Re: user and certificate info is not passed to tomcat
On 08.10.2019 00:50, Magosányi Árpád wrote: On 10/7/19 11:29 PM, André Warnier (tomcat) wrote: DirectoryIndex off RewriteEngine Off AuthType openid-connect AllowOverride None AuthzDBDQuery "a correct database query" Require dbd-group allrepo LogLevel debug Nice. It have solved the problem, thank you very much. By adding the ssl related directives here I could pass the ssl info as well. So basically we have put the JkMount in a Location, and the other directives in another similar directive, as a kind of workaround? Think of it as follows : When httpd gets a request, - step 1 : it first looks only at the request URL, and it applies any directives that it finds in or sections which match that URL. - step 2 : then it tries to match the URL, with the filesystem on disk, and IF it finds a file that corresponds to that URL - step 3 : then it applies any or that apply to that file - step 4 : httpd serves the file back to the browser If you have JkMount directives that match the URL, then step 2, 3 and 4 above never happen, because the request will be passed to tomcat anyway, so it will never map to a file on the httpd filesystem. And if you have JkUnmount directives, that also match the URL, then they partially negate the matching JkMount, and they /force/ step 2, 3 and 4. The combination of JkMount/JkUnmount directives, with the httpd and sections, is sometimes a bit unclear, specially when they overlap. There is another syntax applicable to the proxying via mod_jk, which I prefer because I find that it makes the httpd URL mapping clearer, in a httpd configuration logic sense. You can find it here : http://tomcat.apache.org/connectors-doc/reference/apache.html section : Using SetHandler and Environment Variables Using that form, you do NOT use any "JkMount/JkUnmount" directives, you use only blocks, like : SetHandler jakarta-servlet SetEnv JK_WORKER_NAME worker1 DirectoryIndex off RewriteEngine Off AuthType openid-connect AllowOverride None AuthzDBDQuery "a correct database query" Require dbd-group allrepo LogLevel debug The combination of the , SetHandler and SetEnv, does the same as a separate "JkMount /servlet* worker1" and (in my view) it makes it clearer in the Apache httpd configuration file, to know which URLs get proxied to tomcat and which do not get proxied. Look at the example "" to see how you can have some static documents served by the httpd front-end directly (= not proxied to tomcat), and the real calls to tomcat servlets being proxied to tomcat. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [POLL] Who is using CGIServlet, and why?
On Mon, Oct 7, 2019 at 10:22 AM Christopher Schultz < ch...@christopherschultz.net> wrote: I'm interested in what the community is doing with the CGIServlet, if > anything. Please do NOT reply if you don't use the CGIServlet. Please > DO reply if you fit into any of these categories: > > 1. Using Tomcat as a primary web server without reverse proxy (e.g. > httpd/nginx/etc), and using CGIServlet to run e.g. Perl, PHP, > Python... really any common scripting language on the back-end. > The above is our use case, mostly for prototyping, usually in Python. - Chuck
Re: user and certificate info is not passed to tomcat
On 10/7/19 11:29 PM, André Warnier (tomcat) wrote: > > DirectoryIndex off > RewriteEngine Off > AuthType openid-connect > AllowOverride None > AuthzDBDQuery "a correct database query" > Require dbd-group allrepo > LogLevel debug > Nice. It have solved the problem, thank you very much. By adding the ssl related directives here I could pass the ssl info as well. So basically we have put the JkMount in a Location, and the other directives in another similar directive, as a kind of workaround? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
Adding to my own previous post : A posteriori, I saw a question here : https://stackoverflow.com/questions/58240796/pass-username-and-client-certificate-from-apache-to-tomcat-using-mod-jk that may be related to your question on this list. Examining the above, you problem may be in the httpd configuration : As I interpret it, the section that you mention, will not be taken into account for the URLs that you are proxying to tomcat. That is because sections only apply if the URL ultimately maps to a local file for httpd. In this case, it does not, because you are proxying this request to tomcat. For such URLs, you should use a or in httpd, not a . For example, *add* this to your httpd configuration : DirectoryIndex off RewriteEngine Off AuthType openid-connect AllowOverride None AuthzDBDQuery "a correct database query" Require dbd-group allrepo LogLevel debug Note: the above is very rough, and you may need to tune the regex a bit better. On 08.10.2019 00:11, André Warnier (tomcat) wrote: On 07.10.2019 23:24, Magosányi Árpád wrote: On 10/7/19 8:20 PM, André Warnier (tomcat) wrote: Forgot the atribute 'tomcatAuthentication="false"' in the Connector ? Yes, I did, however adding it back did not improve the situation. Ok. I just mentioned that, because it is one piece of the puzzle, and you might have forgotten it. What this piece really does is : - IF the front-end Apache httpd authenticates the HTTP request which it later passes on to tomcat - IF the protocol used between Apache httpd and tomcat is AJP - IF the AJP Connector in tomcat has the attribute set as above - THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it internally as the tomcat-authenticated user-id for this request So now you have the two last IF's answered positively. What about the first IF ? Info : in the default format of the Apache httpd access log, it will show the authenticated user (if any) for each request, for example like this : 127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch... (where "THEUSER" is the httpd-authenticated user) while if the request is not authenticated by httpd, it will show a "-" instead of the user-id, like this : 127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch... (and, of course, if httpd has not authenticated the request which it later passes on to tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve this user-id, and thus the request, at the tomcat level, is not authenticated). Next comes the question of how the tomcat application retrieves this user-id, from tomcat itself. I suppose that this would be a question for the developers of the "com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below. (if the KKAuthorizationFilter does not use request.getRemoteuser(), but uses some other method, then you are out of luck for this front-end/back-end combination)(or you may need to do something additional at the front-end httpd level). My server.xml now: and my web.xml until mime mappings: http://xmlns.jcp.org/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"; version="4.0"> default org.apache.catalina.servlets.DefaultServlet debug 0 listings false 1 jsp org.apache.jasper.servlet.JspServlet fork false xpoweredBy false 3 default / jsp *.jsp *.jspx KKAuthorizationFilter com.kodekonveyor.realm.KKAuthorizationFilter KKAuthorizationFilter /* REQUEST 30 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
On 07.10.2019 23:24, Magosányi Árpád wrote: On 10/7/19 8:20 PM, André Warnier (tomcat) wrote: Forgot the atribute 'tomcatAuthentication="false"' in the Connector ? Yes, I did, however adding it back did not improve the situation. Ok. I just mentioned that, because it is one piece of the puzzle, and you might have forgotten it. What this piece really does is : - IF the front-end Apache httpd authenticates the HTTP request which it later passes on to tomcat - IF the protocol used between Apache httpd and tomcat is AJP - IF the AJP Connector in tomcat has the attribute set as above - THEN tomcat will retrieve the user-id of the httpd-authenticated user, and save it internally as the tomcat-authenticated user-id for this request So now you have the two last IF's answered positively. What about the first IF ? Info : in the default format of the Apache httpd access log, it will show the authenticated user (if any) for each request, for example like this : 127.0.0.1 - THEUSER [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch... (where "THEUSER" is the httpd-authenticated user) while if the request is not authenticated by httpd, it will show a "-" instead of the user-id, like this : 127.0.0.1 - - [07/Oct/2019:21:18:20 +0200] "GET /starwebtt-internal/esearch... (and, of course, if httpd has not authenticated the request which it later passes on to tomcat via AJP, then it cannot pass a user-id to tomcat, and thus tomcat cannot retrieve this user-id, and thus the request, at the tomcat level, is not authenticated). Next comes the question of how the tomcat application retrieves this user-id, from tomcat itself. I suppose that this would be a question for the developers of the "com.kodekonveyor.realm.KKAuthorizationFilter" filter mentioned in your configuration below. (if the KKAuthorizationFilter does not use request.getRemoteuser(), but uses some other method, then you are out of luck for this front-end/back-end combination)(or you may need to do something additional at the front-end httpd level). My server.xml now: and my web.xml until mime mappings: http://xmlns.jcp.org/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"; version="4.0"> default org.apache.catalina.servlets.DefaultServlet debug 0 listings false 1 jsp org.apache.jasper.servlet.JspServlet fork false xpoweredBy false 3 default / jsp *.jsp *.jspx KKAuthorizationFilter com.kodekonveyor.realm.KKAuthorizationFilter KKAuthorizationFilter /* REQUEST 30 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
On 10/7/19 8:20 PM, André Warnier (tomcat) wrote: > > Forgot the atribute 'tomcatAuthentication="false"' in the Connector ? > Yes, I did, however adding it back did not improve the situation. My server.xml now: and my web.xml until mime mappings: http://xmlns.jcp.org/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"; version="4.0"> default org.apache.catalina.servlets.DefaultServlet debug 0 listings false 1 jsp org.apache.jasper.servlet.JspServlet fork false xpoweredBy false 3 default / jsp *.jsp *.jspx KKAuthorizationFilter com.kodekonveyor.realm.KKAuthorizationFilter KKAuthorizationFilter /* REQUEST 30 > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Acessing static content - Tomcat 7 vs. Tomcat9
Hi. see at end. On 07.10.2019 16:26, Martin Knoblauch wrote: On Mon, Oct 7, 2019 at 3:31 PM Konstantin Kolinko wrote: пн, 7 окт. 2019 г. в 15:44, Martin Knoblauch : Hi Konstantin, On Mon, Oct 7, 2019 at 2:36 PM Konstantin Kolinko < knst.koli...@gmail.com> wrote: 2. For Tomcat to issue a redirect, the "docs" directory must be present in your web application. It can be empty, but it must be present. (If there is none, Tomcat does not know that the requested resource is a directory). OK. The "docs" directory is actually a symbolic link to a directory elsewhere. Symbolic links by default are not allowed inside a web application. The option to allow them differs between Tomcat 7 and 8.0, due to a different underlying implementation of Web Application resources. http://tomcat.apache.org/migration-8.html#Web_application_resources (As a reminders: symbolic links must never be enabled on a case-insensitive filesystem such as used by Windows, as it disables the necessary security checks.) http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html Best regards, Konstantin Kolinko OK, this is interesting. We still had the TC7 style "allowLiniking" in the Context tag. Now moved to Resources. I also added the two mapper directives to Context: .. .. .. What I now get is weird in another way. But maybe it gives a hint: [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "POST /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux
Re: user and certificate info is not passed to tomcat
On 07.10.2019 17:36, Magosányi Árpád wrote: Magosányi, How are you getting the attributes from the request? This is the filter code: String user = httpRequest.getRemoteUser(); Object cert = httpRequest.getAttribute("javax.servlet.request.X509Certificate"); this.context.log("user:"+user); This won't show any username unless the user has logged-in using HTTP Basic/Digest authentication. Are you using those? I am using openid right now in the apache side, but also tested with basic auth to make sure that it is not an interaction with mod_openidc. The user information does not get passed along either in the remoteUser attribute or anywhere, in either of those cases, in spite that the documentation states that the authenticated user name should be retrievable using httpRequest.getRemoteUser(), and the CGI clearly shows that we indeed have a REMOTE_USER in the apache side. To get the certificate chain, I think you also need this in your httpd configuration: JkOptions +ForwardSSLCertChain I have added this now, though as I understand this is only needed if I want to get the full chain. Unfortunately this did not improve the situation in any way. Forgot the atribute 'tomcatAuthentication="false"' in the Connector ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Acessing static content - Tomcat 7 vs. Tomcat9
On Mon, Oct 7, 2019 at 5:10 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Martin, > > On 10/7/19 07:22, Martin Knoblauch wrote: > > The mod_jk configuration basically looks like: > > > > LoadModule jk_module modules/mod_jk.so > > > > JkWorkersFile "conf/cb2/workers.properties" JkShmFile > > "logs/jk-runtime-status" JkLogFile "logs/mod_jk.log" JkLogLevel > > info JkWatchdogInterval 60 > > So, you only configure mod_jk if it's NOT available? You have a "!" in > your which looks like it's going to never ever work. > > For a second you worried me. As far as I understand the documentation the section above means that I configure mod_jk if it is not yet loaded. And years of operations indicate my understanding is right :-) Cheers Martin -- -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de
Re: user and certificate info is not passed to tomcat
> Magosányi, > > >> How are you getting the attributes from the request? > > > This is the filter code: > > > > String user = httpRequest.getRemoteUser(); Object cert = > > httpRequest.getAttribute("javax.servlet.request.X509Certificate"); > > this.context.log("user:"+user); > > This won't show any username unless the user has logged-in using HTTP > Basic/Digest authentication. Are you using those? I am using openid right now in the apache side, but also tested with basic auth to make sure that it is not an interaction with mod_openidc. The user information does not get passed along either in the remoteUser attribute or anywhere, in either of those cases, in spite that the documentation states that the authenticated user name should be retrievable using httpRequest.getRemoteUser(), and the CGI clearly shows that we indeed have a REMOTE_USER in the apache side. > > To get the certificate chain, I think you also need this in your httpd > configuration: > > JkOptions +ForwardSSLCertChain > I have added this now, though as I understand this is only needed if I want to get the full chain. Unfortunately this did not improve the situation in any way. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Magosányi, On 10/7/19 11:16, Magosányi Árpád wrote: >> Magosányi, >> >> On 10/7/19 10:37, Magosányi Árpád wrote: >>> I intend to use the user and certificate info in a Filter. >> >>> I think I have configured everything to do that, but the >>> information does not get passed along. Based on various >>> documentations and howtos, SSLVerifyClient require, SSLOptions >>> +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On >>> should be enough to pass certificate data, and Require >>> valid-user should be enough to pass the authenticated >>> username. >> >>> I see the following debug output (also contains the various >>> info logged by the filter), which clearly lacks the information >>> needed. >> How are you getting the attributes from the request? > > This is the filter code: > > > String user = httpRequest.getRemoteUser(); Object cert = > httpRequest.getAttribute("javax.servlet.request.X509Certificate"); > this.context.log("user:"+user); This won't show any username unless the user has logged-in using HTTP Basic/Digest authentication. Are you using those? To get the certificate chain, I think you also need this in your httpd configuration: JkOptions +ForwardSSLCertChain >> Is the CGI being executed by Tomcat or is it being executed by >> httpd? > > Executed by Apache httpd. Okay. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bWSkACgkQHPApP6U8 pFgkdQ/+O3c3y8QZaBSyQk0do9nCyVl1os/GBGnBTmPYio7C3L/DHQ78LaERjJwl DHvElopUxA5T7Jcbrg8mAN41lv3oLkoZqBv1htXxL/6JliRGG5DkH8ZCXbIBIH36 a2kVIJ2B4fbPryZ0kjZ+dmiHfJUYRr41NNZ0Ejrs93VEsV4+A8JZna74z4Wh0nRN AwctTF/PTZuPrgEAVx7s9zxGFAasHWv5h3UIHXUmHKCmFQxY8bP8GUWXyAZ0pdtg PiDJf3xAZeG2joB7n2M44VohGyFhG0i+x4fKYn212n8zq7bs++TbWiknrUAUQqMS LFc6qXw85CxeKoJva4Q1F228HmtXJXLYw/6esjQHWdKqChU2IPUutrTFwxeb2hlf ZBWHby77FyDQtErakxyVlv9Qi4bwmPeH4bR86ovarxhFYQ7bEcEyEAxdsY6HPnpj we/pvHXWhb1Rs6MAthZyXzyhmGHu4nZyHbedQnsgX9hBAXerSqs0u8AQaAkmQLtd dYDNQZ2jL5scN8jB951BMTlgskpxuWGyxG6xbBPM6/YdGTN9Qfgem7TRPzhDImO8 C53AheJwAK/RQGAoNaXIHK66p1bTR33IH3ycvmzsDhBxdtQcCRSpABL6Xm8LGxzS PU2zKywcD5dqKu9Btd1+PECVy1MIPUkvl++Qv9TwTdqxwGoas3s= =PCeu -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
[POLL] Who is using CGIServlet, and why?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 All, I'm interested in what the community is doing with the CGIServlet, if anything. Please do NOT reply if you don't use the CGIServlet. Please DO reply if you fit into any of these categories: 1. Using Tomcat as a primary web server without reverse proxy (e.g. httpd/nginx/etc), and using CGIServlet to run e.g. Perl, PHP, Python... really any common scripting language on the back-end. 2. Using Tomcat for mostly Java code, but you use the heck out of something very specific (e.g. ImageMagick) via CGI 3. Using Tomcat with mostly Java code, except you've got that one script that was written back in 1997 by the guy who never talks and nobody knows how it works, only that your business depends upon it, so the CGIServlet lets you continue to do that. If you can fit yourself into one of the buckets above, please do so. If you can't, please provide a short explanation of why you (a) still need the CGIServlet and (b) don't fit into one of the above buckets. Basically, I'm trying to limit the discussion to what people actually NEED and avoid devolving into endless group-discussions of why some company operates the way that it does. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bWA8ACgkQHPApP6U8 pFhaaQ//bUQnlJXM+thuLM3kyGPHLurmOis5mZ5DnvL+G4ij/TNxI5ECcLjtEQmi kRCGij0xiWiG8Iz9I3s87PN9FBiADXbythjPKP7A5GkaC7/sg+O2eH55ut8Y4/A6 0ju+tAvm4adhMFYvl2sA71TPeXfUR/aamgP57W/KGM4jXcP7pN4Qz4giC/zUcwkD SpActx3PSWc9hFLskxnq50H0Mq0LNYij5iWsuUjSwCCNeKL5XlTvLrb4JIRH7efk hdeeDFnpZ/kaEZrlTVwRptGJj4cUV+bccke4T4xdEgZOM7F8Ujx90B2HotnDcWZW OvoDBOMB2+TzWnWTDrU9b/u0MAb8tervPiHL9QcMeIvZCJX5h8hFP81i8yyBViD+ vTyfnwPP0CvQ8bIYNPTE4MVd5mirTJbDICnADmxbQvKFACZU0ZsAYZgzyGcUjhg3 vzYoXn4/DMZKdcwy25cjoHan8GdYOVXGChioppUqA8Kiek/VV6xJ+omm8oV7TvLd PDE9OZ9xbrSGtA/Yg7s9L+4prOTIkZppiYg9HXyV2R6IeaWtLqnHJ8EXoB7h3hNA GRqXFLeeqXECeleUgCdrTxDSex0Yq5GIXJozRW5LiNmU37rfQxIF34NFDFX8/UvM IIxJhRjy25lsk4wvMuYY5XvPZEttI+wLCBQrtnBHxTXkICou0Pw= =hzhH -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
> Magosányi, > > On 10/7/19 10:37, Magosányi Árpád wrote: > > I intend to use the user and certificate info in a Filter. > > > I think I have configured everything to do that, but the > > information does not get passed along. Based on various > > documentations and howtos, SSLVerifyClient require, SSLOptions > > +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On > > should be enough to pass certificate data, and Require valid-user > > should be enough to pass the authenticated username. > > > I see the following debug output (also contains the various info > > logged by the filter), which clearly lacks the information needed. > How are you getting the attributes from the request? This is the filter code: package com.kodekonveyor.realm; import java.io.IOException; import java.util.Collections; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; public class KKAuthorizationFilter implements Filter { private ServletContext context; @Override public void init(FilterConfig fConfig) throws ServletException { this.context = fConfig.getServletContext(); this.context.log("KKAuthorizationFilter initialized"); } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; String user = httpRequest.getRemoteUser(); String authType = httpRequest.getAuthType(); for ( String attributeName: Collections.list(httpRequest.getAttributeNames())) { this.context.log("attr "+attributeName+"="+httpRequest.getAttribute(attributeName)); } for ( String name: Collections.list(httpRequest.getParameterNames())) { this.context.log("param "+name+"="+httpRequest.getParameterValues(name)); } for ( String headerName: Collections.list(httpRequest.getHeaderNames())) { for (String value: Collections.list(httpRequest.getHeaders(headerName))) this.context.log("header "+headerName+":"+value); } HttpSession session = httpRequest.getSession(); this.context.log("session:"+session); if(null != session) for (String sessionAttName: Collections.list(session.getAttributeNames())) { this.context.log("session attribute "+sessionAttName+":"+session.getAttribute(sessionAttName)); } for ( String attributeName: Collections.list(context.getAttributeNames())) { this.context.log("context attr "+attributeName+"="+context.getAttribute(attributeName)); } Object cert = httpRequest.getAttribute("javax.servlet.request.X509Certificate"); this.context.log("user:"+user); this.context.log("cert:"+cert); this.context.log("authType:"+authType); this.context.log("getContextPath:"+httpRequest.getContextPath()); this.context.log("getProtocol:"+httpRequest.getProtocol()); this.context.log("getRemoteHost:"+httpRequest.getRemoteHost()); this.context.log("getServerInfo:"+context.getServerInfo()); this.context.log("getServletContextName:"+context.getServletContextName()); this.context.log("getRemoteHost:"+httpRequest.getRequestURI()); chain.doFilter(request, response); } } > > > I have a cgi in the cgi-bin directory, which prints out the > > environment, and I see both REMOTE_USER and all relevant > > certificate related information there. > Is the CGI being executed by Tomcat or is it being executed by httpd? Executed by Apache httpd. As you can see in the logs, mod_jk does not pass any of that information through to tomcat, which is exactly my problem. For reference, here is the code of the CGI (not my code, copied from the internet): #!/usr/bin/perl print "Content-type: text/html\n\n"; print "\n"; foreach $key (sort keys(%ENV)) { print "$key = $ENV{$key}"; } print "\n"; and relevant parts of the output: REMOTE_USER = github|756...@kode-konveyor.eu.auth0.com/ SSL_CLIENT_S_DN = emailAddress=m...@kodekonveyor.com,CN=mag > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
Re: Acessing static content - Tomcat 7 vs. Tomcat9
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 10/7/19 07:22, Martin Knoblauch wrote: > The mod_jk configuration basically looks like: > > LoadModule jk_module modules/mod_jk.so > > JkWorkersFile "conf/cb2/workers.properties" JkShmFile > "logs/jk-runtime-status" JkLogFile "logs/mod_jk.log" JkLogLevel > info JkWatchdogInterval 60 So, you only configure mod_jk if it's NOT available? You have a "!" in your which looks like it's going to never ever work. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bVVIACgkQHPApP6U8 pFgbxg//TrWenaqfME8ekEnucExZXaKTcF8w2PhWVOhtrc1sUiDemmjudBjJUth/ LJ61XdgTDd5hOYVUOfHukwIgkEwD92RvD+NXRuSppubzRS9u5vPMjwnLbqL4d6/8 0yksGLeol3Ub4mwvNW7LRSfjev3FrpiVa9YpWrr+HgHHt5dVYOlIRQy3Ur8W9JIV j11HSX8S4rqlsPCeyB4CLFBtuMdTCSto1MbhmhxWofJZpekz6MzzFebWDiYPS5h9 JGP51Gu8yo4pIwg0EVC/nP/ANilB+TsRN870Ds0wppSY/bcttNt+mBlFEeahwndi xHrdxcx08ep7iKWLJrCU2GkxWuWaJS6vMjUE3LztR5r/L6bvisYpe8itCWTlPXNO mtewywyyS4ne9UeviaMn0tyIfa7kFQQcUI0dL2xV1Fl1g9GyYFdUeOKTR3NqoHeq 3KK9XRLd7OCF25NJ71ITLZwV7nUka7VtIP11iJD6K+aOj92F90pwdF9CLlfPaAwW HZlbZ8DuIClzEVNiPO9p9aHQTWu6QeMB+iM7l/DwbVHQmLlEWOMgvXN6jc781t6M 2NGjxYAG5w2p/QtS0czCKGdPeMY0dKtfj8KeGjwzgCSuw4aDUjXIBxN31PJ5E0wd 7xWeEsp7/ykkggjPSXweSOrXohY/UkglInU7OGAQoJlAn+kUOe0= =x9Jm -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user and certificate info is not passed to tomcat
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Magosányi, On 10/7/19 10:37, Magosányi Árpád wrote: > I intend to use the user and certificate info in a Filter. > > I think I have configured everything to do that, but the > information does not get passed along. Based on various > documentations and howtos, SSLVerifyClient require, SSLOptions > +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On > should be enough to pass certificate data, and Require valid-user > should be enough to pass the authenticated username. > > I see the following debug output (also contains the various info > logged by the filter), which clearly lacks the information needed. How are you getting the attributes from the request? > I have a cgi in the cgi-bin directory, which prints out the > environment, and I see both REMOTE_USER and all relevant > certificate related information there. Is the CGI being executed by Tomcat or is it being executed by httpd? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bVNYACgkQHPApP6U8 pFj/EBAAxOTOVnx/BoxXCtzkCTk4VH5WUrGi1iwwJODJ6h8d4jEz6Jm241gdNA4Q m6+x1vFHxjnvgdmVxo7RxrIjx0StLECRGk/dNbiRTKbx6uA4PpR+4DWB1X9HJ+pE NIkURRM33h/ywcwLEw0I3ar2qGJQuXPBktaYxyjdRQUgZHzKRdcZP9wLRCIkRskN qMkLGia7v4lIpmBN4EVTISJmFzFRwmgkxruFh8XG/1vecFbxuKr8N8U3fuW8ATnf 9zHWXbrjrqzWDBZGkNgFRNql0s6TS08CWivO6yeSk4BaiIqVvAuozrQzgKXPvDrS MeYa8X6G1L7XPxTKM563dFza6ohoaWDNZ7ylFYuGGlB3CYCZDPns22sXedfYWjrg FHbRuz+qdh5/+aWOtRKOniBT5HctOU14LTNBehX6TBwHimicLQ+nLd0wR1YMbO4Q W8C7XglralnGRzissW9/u+qAanXGW2jEILlLiubgTxNYWvSg4AJ5Dy4xeiUuYva/ WHGBWxTLoGc3gPYOKXbpk9m3d4kRejEiNrHtaYux3zOnjpjvSBjEalavhyN57J28 Wvs7JfCgOlzbEQXj6xaBUpoOxdZiiK3+jSByETXWd8n445xab59uC7RRcjD2g3L7 bVFlrQnxo4dUbM2Wf2+2Wrgm80+5wxgB/+YsfTXoHIZmLTX/tBY= =ejIn -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
user and certificate info is not passed to tomcat
I intend to use the user and certificate info in a Filter. I think I have configured everything to do that, but the information does not get passed along. Based on various documentations and howtos, SSLVerifyClient require, SSLOptions +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On should be enough to pass certificate data, and Require valid-user should be enough to pass the authenticated username. I see the following debug output (also contains the various info logged by the filter), which clearly lacks the information needed. I have a cgi in the cgi-bin directory, which prints out the environment, and I see both REMOTE_USER and all relevant certificate related information there. debug log: Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.554 2019] [7885:139750518257408] [debug] map_uri_to_worker_ext::jk_uri_worker_map.c (1185): Attempting to map URI '/servlet/servlet' from 1 maps Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (980): Attempting to map context URI '/servlet*=worker1' source 'JkMount' Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.555 2019] [7885:139750518257408] [debug] find_match::jk_uri_worker_map.c (993): Found a wildchar match '/servlet*=worker1' Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] jk_handler::mod_jk.c (2823): Into handler jakarta-servlet worker=worker1 r->proxyreq=0 Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.556 2019] [7885:139750518257408] [debug] wc_get_worker_for_name::jk_worker.c (120): found a worker worker1 Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] wc_get_name_for_type::jk_worker.c (304): Found worker type 'ajp13' Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.557 2019] [7885:139750518257408] [debug] init_ws_service::mod_jk.c (1196): Service protocol=HTTP/1.1 method=GET ssl=true host=(null) addr=94.62.142.229 name=repository.kodekonveyor.com port=443 auth=(null) user=(null) laddr=217.61.105.99 raddr=94.62.142.229 uaddr=94.62.142.229 uri=/servlet/servlet Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.558 2019] [7885:139750518257408] [debug] ajp_get_endpoint::jk_ajp_common.c (3356): (worker1) acquired connection pool slot=0 after 0 retries Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_marshal_into_msgb::jk_ajp_common.c (684): (worker1) ajp marshaling done Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.559 2019] [7885:139750518257408] [debug] ajp_service::jk_ajp_common.c (2591): processing worker1 with 2 retries Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.560 2019] [7885:139750518257408] [debug] ajp_send_request::jk_ajp_common.c (1722): (worker1) no usable connection found, will create a new one. Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (675): socket TCP_NODELAY set to On Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.561 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (799): trying to connect socket 24 to ::1:8009 Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.565 2019] [7885:139750518257408] [debug] jk_open_socket::jk_connect.c (825): socket 24 [:::51520 -> ::a00:c940:0:0:8009] connected Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): sending to ajp13 pos=4 len=620 max=8192 Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.566 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 12 34 02 68 02 02 00 08 48 54 54 50 2F 31 2E 31 - .4.hHTTP/1.1 Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 001000 00 10 2F 73 65 72 76 6C 65 74 2F 73 65 72 76 - .../servlet/serv Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 00206C 65 74 00 00 0D 39 34 2E 36 32 2E 31 34 32 2E - let...94.62.142. Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 003032 32 39 00 FF FF 00 1B 72 65 70 6F 73 69 74 6F - 229.reposito Oct 5 19:46:13 s_src@repo apache-jk[7881]: [Sat Oct 05 19:46:13.567 2019] [7885:139750518257408] [debug] ajp_connection_tcp_send_message::jk_ajp_common.c (1267): 004072 79 2E 6B 6F 64 65 6B 6F 6E 76 65 79 6F 72 2E - ry.kodekonvey
Re: Acessing static content - Tomcat 7 vs. Tomcat9
On Mon, Oct 7, 2019 at 3:31 PM Konstantin Kolinko wrote: > пн, 7 окт. 2019 г. в 15:44, Martin Knoblauch : > > > > Hi Konstantin, > > > > On Mon, Oct 7, 2019 at 2:36 PM Konstantin Kolinko < > knst.koli...@gmail.com> > > wrote: > > > > > > 2. For Tomcat to issue a redirect, the "docs" directory must be > > > present in your web application. It can be empty, but it must be > > > present. (If there is none, Tomcat does not know that the requested > > > resource is a directory). > > > > > > > > OK. The "docs" directory is actually a symbolic link to a directory > > elsewhere. > > Symbolic links by default are not allowed inside a web application. > The option to allow them differs between Tomcat 7 and 8.0, due to a > different underlying implementation of Web Application resources. > > http://tomcat.apache.org/migration-8.html#Web_application_resources > > (As a reminders: symbolic links must never be enabled on a > case-insensitive filesystem such as used by Windows, as it disables > the necessary security checks.) > > http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html > > Best regards, > Konstantin Kolinko > > OK, this is interesting. We still had the TC7 style "allowLiniking" in the Context tag. Now moved to Resources. I also added the two mapper directives to Context: . . . What I now get is weird in another way. But maybe it gives a hint: [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "POST /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:10 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" [07/Oct/2019:16:10:11 +0200] [0 ms] #160.46.219.110# - "GET /cb2/docs HTTP/1.1" s:302 l:219 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 #"Mozil
Re: Acessing static content - Tomcat 7 vs. Tomcat9
On Mon, Oct 7, 2019 at 2:37 PM André Warnier (tomcat) wrote: > On 07.10.2019 13:45, Mark Thomas wrote: > > On 07/10/2019 12:22, Martin Knoblauch wrote: > >> Dear fellow Tomcat users, > >> > >> recently we migrated our application from Tomcat7 to Tomcat9. Most > things > >> work great so far, but we observed on issue. Basically serving static > pages > >> has stopped for us. > >> > >> Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 > using > >> mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that > >> version. > >> > >> The mod_jk configuration basically looks like: > >> > >> > >>LoadModule jk_module modules/mod_jk.so > >> > >>JkWorkersFile "conf/cb2/workers.properties" > >>JkShmFile "logs/jk-runtime-status" > >>JkLogFile "logs/mod_jk.log" > >>JkLogLevel info > >>JkWatchdogInterval 60 > >> > >> > >> And then later inside a virtual host: > >> > >> # > >> # CB2 - Portal > >> # > >> # Mount the "/cb2" application to worker "cb2" > >> # > >> JkMount /cb2/* cb2 > >> # > >> # Unmount "/cb2/docs" from worker "cb2" to allow static content > >> # beeing served by apache. Same for "/cb2/cgi-bin" > >> # > >> JkUnMount /cb2/docs/* cb2 > >> > >> So we JkUnMount the "/cb2/docs" directory from the application base in > >> order to server the content directly from Apache. "docs" itself is a > >> symbolic link pointing outside the application base. > >> > >> With TC7, we observe the following in the apache access_log: > >> > >> [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs > >> HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > >> [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ > >> HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > >> > >> So the POST from the application is redirected to the static content, > which > >> is served OK. > >> > >> With TC9 we see: > >> > >> [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs > HTTP/1.1" > >> s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > > > Where and how is the redirect generated? > > > >> As said, the major difference between the setups is TC7 vs. TC9. Any > ideas > >> for me to follow? I did not find anything in the migration 7->8 or 8->9 > >> guides. > > > > I can't think of anything and a review of the migration guides doesn't > > bring anything to mind. I'd be looking more at configuration differences > > between the old and new systems at this point. > > > > Mark > > > > The URLs appear different : > > - the first case shows a URL of "/cb2/docs" (with some kind of redirect > from POST to a > GET). According to the mod_jk configuration, this is NOT being proxied to > Tomcat. Assuming > thus that the httpd DOCUMENT_ROOT is set to (e.g.) /var/www/docs, it would > mean that the > file being served is some directory list (or index document) located below > /var/www/docs/cb2/docs/ (on the httpd host). > > Dear Andre, unfortunately this was cut/paste foul-up on my side :-( Martin > - the second example shows a URL of "/docs", which according to the mod_jk > configuration > above is also NOT being proxied to Tomcat; thus Apache httpd attempts to > serve it locally. > But that URL does not match any Apache-httpd-local file (because > /var/www/docs/docs does > not exist), and thus results in a 404 status "not found". > > To verify this is quite simple : > In the URL bar of a browser, enter the URL "http://yourservername/cb2/docs"; > directly, > replacing "yourservername" alernatively with the one for tomcat 7 and the > one for tomcat9. > The result should be the same, because this URL is not being proxied to > Tomcat, and is > served locally by httpd. > > (On the other hand, the URL "/docs" should give "404 not found" in both > cases too) > > What I suspect is : > > The above URL "/cb2/docs" is not being entered in the browser URL bar. > Instead, the link > to that URL occurs in a html page previously returned by Tomcat, and the > user just clicks > on the link. > Then maybe it is that previous page returned by Tomcat, that is different > between Tomcat 7 > and Tomcat 9. > (That could be consistent with "the major difference between the setups is > TC7 vs. TC9."). > > Further speculation under incomplete information (I love this) : could it > be that under > Tomcat 7, your application is deployed under ../webapps/cb2, while under > tomcat 9, you > have relocated it to ../webapps/ROOT ? > > Nope. Application is at ".../webapps/cb2" Thanks Martin -- -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de
Re: Acessing static content - Tomcat 7 vs. Tomcat9
пн, 7 окт. 2019 г. в 15:44, Martin Knoblauch : > > Hi Konstantin, > > On Mon, Oct 7, 2019 at 2:36 PM Konstantin Kolinko > wrote: > > > 2. For Tomcat to issue a redirect, the "docs" directory must be > > present in your web application. It can be empty, but it must be > > present. (If there is none, Tomcat does not know that the requested > > resource is a directory). > > > > > OK. The "docs" directory is actually a symbolic link to a directory > elsewhere. Symbolic links by default are not allowed inside a web application. The option to allow them differs between Tomcat 7 and 8.0, due to a different underlying implementation of Web Application resources. http://tomcat.apache.org/migration-8.html#Web_application_resources (As a reminders: symbolic links must never be enabled on a case-insensitive filesystem such as used by Windows, as it disables the necessary security checks.) http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Acessing static content - Tomcat 7 vs. Tomcat9
Hi Konstantin, On Mon, Oct 7, 2019 at 2:36 PM Konstantin Kolinko wrote: > пн, 7 окт. 2019 г. в 14:23, Martin Knoblauch : > > > > Dear fellow Tomcat users, > > > > recently we migrated our application from Tomcat7 to Tomcat9. Most > things > > work great so far, but we observed on issue. Basically serving static > pages > > has stopped for us. > > > > Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using > > mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that > > version. > > > > The mod_jk configuration basically looks like: > > > > > > LoadModule jk_module modules/mod_jk.so > > > > JkWorkersFile "conf/cb2/workers.properties" > > JkShmFile "logs/jk-runtime-status" > > JkLogFile "logs/mod_jk.log" > > JkLogLevel info > > JkWatchdogInterval 60 > > > > > > And then later inside a virtual host: > > > > # > > # CB2 - Portal > > # > > # Mount the "/cb2" application to worker "cb2" > > # > > JkMount /cb2/* cb2 > > # > > # Unmount "/cb2/docs" from worker "cb2" to allow static content > > # beeing served by apache. Same for "/cb2/cgi-bin" > > # > > JkUnMount /cb2/docs/* cb2 > > > > So we JkUnMount the "/cb2/docs" directory from the application base in > > order to server the content directly from Apache. "docs" itself is a > > symbolic link pointing outside the application base. > > > > With TC7, we observe the following in the apache access_log: > > > > [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs > > HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ > > HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > > > So the POST from the application is redirected to the static content, > which > > is served OK. > > A web server will happily server a static content in response to a > POST request. The redirect happens because you are requesting a > directory and your request URI does not end with a '/'. > > OK. Thanks for the explanation. > With TC9 we see: > > > > [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs > HTTP/1.1" > > s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > > > As said, the major difference between the setups is TC7 vs. TC9. Any > ideas > > for me to follow? I did not find anything in the migration 7->8 or 8->9 > > guides. > > 1. In your access log here I see "GET /docs" instead of "/cb2/docs". > Is it intentional? > > No, just to many windows to cut and past from. And not enough caffeine... 2. For Tomcat to issue a redirect, the "docs" directory must be > present in your web application. It can be empty, but it must be > present. (If there is none, Tomcat does not know that the requested > resource is a directory). > > OK. The "docs" directory is actually a symbolic link to a directory elsewhere. 3. Starting with some version (January 2016) the default place where > the redirect is issued by Tomcat was moved from Mapper (in earlier > stages of request processing) to the DefaultServlet. This behaviour is > controlled by configuration attributes on a Context (in the file > META-INF/context.xml of your web application). See CVE-2015-5345 > > http://tomcat.apache.org/security-9.html > > Sounds interesting. Need to look at it. Thanks Martin > Best regards, > Konstantin Kolinko > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Acessing static content - Tomcat 7 vs. Tomcat9
On 07.10.2019 13:45, Mark Thomas wrote: On 07/10/2019 12:22, Martin Knoblauch wrote: Dear fellow Tomcat users, recently we migrated our application from Tomcat7 to Tomcat9. Most things work great so far, but we observed on issue. Basically serving static pages has stopped for us. Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that version. The mod_jk configuration basically looks like: LoadModule jk_module modules/mod_jk.so JkWorkersFile "conf/cb2/workers.properties" JkShmFile "logs/jk-runtime-status" JkLogFile "logs/mod_jk.log" JkLogLevel info JkWatchdogInterval 60 And then later inside a virtual host: # # CB2 - Portal # # Mount the "/cb2" application to worker "cb2" # JkMount /cb2/* cb2 # # Unmount "/cb2/docs" from worker "cb2" to allow static content # beeing served by apache. Same for "/cb2/cgi-bin" # JkUnMount /cb2/docs/* cb2 So we JkUnMount the "/cb2/docs" directory from the application base in order to server the content directly from Apache. "docs" itself is a symbolic link pointing outside the application base. With TC7, we observe the following in the apache access_log: [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 So the POST from the application is redirected to the static content, which is served OK. With TC9 we see: [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs HTTP/1.1" s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 Where and how is the redirect generated? As said, the major difference between the setups is TC7 vs. TC9. Any ideas for me to follow? I did not find anything in the migration 7->8 or 8->9 guides. I can't think of anything and a review of the migration guides doesn't bring anything to mind. I'd be looking more at configuration differences between the old and new systems at this point. Mark The URLs appear different : - the first case shows a URL of "/cb2/docs" (with some kind of redirect from POST to a GET). According to the mod_jk configuration, this is NOT being proxied to Tomcat. Assuming thus that the httpd DOCUMENT_ROOT is set to (e.g.) /var/www/docs, it would mean that the file being served is some directory list (or index document) located below /var/www/docs/cb2/docs/ (on the httpd host). - the second example shows a URL of "/docs", which according to the mod_jk configuration above is also NOT being proxied to Tomcat; thus Apache httpd attempts to serve it locally. But that URL does not match any Apache-httpd-local file (because /var/www/docs/docs does not exist), and thus results in a 404 status "not found". To verify this is quite simple : In the URL bar of a browser, enter the URL "http://yourservername/cb2/docs"; directly, replacing "yourservername" alernatively with the one for tomcat 7 and the one for tomcat9. The result should be the same, because this URL is not being proxied to Tomcat, and is served locally by httpd. (On the other hand, the URL "/docs" should give "404 not found" in both cases too) What I suspect is : The above URL "/cb2/docs" is not being entered in the browser URL bar. Instead, the link to that URL occurs in a html page previously returned by Tomcat, and the user just clicks on the link. Then maybe it is that previous page returned by Tomcat, that is different between Tomcat 7 and Tomcat 9. (That could be consistent with "the major difference between the setups is TC7 vs. TC9."). Further speculation under incomplete information (I love this) : could it be that under Tomcat 7, your application is deployed under ../webapps/cb2, while under tomcat 9, you have relocated it to ../webapps/ROOT ? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Acessing static content - Tomcat 7 vs. Tomcat9
пн, 7 окт. 2019 г. в 14:23, Martin Knoblauch : > > Dear fellow Tomcat users, > > recently we migrated our application from Tomcat7 to Tomcat9. Most things > work great so far, but we observed on issue. Basically serving static pages > has stopped for us. > > Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using > mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that > version. > > The mod_jk configuration basically looks like: > > > LoadModule jk_module modules/mod_jk.so > > JkWorkersFile "conf/cb2/workers.properties" > JkShmFile "logs/jk-runtime-status" > JkLogFile "logs/mod_jk.log" > JkLogLevel info > JkWatchdogInterval 60 > > > And then later inside a virtual host: > > # > # CB2 - Portal > # > # Mount the "/cb2" application to worker "cb2" > # > JkMount /cb2/* cb2 > # > # Unmount "/cb2/docs" from worker "cb2" to allow static content > # beeing served by apache. Same for "/cb2/cgi-bin" > # > JkUnMount /cb2/docs/* cb2 > > So we JkUnMount the "/cb2/docs" directory from the application base in > order to server the content directly from Apache. "docs" itself is a > symbolic link pointing outside the application base. > > With TC7, we observe the following in the apache access_log: > > [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs > HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ > HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > So the POST from the application is redirected to the static content, which > is served OK. A web server will happily server a static content in response to a POST request. The redirect happens because you are requesting a directory and your request URI does not end with a '/'. > With TC9 we see: > > [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs HTTP/1.1" > s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > As said, the major difference between the setups is TC7 vs. TC9. Any ideas > for me to follow? I did not find anything in the migration 7->8 or 8->9 > guides. 1. In your access log here I see "GET /docs" instead of "/cb2/docs". Is it intentional? 2. For Tomcat to issue a redirect, the "docs" directory must be present in your web application. It can be empty, but it must be present. (If there is none, Tomcat does not know that the requested resource is a directory). 3. Starting with some version (January 2016) the default place where the redirect is issued by Tomcat was moved from Mapper (in earlier stages of request processing) to the DefaultServlet. This behaviour is controlled by configuration attributes on a Context (in the file META-INF/context.xml of your web application). See CVE-2015-5345 http://tomcat.apache.org/security-9.html Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Acessing static content - Tomcat 7 vs. Tomcat9
On 07/10/2019 12:22, Martin Knoblauch wrote: > Dear fellow Tomcat users, > > recently we migrated our application from Tomcat7 to Tomcat9. Most things > work great so far, but we observed on issue. Basically serving static pages > has stopped for us. > > Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using > mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that > version. > > The mod_jk configuration basically looks like: > > > LoadModule jk_module modules/mod_jk.so > > JkWorkersFile "conf/cb2/workers.properties" > JkShmFile "logs/jk-runtime-status" > JkLogFile "logs/mod_jk.log" > JkLogLevel info > JkWatchdogInterval 60 > > > And then later inside a virtual host: > > # > # CB2 - Portal > # > # Mount the "/cb2" application to worker "cb2" > # > JkMount /cb2/* cb2 > # > # Unmount "/cb2/docs" from worker "cb2" to allow static content > # beeing served by apache. Same for "/cb2/cgi-bin" > # > JkUnMount /cb2/docs/* cb2 > > So we JkUnMount the "/cb2/docs" directory from the application base in > order to server the content directly from Apache. "docs" itself is a > symbolic link pointing outside the application base. > > With TC7, we observe the following in the apache access_log: > > [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs > HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ > HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 > > So the POST from the application is redirected to the static content, which > is served OK. > > With TC9 we see: > > [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs HTTP/1.1" > s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 Where and how is the redirect generated? > As said, the major difference between the setups is TC7 vs. TC9. Any ideas > for me to follow? I did not find anything in the migration 7->8 or 8->9 > guides. I can't think of anything and a review of the migration guides doesn't bring anything to mind. I'd be looking more at configuration differences between the old and new systems at this point. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Acessing static content - Tomcat 7 vs. Tomcat9
Dear fellow Tomcat users, recently we migrated our application from Tomcat7 to Tomcat9. Most things work great so far, but we observed on issue. Basically serving static pages has stopped for us. Our setup is Tomcat (7.0.62 or 9.0.12) behind Apache HTTPD (2.4.41 using mod_jk 1.2.46). Yes, 9.0.12 is not recent, but we are forced to that version. The mod_jk configuration basically looks like: LoadModule jk_module modules/mod_jk.so JkWorkersFile "conf/cb2/workers.properties" JkShmFile "logs/jk-runtime-status" JkLogFile "logs/mod_jk.log" JkLogLevel info JkWatchdogInterval 60 And then later inside a virtual host: # # CB2 - Portal # # Mount the "/cb2" application to worker "cb2" # JkMount /cb2/* cb2 # # Unmount "/cb2/docs" from worker "cb2" to allow static content # beeing served by apache. Same for "/cb2/cgi-bin" # JkUnMount /cb2/docs/* cb2 So we JkUnMount the "/cb2/docs" directory from the application base in order to server the content directly from Apache. "docs" itself is a symbolic link pointing outside the application base. With TC7, we observe the following in the apache access_log: [07/Oct/2019:12:30:47 +0200] [2 ms] 160.46.219.110 - "POST /cb2/docs HTTP/1.1" s:302 l:- S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 [07/Oct/2019:12:30:47 +0200] [20 ms] 160.46.219.110 - "GET /cb2/docs/ HTTP/1.1" s:200 l:6367 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 So the POST from the application is redirected to the static content, which is served OK. With TC9 we see: [05/Oct/2019:02:58:13 +0200] [0 ms] #160.46.219.110# - "GET /docs HTTP/1.1" s:404 l:196 S:TLSv1.2 C:ECDHE-RSA-AES256-GCM-SHA384 As said, the major difference between the setups is TC7 vs. TC9. Any ideas for me to follow? I did not find anything in the migration 7->8 or 8->9 guides. Kind regards Martin -- -- Martin Knoblauch email: k n o b i AT knobisoft DOT de www: http://www.knobisoft.de
Re: Tomcat 8 epoll spinning issue (100% CPU)
On Mon, Oct 7, 2019 at 11:15 AM Emmanuel Lecharny wrote: > > > On 2019/10/05 11:12:46, Rémy Maucherat wrote: > > On Fri, Oct 4, 2019 at 10:38 PM Emmanuel Lecharny > > wrote: > > > > > Hi remy, > > > > > > On 2019/10/04 15:37:36, Rémy Maucherat wrote: > > > > On Fri, Oct 4, 2019 at 3:40 PM Emmanuel Lecharny < > elecha...@apache.org> > > > > wrote: > > > > > > > > > Hi ! > > > > > > > > > > I filled a ticket yesterday about a pb we face with many NIO > framework, > > > > > which I think could hit Tomcat too (see > > > > > https://bz.apache.org/bugzilla/show_bug.cgi?id=63802). Actually, I > > > think > > > > > I'm facing this problem on a project I'm working on atm. > > > > > > > > > > Remy suggested we discuss it on this mailing list. > > > > > > > > > > Bottom line, what happens is that under some circumstances not well > > > > > defined, the call to select() might end to an infinite loop eating > all > > > the > > > > > CPU (select() returns 0, so select is immediately called again, > and we > > > > > loop). > > > > > > > > > > In various NIO framworks - and being a MINA committer, I have > > > implemented > > > > > the discussed workaround -, we are controlling this situation by > > > breaking > > > > > this infinite loop this way : > > > > > - if the select() call returns 0 > > > > > - then if we have called select() more than N times in less than M > ms > > > > > (N=10, M=100 in MINA) > > > > > - then we create a new Selector, register all the selectionKey that > > > were > > > > > registered on the broken selector, and ditch the old selector. > > > > > > > > > > This workaround does not cost a lot when the selector works as > > > designed, > > > > > as a select() call should never return 0. > > > > > > > > > > > > > There's actually a very similar hack for APR that has been placed by > > > myself > > > > a long time ago [ > > > > > > > > https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/AprEndpoint.java#L1410 > > > > ], I don't even know if it's actually useful and it's certainly not > > > > testable. Overall what it does is pretty terrible :( > > > > > > > > Personally I would like to know more about this "long lived bug > either in > > > > the JDK or even in Linux epoll implementation" like actual platform > > > details > > > > and JVM versions used since I've never heard about it in the first > place. > > > > > > for the record, I had a discussion yesterday with one of my close > friend > > > and co-worker back in the 90's. He remember clearly, while working on > the > > > SUN TCP stack, that such a problem occorded back then. Yes, 25 years > > > ago... Ok, that was just for the fun, it's likely be perfectly > unrelated ;-) > > > > > > At MINA, we were hit by this bug in 2009 (see > > > https://issues.apache.org/jira/browse/DIRMINA-678), and it was linked > to > > > a bug reported on Jetty ( > > > > http://jetty.4.x6.nabble.com/jira-Created-JETTY-937-SelectChannelConnector-100-CPU-usage-on-Linux-td36385.html > ), > > > itself related to some JDK bugs, supposedly fixed since then. > > > > > > I had a long conversation with Jean-François Arcand somewhere around > this > > > date, and he suggested we adopt the same workaround he applied to > Grizzly. > > > We also had a convo with Alan Bateman during a Java One in SF, but > nothing > > > specific resulted from this convo, except that AFAICR, he aknowledge > there > > > is an issue. > > > > > > So this problem started with JDK 6, but I can't guarantee it wasn't > > > already present in JDK 5 or 4, on linux, and not on any other OS like > > > windows or Mac OSX. It's not exactly fresh in my mind, because it was > > > already 10 years ago. > > > > > > > NIO support was added in Tomcat 6.0, supporting Java 5+, it wasn't very > > good then. It's only with Java 6 that NIO started getting epoll support > ant > > I'm pretty sure the original issue did not actually survive. Despite the > > popularity of the NIO connector this was not reported for Tomcat, if we > got > > the report at the same time as the others it would be more logical so > > something is different here. > > https://github.com/netty/netty/issues/327 has details but I'm still not > > very convinced. You should give details on your platform and everything > > else since it's obvious at this point this is far less common with > Tomcat. > > There is not much I can tell about this issue, beside what I already said. > I can just stress out that for a few users of MINA, this was a real burden, > and the very same for Netty, Grizzly and Jetty. I would be *very* surprised > that those four different projects, all based on NIO, are facing such an > issue, but that Tomcat is immune to it. > One person on the Netty issue I linked reported it on Tomcat, that's the only one I could fine so it's far less common. It could still be useful to give info on the platform (was Java 11 and a recent Linux like RHEL8/Fedora tested ?) and use pattern. If the issue still happens, I think
Re: Tomcat 8 epoll spinning issue (100% CPU)
On 2019/10/05 11:12:46, Rémy Maucherat wrote: > On Fri, Oct 4, 2019 at 10:38 PM Emmanuel Lecharny > wrote: > > > Hi remy, > > > > On 2019/10/04 15:37:36, Rémy Maucherat wrote: > > > On Fri, Oct 4, 2019 at 3:40 PM Emmanuel Lecharny > > > wrote: > > > > > > > Hi ! > > > > > > > > I filled a ticket yesterday about a pb we face with many NIO framework, > > > > which I think could hit Tomcat too (see > > > > https://bz.apache.org/bugzilla/show_bug.cgi?id=63802). Actually, I > > think > > > > I'm facing this problem on a project I'm working on atm. > > > > > > > > Remy suggested we discuss it on this mailing list. > > > > > > > > Bottom line, what happens is that under some circumstances not well > > > > defined, the call to select() might end to an infinite loop eating all > > the > > > > CPU (select() returns 0, so select is immediately called again, and we > > > > loop). > > > > > > > > In various NIO framworks - and being a MINA committer, I have > > implemented > > > > the discussed workaround -, we are controlling this situation by > > breaking > > > > this infinite loop this way : > > > > - if the select() call returns 0 > > > > - then if we have called select() more than N times in less than M ms > > > > (N=10, M=100 in MINA) > > > > - then we create a new Selector, register all the selectionKey that > > were > > > > registered on the broken selector, and ditch the old selector. > > > > > > > > This workaround does not cost a lot when the selector works as > > designed, > > > > as a select() call should never return 0. > > > > > > > > > > There's actually a very similar hack for APR that has been placed by > > myself > > > a long time ago [ > > > > > https://github.com/apache/tomcat/blob/master/java/org/apache/tomcat/util/net/AprEndpoint.java#L1410 > > > ], I don't even know if it's actually useful and it's certainly not > > > testable. Overall what it does is pretty terrible :( > > > > > > Personally I would like to know more about this "long lived bug either in > > > the JDK or even in Linux epoll implementation" like actual platform > > details > > > and JVM versions used since I've never heard about it in the first place. > > > > for the record, I had a discussion yesterday with one of my close friend > > and co-worker back in the 90's. He remember clearly, while working on the > > SUN TCP stack, that such a problem occorded back then. Yes, 25 years > > ago... Ok, that was just for the fun, it's likely be perfectly unrelated ;-) > > > > At MINA, we were hit by this bug in 2009 (see > > https://issues.apache.org/jira/browse/DIRMINA-678), and it was linked to > > a bug reported on Jetty ( > > http://jetty.4.x6.nabble.com/jira-Created-JETTY-937-SelectChannelConnector-100-CPU-usage-on-Linux-td36385.html), > > itself related to some JDK bugs, supposedly fixed since then. > > > > I had a long conversation with Jean-François Arcand somewhere around this > > date, and he suggested we adopt the same workaround he applied to Grizzly. > > We also had a convo with Alan Bateman during a Java One in SF, but nothing > > specific resulted from this convo, except that AFAICR, he aknowledge there > > is an issue. > > > > So this problem started with JDK 6, but I can't guarantee it wasn't > > already present in JDK 5 or 4, on linux, and not on any other OS like > > windows or Mac OSX. It's not exactly fresh in my mind, because it was > > already 10 years ago. > > > > NIO support was added in Tomcat 6.0, supporting Java 5+, it wasn't very > good then. It's only with Java 6 that NIO started getting epoll support ant > I'm pretty sure the original issue did not actually survive. Despite the > popularity of the NIO connector this was not reported for Tomcat, if we got > the report at the same time as the others it would be more logical so > something is different here. > https://github.com/netty/netty/issues/327 has details but I'm still not > very convinced. You should give details on your platform and everything > else since it's obvious at this point this is far less common with Tomcat. There is not much I can tell about this issue, beside what I already said. I can just stress out that for a few users of MINA, this was a real burden, and the very same for Netty, Grizzly and Jetty. I would be *very* surprised that those four different projects, all based on NIO, are facing such an issue, but that Tomcat is immune to it. > You should try the NIO2 connector first. I'll do that right away. if it fixes the 100% CPU usage I see from time to time, then I would consider the issue resolved (there is no mean to workaround something in the NIO code if NIO2 solves it...) Thanks ! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: user self registration/account creation
On 06/10/2019 20:31, Alex O'Ree wrote: > i have a password protected web app and would like to provide users with > the ability to self register for a new account. looks like the easiest way > to do this with tomcat is with a jdbc realm to protect the web app and > anonymous access to the self registration app. > > a few questions on this. > > is there a pre made app that could be used for the user account creation > app? i'll probably need something for admins to revoke accounts, disable > accounts, edit role memberships etc. ugh, and then there is user password > resets and complexity requirements... some kind of captcha thing to prevent > bots. i also need to track and report to the user when a password expires, > last login ip address and user agent field. quite a bit of stuff to write. > if there is something available that is asf license compatible, i'd love to > hear about it. CAS: https://www.apereo.org/projects/cas I think CAS does everything you asked for. Spring Security is the other option that comes to mind but my understanding is that you'd need to build some of the management UIs yourself. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org