Do symlinks under aliased directories require any special handling/configuration (tomcat = 7.0.56)?

2017-07-19 Thread Terence Lee
Please forgive any misuse of terminology here.  I am a sysadmin involved in 
devops deployments of tomcat servers and applications, but I don't really know 
much about how tomcat actually works.  I am a unix guy!

We recently had a deployment of a third party application that resulted in 
tomcat throwing 404 errors on any content of a symlinked directory that was 
contained in/under an aliased path.  It seems to me that it is something in the 
app configuration gone awry, but the vendor claims not.  So I am casting about 
for some information here after not coming up with anything definitive in the 
docs or by act of google.

Example:

1) The context.xml for the root context has the following:

aliases="/static=/pnas/legacy/static"

2) /pnas/legacy/static/ has a symlinked directory that functions as expected at 
the o/s level:

[root@exampleserver]# ls -lad /pnas/legacy/static/Digital
lrwxrwxrwx. 1 appsrv apps 34 Jul 17 21:40 /pnas/legacy/static/Digital -> /pnas/editorial/Digital/

3) tomcat runs as the appsrv user and all files in /pnas/editorial/Digital/ are 
owned by appsrv:apps, so we would expect /static/Digital/* to be 
accessible without error

4) attempts to access files in /static/Digital result in a 404 error 
... but this was not the case before this last app deploy

5) reverting the build of the app is not possible as it was one part of a 
really big multiheaded deployment.  We can work around the issue but accrue 
significant technical debt as a result.

6) Versions of anything relevant other than the app itself have not changed:
 tomcat = 7.0.56
 java = 1.7.0_71
 o/s = Red Hat Enterprise Linux Server release 6.8 (Santiago) 2.6.32-642.11.1.el6.x86_64

Question:

Does the use of symlinks under aliases require something like an "allowLinking" 
attribute or something else that could have been misconfigured in the app?

The docs don't really address this case and I can only find reference to 
"allowLinking" affecting material symlinked directly in or under the web 
context root.   Aliases appear to be suggested as an alternative and symlinks 
under an alias are not specifically addressed (that I have seen).

Any thoughts are appreciated and please do pardon any tomcat vocabulary that I 
may have injured in this effort to pose a question.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Storing JNDI binding password using encryption

2017-07-19 Thread Christopher Schultz

Alex,

On 7/19/17 3:53 PM, Alex O'Ree wrote:
> The jar file is in /tomcat/lib. The class is super simple
> 
> package org.redacted;
> public class JNDIRealmExt extends JNDIRealm{
>     @Override public String getConnectionPassword(){
>         return Utility.decrypt(connectionPassword);
>     }
> }
> 
> server.xml looks like this
> 
> connectionName="ldapUser"
> connectionPassword="encryptedPasswordHere"
> connectionURL="ldap://localhost:389"
> userBase="..."
> userSearch="..."
> roleBase="..."
> roleName=".."
> roleSubtree=".."
> roleSearch=".."
> referrals="follow"
> 
> />
> 
> resourceName="UserDatabase"/>
> 
> I'm attaching the debugger pretty close to tomcat's startup and
> the getConnectionPassword method never fires. I do see tons of logs
> in the console for ldap connection failures due to the password
> not functioning (pretty much immediately locks the account out at
> the ldap server). The stack trace does not include my extended
> JNDI class, only the tomcat provided JNDIRealm class.

What's the runtime data type of the realm?

If you override setConnectionPassword() does that get called by the
digester when reading your configuration?

-chris

> On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz wrote:
>> Alex,
>>
>> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>>> Assuming I had access to a reversible encryption
>>>>> mechanism and wanted to store the JNDI binding password
>>>>> in an encrypted form by extending the JNDIRealm class,
>>>>> which method should I override to encrypt the password
>>>>> stored in server.xml on the fly?
>>>>
>>>> You could do this via a custom PropertySource. I wouldn't
>>>> recommend it.
>>>>
>>>> https://wiki.apache.org/tomcat/FAQ/Password
>>>
>>> I tried just extending the JNDI Realm class and overriding
>>> getConnectionPassword but it doesn't appear that my code is
>>> ever called, even though my fully qualified classname is
>>> listed in the realm xml element. Any ideas?
>>
>> Please post your configuration (without secrets) and as much of
>> your code as is relevant.
>>
>> Also, where did you place your .class file for your JNDIRealm
>> subclass?
>>
>> -chris




Maven Tomcat Plugin Specific Properties File

2017-07-19 Thread Tony Chuinard
Is there any way to load a specific properties file for the Tomcat plugin? I
know about the  section of the plugin config, but I am
looking to point to a specific file when using tomcat7:run instead of
having to code these properties into the pom.


Re: Storing JNDI binding password using encryption

2017-07-19 Thread Alex O'Ree
The jar file is in /tomcat/lib. The class is super simple

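package org.redacted;

import org.apache.catalina.realm.JNDIRealm;

public class JNDIRealmExt extends JNDIRealm {
    // Intended to decrypt the value configured in server.xml on the fly.
    // Utility is the poster's own helper class (not shown in the thread).
    @Override
    public String getConnectionPassword() {
        return Utility.decrypt(connectionPassword);
    }
}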

server.xml looks like this



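connectionName="ldapUser"
connectionPassword="encryptedPasswordHere"
connectionURL="ldap://localhost:389"
userBase="..."
userSearch="..."
roleBase="..."
roleName=".."
roleSubtree=".."
roleSearch=".."
referrals="follow"

/>

resourceName="UserDatabase"/>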

I'm attaching the debugger pretty close to tomcat's startup and the
getConnectionPassword method never fires. I do see tons of logs in the
console for ldap connection failures due to the password not
functioning (pretty much immediately locks the account out at the ldap
server). The stack trace does not include my extended JNDI class,
only the tomcat provided JNDIRealm class.

On Wed, Jul 19, 2017 at 3:03 PM, Christopher Schultz wrote:
> Alex,
>
> On 7/19/17 1:53 PM, Alex O'Ree wrote:
>> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>>> On 19/07/17 16:22, Alex O'Ree wrote:
>>>> Assuming I had access to a reversible encryption mechanism and
>>>> wanted to store the JNDI binding password in an encrypted form
>>>> by extending the JNDIRealm class, which method should I
>>>> override to encrypt the password stored in server.xml on the
>>>> fly?
>>>
>>> You could do this via a custom PropertySource. I wouldn't
>>> recommend it.
>>>
>>> https://wiki.apache.org/tomcat/FAQ/Password
>>
>> I tried just extending the JNDI Realm class and overriding
>> getConnectionPassword but it doesn't appear that my code is ever
>> called, even though my fully qualified classname is listed in the
>> realm xml element. Any ideas?
>
> Please post your configuration (without secrets) and as much of your
> code as is relevant.
>
> Also, where did you place your .class file for your JNDIRealm subclass?
>
> -chris



Re: Storing JNDI binding password using encryption

2017-07-19 Thread Christopher Schultz

Alex,

On 7/19/17 1:53 PM, Alex O'Ree wrote:
> On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
>> On 19/07/17 16:22, Alex O'Ree wrote:
>>> Assuming I had access to a reversible encryption mechanism and
>>> wanted to store the JNDI binding password in an encrypted form
>>> by extending the JNDIRealm class, which method should I
>>> override to encrypt the password stored in server.xml on the
>>> fly?
>> 
>> You could do this via a custom PropertySource. I wouldn't
>> recommend it.
>> 
>> https://wiki.apache.org/tomcat/FAQ/Password
> 
> I tried just extending the JNDI Realm class and overriding 
> getConnectionPassword but it doesn't appear that my code is ever
> called, even though my fully qualified classname is listed in the
> realm xml element. Any ideas?

Please post your configuration (without secrets) and as much of your
code as is relevant.

Also, where did you place your .class file for your JNDIRealm subclass?

-chris



Re: Storing JNDI binding password using encryption

2017-07-19 Thread Alex O'Ree
Thanks Mark

I tried just extending the JNDI Realm class and overriding
getConnectionPassword but it doesn't appear that my code is ever called,
even though my fully qualified classname is listed in the realm xml
element. Any ideas?

On Wed, Jul 19, 2017 at 12:09 PM, Mark Thomas wrote:
> On 19/07/17 16:22, Alex O'Ree wrote:
>> Assuming I had access to a reversible encryption mechanism and wanted
>> to store the JNDI binding password in an encrypted form by extending
>> the JNDIRealm class, which method should I override to encrypt the
>> password stored in server.xml on the fly?
>
> You could do this via a custom PropertySource. I wouldn't recommend it.
>
> https://wiki.apache.org/tomcat/FAQ/Password
>
> Mark



Re: Storing JNDI binding password using encryption

2017-07-19 Thread Mark Thomas
On 19/07/17 16:22, Alex O'Ree wrote:
> Assuming I had access to a reversible encryption mechanism and wanted
> to store the JNDI binding password in an encrypted form by extending
> the JNDIRealm class, which method should I override to encrypt the
> password stored in server.xml on the fly?

You could do this via a custom PropertySource. I wouldn't recommend it.

https://wiki.apache.org/tomcat/FAQ/Password

Mark




Storing JNDI binding password using encryption

2017-07-19 Thread Alex O'Ree
Assuming I had access to a reversible encryption mechanism and wanted
to store the JNDI binding password in an encrypted form by extending
the JNDIRealm class, which method should I override to encrypt the
password stored in server.xml on the fly?




Re: Getting user role membership without context

2017-07-19 Thread Alex O'Ree
Got it to work! Thanks Mark!

On Wed, Jul 19, 2017 at 10:40 AM, Mark Thomas wrote:
> On 19/07/17 15:34, Alex O'Ree wrote:
>> Context.findChild and findChildren returns an instance of "Container".
>> It looks like StandardWrapper extends Container, so I should be able
>> to type cast it. The question is, is it always going to be an instance
>> of StandardWrapper?
>
> For a Context, it should always be an instance of Wrapper so as long as
> you cast to Wrapper, you should be fine.
>
> In a default Tomcat install it will always be StandardWrapper but better
> to use the interface here since it has the method you need.
>
> Mark
>
>
>>
>> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
>>> On 18/07/17 23:21, Alex O'Ree wrote:
>>>> Nice, any idea which method I need to call?
>>>
>>> You already have the Context so you want
>>>
>>> Context.findChildren()
>>>
>>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>>
>>> Context.findChild(String)
>>>
>>> for a specific Wrapper if you know the name. The name should be the name
>>> used in web.xml to define the Servlet.
>>>
>>> Mark
>>>
>>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>>> Alright, quick update on this.
>>>>>>
>>>>>> At this point, I have servlet context and a username running off the
>>>>>> main tomcat http threads (quartz job)
>>>>>>
>>>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>>> Realm realm = tomcat.getRealm()
>>>>>>
>>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>>
>>>>>>> Principal user = realm.authenticate(username);
>>>>>>
>>>>>> At this point, the user object is populated and appears to have the
>>>>>> roles attached to it (they are listed in the to String method).
>>>>>>
>>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>>
>>>>>> This part returns false, if and only if the ldap membership matches
>>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>>> role-name do not appear to be effect.
>>>>>>
>>>>>> I think this may have something to do with the Principal object not
>>>>>> having a login context. Normally, this is available via a servlet, but
>>>>>> this it is not.
>>>>>>
>>>>>> I think the root cause might be this line.
>>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>>
>>>>>> Which probably does the translation from the LDAP defined group or
>>>>>> role into what the application is expecting. Am I on the right path
>>>>>> here?
>>>>>
>>>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>>>> Servlet won't apply. If you know which servlet to use for the role
>>>>> mappings you can get that from the Context (Wrappers represent Servlets
>>>>> and are children of the Context).
>>>>>
>>>>> Mark



Re: Getting user role membership without context

2017-07-19 Thread Mark Thomas
On 19/07/17 15:34, Alex O'Ree wrote:
> Context.findChild and findChildren returns an instance of "Container".
> It looks like StandardWrapper extends Container, so I should be able
> to type cast it. The question is, is it always going to be an instance
> of StandardWrapper?

For a Context, it should always be an instance of Wrapper so as long as
you cast to Wrapper, you should be fine.

In a default Tomcat install it will always be StandardWrapper but better
to use the interface here since it has the method you need.

Mark


> 
> On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
>> On 18/07/17 23:21, Alex O'Ree wrote:
>>> Nice, any idea which method I need to call?
>>
>> You already have the Context so you want
>>
>> Context.findChildren()
>>
>> for a list of all the Wrappers (and it is the wrapper object you need) or
>>
>> Context.findChild(String)
>>
>> for a specific Wrapper if you know the name. The name should be the name
>> used in web.xml to define the Servlet.
>>
>> Mark
>>
>>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>>> Alright, quick update on this.
>>>>>
>>>>> At this point, I have servlet context and a username running off the
>>>>> main tomcat http threads (quartz job)
>>>>>
>>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>>> Realm realm = tomcat.getRealm()
>>>>>
>>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>>
>>>>>> Principal user = realm.authenticate(username);
>>>>>
>>>>> At this point, the user object is populated and appears to have the
>>>>> roles attached to it (they are listed in the to String method).
>>>>>
>>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>>
>>>>> This part returns false, if and only if the ldap membership matches
>>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>>> role-name do not appear to be effect.
>>>>>
>>>>> I think this may have something to do with the Principal object not
>>>>> having a login context. Normally, this is available via a servlet, but
>>>>> this it is not.
>>>>>
>>>>> I think the root cause might be this line.
>>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>>
>>>>> Which probably does the translation from the LDAP defined group or
>>>>> role into what the application is expecting. Am I on the right path
>>>>> here?
>>>>
>>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>>> Servlet won't apply. If you know which servlet to use for the role
>>>> mappings you can get that from the Context (Wrappers represent Servlets
>>>> and are children of the Context).
>>>>
>>>> Mark
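
The approach Mark describes, as an added example (not code from the thread or from Tomcat itself): look up the servlet's Wrapper in the Context and pass it to Realm.hasRole() so that servlet's security-role-ref mappings are applied. The class and method names are assumptions, and obtaining the Context is left to the caller.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Wrapper;

/** Role checks made outside a request, e.g. from a scheduled job (hypothetical helper). */
public final class ServletRoleCheck {

    private ServletRoleCheck() {
    }

    /**
     * Returns true if the user holds the role as the named servlet sees it,
     * i.e. after that servlet's security-role-ref mappings are applied.
     * servletName is the servlet-name used in web.xml.
     */
    public static boolean hasRole(Context context, String servletName,
                                  Principal user, String role) {
        if (user == null || role == null) {
            return false; // fail closed: nothing to check means no access
        }
        Container child = context.findChild(servletName);
        if (!(child instanceof Wrapper)) {
            // An unknown servlet name is a caller error, not a "false" answer.
            throw new IllegalArgumentException("No servlet named '" + servletName
                    + "' in context '" + context.getName() + "'");
        }
        return realmOf(context).hasRole((Wrapper) child, user, role);
    }

    /** Lists the servlets of the context whose mappings grant the role to the user. */
    public static List<String> servletsGranting(Context context,
                                                Principal user, String role) {
        List<String> names = new ArrayList<String>();
        if (user == null || role == null) {
            return names;
        }
        Realm realm = realmOf(context);
        // Children of a Context are the Wrappers that represent its servlets.
        for (Container child : context.findChildren()) {
            if (child instanceof Wrapper
                    && realm.hasRole((Wrapper) child, user, role)) {
                names.add(child.getName());
            }
        }
        return names;
    }

    private static Realm realmOf(Context context) {
        Realm realm = context.getRealm();
        if (realm == null) {
            throw new IllegalStateException("Context has no Realm configured");
        }
        return realm;
    }
}
```

The Principal passed in should be the one the same Realm returned, as with realm.authenticate(username) in the thread.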



Re: run thread from servlet

2017-07-19 Thread Christopher Schultz

Lance,

On 7/19/17 7:35 AM, Campbell, Lance wrote:
> Thanks for your information.  So when I have a process that I want
> to run as a thread I would assume I need to implement the
> interface ServletContextListener.   I would also assume that the
> servlet that creates the process will call the following method:
> 
> this.getServletContext().addListener(myProcess)
> 
> That way the Tomcat container can send a message to myProcess to
> tell it to end itself because Tomcat is trying to stop.
> 
> Did I understand that correctly?

I'm not entirely sure I understand what /you/ are saying above. I'll
explain.

During context ("webapp") startup, Tomcat will call init() on any
registered ServletContextListeners. You can register them either via
configuration in web.xml or via code annotations.

During context shutdown, Tomcat will call destroy() on those same
listeners.

Your servlets do not need to do anything to interact with those
listeners: no need to call addListener or anything like that.

You can do anything you want in those two methods.

Here's my recommendation:

1. Write a ServletContextListener that does the following:
  a. on init(), creates an ExecutorService with as many threads as you
want (you want one-at-a-time semantics, so that would be only a single
thread).

  b. places itself into the ServletContext ("application") under a
well-known attribute name (e.g. "MyJobRunnerService").

  c. on destroy(), shuts-down the ExecutorService, potentially
cancelling any in-progress operations it's performing (in order to
shut-down quickly)

2. In your servlet that accepts jobs, grab the JobRunnerService from
the ServletContext and call a method like "submit" on the job and
stop. The ExecutorService will handle things from there.

This should give you a solution that nicely-separates your work into
two operations: submitting jobs (the servlet) and actually running the
jobs (the JobRunnerService). The ExecutorService handles the
heavy-lifting of managing threads and actually running the jobs.

Makes sense?

- -chris



Re: Getting user role membership without context

2017-07-19 Thread Alex O'Ree
Context.findChild and findChildren returns an instance of "Container".
It looks like StandardWrapper extends Container, so I should be able
to type cast it. The question is, is it always going to be an instance
of StandardWrapper?

On Tue, Jul 18, 2017 at 6:40 PM, Mark Thomas wrote:
> On 18/07/17 23:21, Alex O'Ree wrote:
>> Nice, any idea which method I need to call?
>
> You already have the Context so you want
>
> Context.findChildren()
>
> for a list of all the Wrappers (and it is the wrapper object you need) or
>
> Context.findChild(String)
>
> for a specific Wrapper if you know the name. The name should be the name
> used in web.xml to define the Servlet.
>
> Mark
>
>
>>
>> On Jul 18, 2017 3:54 PM, "Mark Thomas" wrote:
>>> On 18/07/17 17:41, Alex O'Ree wrote:
>>>> Alright, quick update on this.
>>>>
>>>> At this point, I have servlet context and a username running off the
>>>> main tomcat http threads (quartz job)
>>>>
>>>>> StandardContext tomcat;load from reflection from ApplicationContext from ServletContext as ApplicationContextFacade
>>>>> Realm realm = tomcat.getRealm()
>>>>
>>>> At this point, realm is a LockoutRealm that contains two child realms,
>>>> the JNDI Realm and the standard UserDatabaseRealm
>>>>
>>>>> Principal user = realm.authenticate(username);
>>>>
>>>> At this point, the user object is populated and appears to have the
>>>> roles attached to it (they are listed in the to String method).
>>>>
>>>>> realm.hasRole(new StandardWrapper(), user, role);
>>>>
>>>> This part returns false, if and only if the ldap membership matches
>>>> exactly. Mapped roles via servlet/security-role-ref/role-link and
>>>> role-name do not appear to be effect.
>>>>
>>>> I think this may have something to do with the Principal object not
>>>> having a login context. Normally, this is available via a servlet, but
>>>> this it is not.
>>>>
>>>> I think the root cause might be this line.
>>>> https://github.com/apache/tomcat/blob/TOMCAT_7_0_42/java/org/apache/catalina/realm/RealmBase.java#L933
>>>>
>>>> Which probably does the translation from the LDAP defined group or
>>>> role into what the application is expecting. Am I on the right path
>>>> here?
>>>
>>> Yes. If you check auth outside of a Servlet, the role mappings for the
>>> Servlet won't apply. If you know which servlet to use for the role
>>> mappings you can get that from the Context (Wrappers represent Servlets
>>> and are children of the Context).
>>>
>>> Mark



RE: run thread from servlet

2017-07-19 Thread Campbell, Lance
Chris,
Thanks for your information.  So when I have a process that I want to run as a 
thread I would assume I need to implement the interface ServletContextListener. 
  I would also assume that the servlet that creates the process will call the 
following method:

this.getServletContext().addListener(myProcess)

That way the Tomcat container can send a message to myProcess to tell it to end 
itself because Tomcat is trying to stop.

Did I understand that correctly?

Thanks,

Lance

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, July 18, 2017 4:30 PM
To: users@tomcat.apache.org
Subject: Re: run thread from servlet


Lance,

On 7/18/17 9:56 AM, Campbell, Lance wrote:
> Tomcat 8.0.x Question: I am wanting to know the proper way to start a 
> thread from a servlet.
> 
> Use Case: A batch process will call a URL that is a servlet.  The 
> servlet will call a process that will trigger a thread to run to do 
> a particular job.  The thread will run for a while.  The servlet will 
> not wait on the thread to finish running.  Also the thread that is 
> started is running a process that requires there to only be one of 
> these processes running at any given time.
> 
> What I have done: I created a class I call EmailProcess.  I have a 
> static Boolean flag in the class called isWorking that indicates if 
> the process is running.  The class extends Runnable.  The class also 
> has a static method to start the thread if isWorking flag is false.  I 
> have a servlet that will call the static method in EmailProcess to 
> start the thread if possible.
> 
> Note: If the Tomcat container decides to clean up the servlet that is 
> called that triggers the thread I don't want it to mess with the 
> thread.  I want it to keep on running.

You want an ExecutorService (provided by the Java standard library), and you 
can limit the number of simultaneous jobs to 1. Submit the jobs to the service 
as they arrive, and then make sure you call
service.shutdown() when the servlet (or better yet, context) is being taken out 
of service. You might want to provide a way to cancel in-process jobs, 
otherwise you may stall container shutdown which might be inconvenient for you.

-chris



Re: Tomcat 8 Connection Pooling

2017-07-19 Thread Riccardo Cohen

You'll find here :

http://www.5flow.com/tmp/tomcatjndidb.zip

a very small sample that works on my computer (with IntelliJ project). 
Just change the context.xml with your database. Viewing the home page 
will create a database, insert records, then display them.


The data source is of type javax.sql.DataSource and this is the database 
connection pool. In mysql console, do : show processlist;


when reloading the home page of the sample you can see that the 
connection has always the same id. But if you restart tomcat the id 
changes. This means that tomcat keeps the connection to the db in a pool 
instead of creating a new connection at each ds.getConnection();



On 19/07/2017 06:03, Avinash Krishnan wrote:
> Hello Riccardo,
>
> When I try using the pool properties (without JNDI) it gives me URL Cannot
> Be null error. What I have understood is that, when we make the data source
> as a static variable or a member variable of another class and try to use
> it in another class's function it throws error. If I instantiate and use
> DataSource on same function it is working.
>
> I am wondering how to use the JNDI based Tomcat JDBC Connection Pool.
> If I use Context variable and instantiate DataSource object, the object
> should be of type javax.sql.DataSource and we don't get the
> latest org.apache.tomcat.jdbc.pool.DataSource;.
>
> Any idea find the exact way to implement JNDI usage of
> new org.apache.tomcat.jdbc.pool.DataSource; ?
>
> On Tue, Jul 18, 2017 at 9:02 PM, Riccardo Cohen wrote:
>> Can you see any info in the log : login incorrect, database not found etc.?
>> (There are many logs in tomcat : localhost log, catalina log, manager log,
>> host manager log, localhost access log)
>>
>> On 18/07/2017 13:55, Avinash Krishnan wrote:
>>> Hello Riccardo,
>>>
>>> Thanks for the response. This didn't work for me. Connections are not
>>> getting initiated and I am seeing java.lang.NullPointerException on
>>> accessing getConnection.
>>>
>>> I am referring to http://tomcat.apache.org/tomcat-8.0-doc/jdbc-pool.html
>>>
>>> The pool properties is also not working.
>>>
>>> On Tue, Jul 18, 2017 at 4:18 PM, Riccardo Cohen <riccardo.co...@e5group.fr> wrote:
>>>> Hello Avinash
>>>>
>>>> I'm not expert but this is rather simple :
>>>> in web/META-INF/context.xml write something like :
>>>>
>>>> in web/WEB-INF/web.xml add in  tag :
>>>>
>>>>   jdbc/tomcattest
>>>>   javax.sql.DataSource
>>>>
>>>> and in a java class add this :
>>>>
>>>> import javax.annotation.Resource;
>>>> import javax.servlet.http.HttpServlet;
>>>> import javax.sql.DataSource;
>>>> public class T3Servlet extends HttpServlet
>>>> {
>>>>   @Resource(name="jdbc/tomcattest")
>>>>   public DataSource ds;
>>>> }
>>>>
>>>> You will normally have a data source in your class, by injection, using
>>>> tomcat database pool.
>>>>
>>>> On 18/07/2017 12:26, Avinash Krishnan wrote:
>>>>> I am trying to implement Apache Tomcat 8.5.15 "Tomcat JDBC Connection
>>>>> Pool" using the steps mentioned in the guide.
>>>>>
>>>>> Can some one help me to understand how this connection pooling has to be
>>>>> done.
>>>>>
>>>>> Is the Plain Java Method, by implementing Pool Properties is an
>>>>> alternative to the JNDI lookup based pooling ? When I implement using
>>>>> Pool Properties, there isn't any provision to set up the Factory to
>>>>> "org.apache.tomcat.jdbc.pool.DataSourceFactory"
>>>>> and I always get invalid arguments in call.
>>>>>
>>>>> On a different note, I tried by adding to context.xml . And implementing
>>>>> JNDI lookup from context. But that time, I get
>>>>> "org.apache.tomcat.dbcp.dbcp2.BasicDataSource cannot be cast to
>>>>> org.apache.tomcat.jdbc.pool.DataSource" even after setting factory to
>>>>> DataSourceFactory.

--
Riccardo Cohen
+33 6 09 83 64 49
E5Group
http://www.5flow.com