic(s) need to be covered in a Tomcat conference to make it as
> easy as possible to get your employer to pay for you to attend?"
>
> We have up to three days and potentially multiple tracks so even if you
> think you have a niche requirement, please speak up. We typically have a
> number of Tomcat committers speaking at ApacheCon so finding someone to
> cover a particular topic shouldn't be too tricky. Equally, if you have a
> topic you could present on that you think others would find useful,
> speak up.
>
> Do feel free to add your +1 if someone else mentions a topic you are
> interested in first. Having an idea of how popular the topics are would
> also be helpful.
>
> Also, we don't have to stick to the standard "Sit and listen to someone
> present for 40 mins" format. Discussions, workshops, hackathons are all
> possible.
>
> Some topic ideas to get the ball rolling.
>
> Hands-on workshop: Configuring TLS with Apache Tomcat
> Reverse Proxying to Apache Tomcat
> Load-balancing with Apache Tomcat
> Clustering with Apache Tomcat
> Tomcat Clinic (like the users list but with everyone in the same room)
>
> I look forward to hearing your topic ideas.

The classical tomcat-next (presenting 8.5 and 9 + migration + openssl) easily fill a room and an afternoon of workshop.

Proxy and Load-balancing are also often asked...

What about tomcat in cloud?

Cheers

Jean-Frederic

>
> Mark
Re: TomcatCon @ ApacheCon
I would like to understand garbage collections better. Such as what instances or situations experienced someone would make a change to a setting.

Thank you,
Joleen

On Mon, Jan 9, 2017 at 6:57 AM, Mark Thomas wrote:

> All,
>
> There is the opportunity (if we can pull it together as a community) to
> run a dedicated Tomcat conference alongside ApacheCon NA 2017. The dates
> are May 16 to 18.
>
> The call for papers closes on Feb 11 so we have around a month to get
> organised. We'll also need to convince the conference organisers that a)
> there is a demand for this and b) we have a plan.
>
> Getting the right content is going to be critical to success. I've been
> thinking about this for a while and I think we can identify the right
> content if as many folks as possible on this list answer the following
> question:
>
> "What topic(s) need to be covered in a Tomcat conference to make it as
> easy as possible to get your employer to pay for you to attend?"
>
> We have up to three days and potentially multiple tracks so even if you
> think you have a niche requirement, please speak up. We typically have a
> number of Tomcat committers speaking at ApacheCon so finding someone to
> cover a particular topic shouldn't be too tricky. Equally, if you have a
> topic you could present on that you think others would find useful,
> speak up.
>
> Do feel free to add your +1 if someone else mentions a topic you are
> interested in first. Having an idea of how popular the topics are would
> also be helpful.
>
> Also, we don't have to stick to the standard "Sit and listen to someone
> present for 40 mins" format. Discussions, workshops, hackathons are all
> possible.
>
> Some topic ideas to get the ball rolling.
>
> Hands-on workshop: Configuring TLS with Apache Tomcat
> Reverse Proxying to Apache Tomcat
> Load-balancing with Apache Tomcat
> Clustering with Apache Tomcat
> Tomcat Clinic (like the users list but with everyone in the same room)
>
> I look forward to hearing your topic ideas.
>
> Mark
Re: JSP compilation fails with Java 9
On 09/01/2017 07:16, Patil, Shital wrote:
> We are assessing Java 9(early access) and JSP compilation is badly
> broken with Java 9. Even basic java objects(java.lang.Object) are not
> accessible while compilation. Appears to be because of
> jigsaw(modular)
>
> Any solution or alternative to this problem ?

As far as I am aware, the JDT compiler that Jasper uses by default does not yet support Java 9. You should be able to configure Jasper to use javac for Java 9.

From memory (I tested this some time ago), a basic JSP worked with Java 9. Whether more complex JSPs might hit some Jigsaw related issues is TBD. Worst case, you should be able to work-around them with command line options when starting Tomcat.

I've looked at Java 9 support a couple of times but partly because it is still in a state of flux and partly because the JDT support was not there I haven't taken it very far.

Mark
TomcatCon @ ApacheCon
All,

There is the opportunity (if we can pull it together as a community) to run a dedicated Tomcat conference alongside ApacheCon NA 2017. The dates are May 16 to 18.

The call for papers closes on Feb 11 so we have around a month to get organised. We'll also need to convince the conference organisers that a) there is a demand for this and b) we have a plan.

Getting the right content is going to be critical to success. I've been thinking about this for a while and I think we can identify the right content if as many folks as possible on this list answer the following question:

"What topic(s) need to be covered in a Tomcat conference to make it as easy as possible to get your employer to pay for you to attend?"

We have up to three days and potentially multiple tracks so even if you think you have a niche requirement, please speak up. We typically have a number of Tomcat committers speaking at ApacheCon so finding someone to cover a particular topic shouldn't be too tricky. Equally, if you have a topic you could present on that you think others would find useful, speak up.

Do feel free to add your +1 if someone else mentions a topic you are interested in first. Having an idea of how popular the topics are would also be helpful.

Also, we don't have to stick to the standard "Sit and listen to someone present for 40 mins" format. Discussions, workshops, hackathons are all possible.

Some topic ideas to get the ball rolling.

Hands-on workshop: Configuring TLS with Apache Tomcat
Reverse Proxying to Apache Tomcat
Load-balancing with Apache Tomcat
Clustering with Apache Tomcat
Tomcat Clinic (like the users list but with everyone in the same room)

I look forward to hearing your topic ideas.

Mark