RE: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
Can someone please help me to find out the root cause for below issue. Thanks and Regards, Rajendra Rathore 9922701491 -Original Message- From: Rathore, Rajendra Sent: Tuesday, January 7, 2020 4:16 PM To: Tomcat Users List Subject: RE: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API Hi Remy, Thanks for the reply, As you mention below points "There's a problem only if things are blocked improperly, for example if the client is correctly reading the data and/or there's no network backlog. Also the timeout configured on the connector must be respected by the operation." 1. how can we check the network backlog or data read/write not working properly, if any tool pls let us know 2. how can we set connector timeout. Thanks and Regards, Rajendra Rathore 9922701491 -Original Message- From: Rémy Maucherat Sent: Tuesday, January 7, 2020 4:11 PM To: Tomcat Users List Subject: Re: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API External email from: users-return-269207-rarathore=ptc@tomcat.apache.org On Tue, Jan 7, 2020 at 6:33 AM Rathore, Rajendra wrote: > Hi Rémy/ Christopher, > > It will stuck there for 10-15 minutes, so it will take time to load > simple Web UI, there is no WebSocket call. I am giving you one of the > sample where it will take 90% time in write operation, sometime it will reach > to 100%. > > > || > > O-org.apache.coyote.ajp.AjpProcessor.writeData(AjpProcessor.java:1331) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.write(SocketWrapperBase > .java:385) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.writeBlocking(SocketWra > pperBase.java:462) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.doWrite(SocketWrapperBa > se.java:726) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.doWrite(NioE > ndpoint.java:1316) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.jav > a:157) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSele > ctor.java:114) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitWriteLa > tch(NioEndpoint.java:1160) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitLatch(NioEndpoint.java:1157) > count=1667(%92.766) > || > | > O-java.util.concurrent.CountDownLatch.await(CountDownLatch.java:277) > count=1667(%92.766) > > It's a normal blocking write, and the await does not consume CPU (it sits there however and a profiler will count that but it doesn't matter). There's a problem only if things are blocked improperly, for example if the client is correctly reading the data and/or there's no network backlog. Also the timeout configured on the connector must be respected by the operation. Rémy
Re: [OT] Re: Maven Warning. Ubuntu Users
>A version of what? MAVEN MAVEN MAVEN In light of this video https://youtu.be/idViw4anA6E Of http. You and your let's encrypt must be the longest troll on this line. Take your wares and peddle them somewhere else carpet beggar. On Wed, 8 Jan 2020, 01:12 Christopher Schultz, wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Zahid, > > On 1/6/20 3:13 PM, Zahid Rahman wrote: > > That must be the reason why Apache Netbeans is using a version from > > 2015 > > A version of what? > > > and Apache Struts is recommending to use jdk 8. > Apache Struts 2.5.x supports Java 7 and later. I see no official > documentation recommending a specific Java version over any others. > > > Because there is somebody like you keeps telling people it is off > > topic and Giant IT companies are not releasing jdk further than JDK > > 8. > > Maybe just not for free. > > https://www.oracle.com/technetwork/java/javase/downloads/jdk13-downloads > - -5672538.html > https://www.azul.com/category/java13/ > > Admittedly, Oracle's JDK/JRE is based upon > https://openjdk.java.net/projects/jdk/13/ so maybe that doesn't count > as a separate release. > > But no, IBM doesn't appear to have a new version beyond Java 11. > > > The issue is a miserable and disgraceful failure in coordination by > > Apache Foundation. > > So you found a problem with a package provided by Ubuntu/Debian, and > your solution was to install the official Maven package from the > Apache Software Foundation. And your conclusion is that the ASF is the > miserable and disgraceful party, here? > > I'm so confused. > > It's worth pointing-out that there is no enforced coordination between > ASF projects. Some of them work together in almost lock-step, like APR > and httpd. Others are completely de-coupled. Some ignore each other > (e.g. Apache Maven and Apache Tomcat). It's up to the individual > projects to determine if/how they will work together. > > You may wish to read a little more about the ASF before you make > blanket statements about it. > https://community.apache.org/projectIndependence.html > > If you are dissatisfied with the ASF communities (or maybe just a few > in particular), may I suggest that you take one of these two courses > of action: > > 1. Volunteer to improve the situation. Usually in the form of > patches/PRs to that project. > > 2. Take your complaints elsewhere. > > - -chris > > > On Mon, 6 Jan 2020, 19:45 Mark Thomas, wrote: > > > >> On 06/01/2020 18:37, Zahid Rahman wrote: > >>> To all ubuntu Maven users. > >> > >> This is off-topic for this mailing list. > >> > >> Please keep posts on this list on topic. > >> > >> Thanks, > >> > >> Mark > >> > >> > >>> > >>> Do NOT install maven using sudo apt install maven > >>> > >>> Install by direct download only from > >>> https://maven.apache.org/download.cgi > >>> > >>> BECAUSE: > >>> > >>> "I seem to remember they [ubuntu] have their own build of Maven > >>> which differs from the Apache source. > >>> > >>> ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 > >>> suggests it's a known bug in their packaging/build? ) > >>> > >>> If you download Maven from http://maven.apache.org/download.cgi > >>> and > >> follow > >>> the instructions in http://maven.apache.org/install.html then > >>> you > >> shouldn't > >>> see those warnings. " ‐--- > >>> > >>> The Java 11 warning mentions that > >>> "/usr/share/maven/lib/guice.jar" has a class named > >>> "com.google.inject.internal.cglib.core.$ReflectUtils$1" > >>> > >>> This looks suspect because the official Maven distribution uses > >>> the "no-AOP" version of Guice which doesn't contain any CGLIB > >>> classes. It suggests that whoever provided that copy of Maven > >>> has replaced the > >> "no-AOP" > >>> version with the "AOP" version, and this will cause warnings on > >>> Java 11. (The "AOP" version uses CGLIB which currently relies > >>> on certain > >> reflective > >>> access that Java 11 warns about - whereas the "no-AOP" version > >>> doesn't.) > >>> > >> > >> > >> - > >> > >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > >> > > > -BEGIN PGP SIGNATURE- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VLGgACgkQHPApP6U8 > pFjmuw//cXWmOfcRCt/2FqHwWZwuB23fIXrzEdOJ3RPdJEfwDUxtVcz/rXGI9TB6 > ae64Vr1+8Znh8xX+wGvoScITo3L/qUPWDkWf5W3rAhhQNWCqsvJvCM4Sw7YE4ytE > pv9gT9seDOx+wiGq+FQ5gdy1T7adgTwgYAVLCeuG/bvk4niz9vtYxXBXdfeTIb5e > fjYY7sRzyhC9TQy8wq35JGXtlabxgXOPYqtlSRaZGX4m3wiLjOCyN5O+zXtmYfFk > pnQ9exU5fez4RHgMt2ys9WFXYH8ZHVqIEkCwaFMrufOKGI+P6PVhtuj3c1mnHa0H > RjSXHnd+hnUhwO3TWN7ClDH50KOHJCoT6kfXPh/RYxBC6yoY71DsFtP+l27xkVaV > xh5nGkMcbBBLEpifhGBFd2tmjpRCMZqDU2433ROJJx7bqpNrLuAzRYcb8DISclSE > ylqWL+s46ws251dp9RNBXJ1IYCI4fSxw/jiQUtjk7JCM1d8K6EyXK3NYC8IMLl9P > Vw9OJdOhPvWHYISe
Re: Dates on Linux vs. Windows - Resolved
First of all, a big thank you to everyone who responded to this one. I doubt I'd have figured it out for days without your guidance and help. And the winner is the JVM timezone. But the problem was NOT that the JVM wasn't set to US Central time. The problem was that it WAS set to US Central, apparently inherited from the Linux OS TZ. There was no parameter on the tomcat java command that set the timezone. So I added one and set it to America/Chicago. No change. But since it appeared we were already double-dipping and converting from GMT to central twice (i.e. subtracting an additional 6 hours), I figured ok tell the JVM to stay in GMT and not do any conversions. So now, the database returns Central time dates and times, but JVM no longer thinks it needs to convert again to 'more central'. This is about as convoluted and ugly as it gets. And I don't make any claims of thinking I can give a rational explanation for why it works this way. But it's on to fight a battle on another hill now. Just to summarize for anybody who comes along with a similar problem I original set the timezone of mySQL RDS instance to Central time when I created it months back (unchangable after it's set). I set my Linux timezone to Central as well in order to make my log files have entries with the correct timestamps. But as I described earlier, changing the OS timezone made the JVM also go to Central as well. But the JVM apparently assumed the database was in GMT so it subtracted 6 more hours off the already-central time from the db. I guess the real error was not initially leaving the MySQL RDS in GMT. But since that's not changeable without recreating a whole new RDS instance, the next option is what I did with the jvm. Makes total sense, right??? :-) Thanks again. Jerry - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
On 1/7/20 4:54 PM, Christopher Schultz wrote: I have further confused you, because TCP packets+connections also have state, and I misspoke. Think nothing of it: at my age, I'm easily confused. -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jerry, On 1/7/20 7:42 PM, Jerry Malcolm wrote: > Summarizing what I know now... when I use the command line on the > linux instance and do a mysql query, I get the correct date (i.e. > the date that I set, the date I wanted, the date that mySQL exports > to SQL file, and the date that appears in Windows tomcat). So this > pretty much rules out the problem being in the mySQL server. I > would think this also rules out the problem being in some timezone > setting in the base Linux system hosting tomcat since I get the > right date in the command line. That only leaves the JVM; JDBC > package, and MySQL connector. The JDBC package and the MySQL connector are the same thing. They will convert correctly from the server's time zone into the JVM's time zone. > MySQL RDS instance is set to US Central timezone. So it's going to > return dates in central time, right? Sort of? See my other reply for ... details. > It appears that jdbc and/or the connector is assuming the db is gmt > and knocking off another 6 hours. Is there some place in the > datasource to tell tomcat the timezone of the database so it knows > not to convert TZ when it doesn't need to? I can't find anything > like that in the datasource documentation. Your JVM is probably in GMT/UTC. The conversion is not the problem. It's just the output that is causing you pain. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VMeoACgkQHPApP6U8 pFjzWRAAlSOt1Yu3jGYUzM0zxfuaSNJ88Tu0QS2Ibt3AtuJEqwvU6LWmjS+B1DpR THxpP/RYEUbEoe9BMxm6aN4qT0DpmP5sWqbceqcOmLH1ACAGalvtX/mLh9auSXk/ +paOkUB6aZ6CNTXwth8O0c89KuKIdydw0jAcJesU32leuKzOsgPlY5Ey5QG/G6Gv YvqY61730vQ573fTzAFX84w10v+Q7+vTGxzS5RgtQcjCK6vH6jXPinzmkTOKSa3E 7gC2yHGJ0yQvRUVNYWqUS8yiBX5GmrO7bXPGxIT5jbfzdlCOUgciElLaoO1WmxTX 1tU6wX5zh3Mm3ACNN6+JRPJXUkJNO5bcfkvVRUkNoyyFyEFMHqg9edDQLMDA3IlU +KTzFLJqEsTvxiZ3t5T5b/POo8uNxleMO23AEzZZYVCTtl9pfPi9d/EtLsbwUhO2 USpLiKhEmiBe0EXFdnXJEBIkaMh7TllVZqeueTgfyMdWq42XIxb6xtfbZhRBjhYT i8tBwOXlTdI6NltW7RA9ucPcCh6esNYRwPcozXlwVBr8yJPNAWtL3y0OCO5/kGTw 73BPCiNcFmm5bR9Qh+2CRrjIzYaEmoLDEccsScfSrLIvne4mrKgyi7FkFbH7tlKk 0IPxvJrwNBjtHLPppZdnqDYaXAQX+j+mAcSbJVU9dFhjv3tBWzM= =3pbq -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
On 1/7/20 4:19 PM, Christopher Schultz wrote: You probably "spelled" something incorrectly. It might be a quoting/escaping issue. It might be a literal misspelling/typo. The JMXProxyServlet shouldn't NPE like that, though. I'll take a look and see if we can give you a better error message than that when it happens. Well given that (1) there's no production data at stake, (2) you don't know where this server is, (3) the test user will be removed permanently and replaced with something else once this problem is resolved, and (4) the test user will never be active if I'm not running actual tests, there's no reason to censor the curl call. curl -k -u test:test https://localhost:8443/manager/jmxproxy?invoke=Catalina%3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=reloadSslHostConfigs I tried it with or without quote marks around the URL; I tried it both with the user in a "-u" clause, as above, or with the user prefixing the domain. In all four cases, I get what appears to be the exact same stacktrace as before. I can't tell any difference, other than the user, and specifying a port, between that and the "hard-coded" curl call on slide 35 of the presentation. And if I leave out the port number, I get "connection refused." FYI, the relevant lines in tomcat-users.xml (with the actual admin user definition redacted) are: [line redacted] -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: Maven Warning. Ubuntu Users
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/6/20 3:13 PM, Zahid Rahman wrote: > That must be the reason why Apache Netbeans is using a version from > 2015 A version of what? > and Apache Struts is recommending to use jdk 8. Apache Struts 2.5.x supports Java 7 and later. I see no official documentation recommending a specific Java version over any others. > Because there is somebody like you keeps telling people it is off > topic and Giant IT companies are not releasing jdk further than JDK > 8. Maybe just not for free. https://www.oracle.com/technetwork/java/javase/downloads/jdk13-downloads - -5672538.html https://www.azul.com/category/java13/ Admittedly, Oracle's JDK/JRE is based upon https://openjdk.java.net/projects/jdk/13/ so maybe that doesn't count as a separate release. But no, IBM doesn't appear to have a new version beyond Java 11. > The issue is a miserable and disgraceful failure in coordination by > Apache Foundation. So you found a problem with a package provided by Ubuntu/Debian, and your solution was to install the official Maven package from the Apache Software Foundation. And your conclusion is that the ASF is the miserable and disgraceful party, here? I'm so confused. It's worth pointing-out that there is no enforced coordination between ASF projects. Some of them work together in almost lock-step, like APR and httpd. Others are completely de-coupled. Some ignore each other (e.g. Apache Maven and Apache Tomcat). It's up to the individual projects to determine if/how they will work together. You may wish to read a little more about the ASF before you make blanket statements about it. https://community.apache.org/projectIndependence.html If you are dissatisfied with the ASF communities (or maybe just a few in particular), may I suggest that you take one of these two courses of action: 1. Volunteer to improve the situation. Usually in the form of patches/PRs to that project. 2. Take your complaints elsewhere. - -chris > On Mon, 6 Jan 2020, 19:45 Mark Thomas, wrote: > >> On 06/01/2020 18:37, Zahid Rahman wrote: >>> To all ubuntu Maven users. >> >> This is off-topic for this mailing list. >> >> Please keep posts on this list on topic. >> >> Thanks, >> >> Mark >> >> >>> >>> Do NOT install maven using sudo apt install maven >>> >>> Install by direct download only from >>> https://maven.apache.org/download.cgi >>> >>> BECAUSE: >>> >>> "I seem to remember they [ubuntu] have their own build of Maven >>> which differs from the Apache source. >>> >>> ( https://bugs.launchpad.net/ubuntu/+source/maven/+bug/1754602 >>> suggests it's a known bug in their packaging/build? ) >>> >>> If you download Maven from http://maven.apache.org/download.cgi >>> and >> follow >>> the instructions in http://maven.apache.org/install.html then >>> you >> shouldn't >>> see those warnings. " ‐--- >>> >>> The Java 11 warning mentions that >>> "/usr/share/maven/lib/guice.jar" has a class named >>> "com.google.inject.internal.cglib.core.$ReflectUtils$1" >>> >>> This looks suspect because the official Maven distribution uses >>> the "no-AOP" version of Guice which doesn't contain any CGLIB >>> classes. It suggests that whoever provided that copy of Maven >>> has replaced the >> "no-AOP" >>> version with the "AOP" version, and this will cause warnings on >>> Java 11. (The "AOP" version uses CGLIB which currently relies >>> on certain >> reflective >>> access that Java 11 warns about - whereas the "no-AOP" version >>> doesn't.) >>> >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> > -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VLGgACgkQHPApP6U8 pFjmuw//cXWmOfcRCt/2FqHwWZwuB23fIXrzEdOJ3RPdJEfwDUxtVcz/rXGI9TB6 ae64Vr1+8Znh8xX+wGvoScITo3L/qUPWDkWf5W3rAhhQNWCqsvJvCM4Sw7YE4ytE pv9gT9seDOx+wiGq+FQ5gdy1T7adgTwgYAVLCeuG/bvk4niz9vtYxXBXdfeTIb5e fjYY7sRzyhC9TQy8wq35JGXtlabxgXOPYqtlSRaZGX4m3wiLjOCyN5O+zXtmYfFk pnQ9exU5fez4RHgMt2ys9WFXYH8ZHVqIEkCwaFMrufOKGI+P6PVhtuj3c1mnHa0H RjSXHnd+hnUhwO3TWN7ClDH50KOHJCoT6kfXPh/RYxBC6yoY71DsFtP+l27xkVaV xh5nGkMcbBBLEpifhGBFd2tmjpRCMZqDU2433ROJJx7bqpNrLuAzRYcb8DISclSE ylqWL+s46ws251dp9RNBXJ1IYCI4fSxw/jiQUtjk7JCM1d8K6EyXK3NYC8IMLl9P Vw9OJdOhPvWHYISeym19GKKzFSWE/Qa/N8/jbzMf46jJMvJbrPwTAn3+IkTbSUoB aK7gfzjkReAUDmE//28CvTVdeF0tfHwM5lTnsJVWqFq+YsWH1hT9H5l4twkBvvsD WoyAfdtd/6F0WOWrjbkvB+WfT1QQ2rDgOUrYCJxAk4dSGsm95Ro= =ltKd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
On 1/7/2020 1:13 PM, Jerry Malcolm wrote:
> On 1/7/2020 3:09 PM, Michael Osipov wrote:
>> Am 2020-01-07 um 21:58 schrieb Jerry Malcolm:
>>> This may be more of a Java question than Tomcat. But I'm not sure.
>>> I have the same code, talking to the same MySql Linux (AWS)
>>> database. I read a date column value in a Tomcat app. After calling
>>> resultSet.getDate(...) I printed the date instance and the getTime()
>>> value:
>>>
>>> On windows: 2019-02-01 154900080
>>>
>>> On linux: 2019-01-31 154897920
>>>
>>> Again this is the SAME line of code in java reading the SAME field in
>>> the SAME database. Only thing different is Linux/Windows OS. The
>>> date is supposed to be 2/1/2019 and shows that in phpMyAdmin.
>>>
>>> I've been running on Linux for a few months. But I don't have an
>>> extensive background in the specifics of Linux. I'm sure there must
>>> be something that is configured differently. I'm at a loss. But this
>>> is not a trivial problem. I do monthly billing. My dates need to be
>>> accurate.
>>
>> Have you verified that you aren't tricked by any timezone issues?
> Probably so. But how would I know? I was under the impression that
> java.sql.Date was timezone independent. Shouldn't it simply convert a
> month/day/year value to the number of milliseconds since the epoch? How
> would timezone issues affect that? And if I am 'tricked' how do I
> 'untrick'. What do I set/change?
According to the AWS documentation, there are two places that you have
to set manually in order to get the timezone changed universally.
1. /etc/sysconfig/clock
This you've already changed correctly.
2. /etc/localtime
According to the documentation, you'll need to link /etc/localtime to
the appropriate /usr/share/zoneinfo/America timezone file - most likely
Chicago.
sudo ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
Also, do you have chrony installed and running on your Linux instance?
This is an NTP replacement that the AWS documentation recommends, and
will sync your time with AWS time servers.
Once you do all of this, you'll have to reboot.
Here's a link to the documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
For what it's worth, the following quick and dirty code (note, no
packages, ma) prints out the correct timezone (Pacific Standard Time)
before I made the link and rebooted the machine.
Here's the code (no package, bad programming practice).
tz.java:
import java.util.TimeZone;
public class tz {
public static void main(String[] args) {
System.out.println(TimeZone.getDefault().getDisplayName());
}
}
$ javac tz.java
$ java -cp . tz
Pacific Standard Time
$
As an aside, on my CentOS 6 system, there are notes in the
/etc/sysconfig/clock file:
# The time zone of the system is defined by the contents of /etc/localtime.
# This file is only for evaluation by system-config-date, do not rely on its
# contents elsewhere.
So I suspect that part of your system thinks it's UTC and part CST/CDT?
. . . just my two cents.
/mde/
signature.asc
Description: OpenPGP digital signature
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/7/20 7:22 PM, James H. H. Lampert wrote: > On 1/7/20 4:17 PM, Christopher Schultz wrote: >> iptables doesn't work on pipes, it works on packets. So you have >> to redirect both incoming AND outgoing packets. That's why you >> have the "output redirect" as well as the (more obvious) "input >> redirect". > > Well, that just leaves me more puzzled than ever: why would our > webapp (and Manager, for that matter) "work just fine" even though > there's no sign of an output redirect in the iptables-save output > (which I posted in its entirety)? I have further confused you, because TCP packets+connections also have state, and I misspoke. For UDP, you'd need the output redirect. The TCP stack knows where the packets from a particular connection came from, so responses along the same connection will go back the way they came (this is NAT). I'm not sure under what circumstances you need an OUTPUT redirect. I seem to remember in my testing that I did indeed require the OUTPUT redirect for things to work properly, but I may be making that up. The slides mention that you "may need" those, and so I went ahead and put the commands into the slides to show how to do it, if necessary. Actually, it's not INPUT and OUTPUT, it's PREROUTING and POSTROUTING. But those are basically the same concept for NAT as INPUT/OUTPUT are for the "filter" tables. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VKC8ACgkQHPApP6U8 pFjqSRAAtKLif+WBswtmW8jOswhHn2SNRX2jUPm/RYOf7YqEFMYgeunA6GqewcT0 E2AVcBangWNGLuMWaaDhmFb5S4KcgW2c5HlbafBVtdggESkfjzozJnBw+sg6ShbZ SxRQ4Lty/WwczAwduHkOaG7pFIeQlTKLSA1wL5zCJ02hQllYa1CYGIxMRAbwqu/m 1oC0jgiJs1zGXQN7XlgZdTD6uyHuUEhSLzh0it8+QtWEoLtki+LcvRy+Bmv+nEtw ssqHpCX+TD4PnhcLpgFqWzy3DrUJYPUdV6dExnBujrFe2tzBAYtZfDy+Gshb6efo LtGdLwaHgd6BLA71wEUEGMr85o9Opeuu1l3niENP/WaOuELidre3+umAVWr5Ypdq zSGhO6clt6V9JCpXqM1EWh18hjDomKLb6Q1V9hpeTbBodmr8yFGo6D9pv9lddRyD ArXxmqvL3aUSWXb80zrsUuPYXTO+SIbIXJRSJGPVRWM7eCrO8o1VpeTcD1bsXnPz 3l32YDEd6hbWjwLMWKzWu4oIuoZlHiCgsx4Tm2T0KtdBRn2/kStTLIoXOF5s129Y ewZ0ygViiPqnTL1QD1jwnKG7EuAplx9ppKXCRM1MSbbB/+VSjdwDFvQCAnVykLhg IB0AniJsaYP6BnPIGHcihPU3mj7Qp9uGcm/3QeAIwX0ULf1iEKs= =tP73 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
>> If your systems always use the same time zone to read and write the data, it isn't a problem. Terrance, thanks for the info. In my case I do only have one timezone (or at least I want to...). Using the string for dates is a good idea. But this is a massive application that's been in production for years with tons of date and timestamp fields spread everywhere across the code and the db. So converting to strings is not a possibility now. It still comes down to the fact that the mysql command line on my linux box gets the date right, but it's converted incorrectly by JDBC and only on the linux box (and works on WIndows) When I first set up the box an installed Tomcat, the default Linux time was gmt. I didn't change the Linux time to central until later. Any chance that tomcat stored the timezone in effect when it was installed and still is using that even though I changed the linux timezone? (Just grasping at straws here). - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/7/20 4:19 PM, Zahid Rahman wrote: > If you wish to find out if the database connection API is buggy. > > Is the result when you use select query from each of the operating > system same. > > Select column_name from table; > > > If select on both return values are same then likely the database > API is buggy. You have choice of two database connection APIs. > > One API is tomcat specific. The other is vendor neutral. The API that matters is the JDBC API, and the driver you are using. Most people use Connector/J for both MySQL and MariaDB. It is a correct implementation and is reliable. - -chris > On Tue, 7 Jan 2020, 21:09 Michael Osipov, > wrote: > >> Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: >>> This may be more of a Java question than Tomcat. But I'm not >>> sure. I have the same code, talking to the same MySql Linux >>> (AWS) database. I read a date column value in a Tomcat app. >>> After calling resultSet.getDate(...) I printed the date >>> instance and the getTime() >> value: >>> >>> On windows: 2019-02-01 154900080 >>> >>> On linux: 2019-01-31 154897920 >>> >>> Again this is the SAME line of code in java reading the SAME >>> field in the SAME database. Only thing different is >>> Linux/Windows OS. The date is supposed to be 2/1/2019 and >>> shows that in phpMyAdmin. >>> >>> I've been running on Linux for a few months. But I don't have >>> an extensive background in the specifics of Linux. I'm sure >>> there must be something that is configured differently. I'm at >>> a loss. But this is not a trivial problem. I do monthly >>> billing. My dates need to be >> accurate. >> >> Have you verified that you aren't tricked by any timezone >> issues? >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VJwgACgkQHPApP6U8 pFj0whAAh5BtS70kaQq/G/CdHIttfjCnkkrSsEqudyKhMuzuSL+TX8OFYYpHEL8g sVsK7KWzoOCWKJa6v0St52vubU0yUh3xvgNv7VpkFkoEVL8+DuXeJrv+rKIcqI4m HxcMwZJIQQhLbTHX0pYDMWN88WaG5tdJIKjQBNXy17JSr4WMTThT4Oiei34QCD7O 9G+Cji2C6gf83AJTlMdihNEh71M/Xh2BUuz10m6CN+M2DN7UikUhU+u6St6AQp/f JTApL7cYS9d9weapGZiTHGwg6nyxj4morHRfT2BCMJq+tyK2u8X+Tim2cPzIyTdj YdtJOJQ3RtZRufS0DYlTVk5+1kHWI7l8KVBo2yo4QuRwoxesigODPNLAVsZBsFgc A1M2UyN4CKRAbTkVxoKq3ORVHXlDY6hPuCD8UATIzIfd/q0fdexue6Q8wMwOyQvp 6GuRc6WNCAXXaDdcUZzZFgteALiYG+GInLiisxP0THdb4vKQMn5XqV+PDFURAWmY SY9MZ7bUQcT/MXXxeEbF+Wj34dBDolwtkOcZ9FfCBgmXRyhUCKcYg/UAwMeg6qkN qGbtAGBRe4JzUqcKhJRLWu5Z6uoKhIcFdi8+cm3eM9cqZLcJIDAtxlbbVQDdUjZ1 X25QFzlgzMDu+b3reHus4TTWZ61GZ+ujzkgSAL0xrur5UvHpZLU= =ruIX -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Terence, On 1/7/20 7:33 PM, Terence M. Bandoian wrote: > On 1/7/2020 4:04 PM, Zahid Rahman wrote: >> Jerry Malcolm wrote : >> >>> Again this is the SAME line of code in java reading the >>> >SAME >> field in >>> the SAME database. Only thing different is >Linux/Windows OS >> >> >> >> On Tue, 7 Jan 2020, 21:52 , >> wrote: >> -Original Message- From: Jerry Malcolm Sent: Tuesday, January 07, 2020 3:14 PM To: users@tomcat.apache.org Subject: Re: Dates on Linux vs. Windows On 1/7/2020 3:09 PM, Michael Osipov wrote: > Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: >> This may be more of a Java question than Tomcat. But I'm >> not sure. I have the same code, talking to the same MySql >> Linux (AWS) database. I read a date column value in a >> Tomcat app. After calling resultSet.getDate(...) I >> printed the date instance and the getTime() value: >> >> On windows: 2019-02-01 154900080 >> >> On linux: 2019-01-31 154897920 >> >> Again this is the SAME line of code in java reading the >> SAME field in the SAME database. Only thing different is >> Linux/Windows OS. The date is supposed to be 2/1/2019 >> and shows that in phpMyAdmin. >> >> I've been running on Linux for a few months. But I don't >> have an extensive background in the specifics of Linux. >> I'm sure there must be something that is configured >> differently. I'm at a loss. But this is not a trivial >> problem. I do monthly billing. My dates need to be >> accurate. > Have you verified that you aren't tricked by any timezone > issues? Probably so. But how would I know? I was under the impression that java.sql.Date was timezone independent. Shouldn't it simply convert a month/day/year value to the number of milliseconds since the epoch? How would timezone issues affect that? And if I am 'tricked' how do I 'untrick'. What do I set/change? > >>> Those millisecond values are 6 hours apart, which looks like a >>> timezone issue. I happen to be in US Central time, which is 6 >>> hours earlier than UTC in winter. >>> >>> You're right that System.currentTimeMillis() itself is >>> independent of timezone but Date is not. > > As I understand it, for certain date/time column types, MySQL > subtracts the time zone from the value when written and adds it > back in when read. If your systems always use the same time zone > to read and write the data, it isn't a problem. But it can be if > the time zone varies. > > See https://dev.mysql.com/doc/refman/5.7/en/datetime.html Only for TIMESTAMP columns, which are fairly rarely used. Usually, you want a DATETIME field, which is a SQL standard. > The actual behavior is a little confusing, at least to me, because > I seem to remember variations in the storage of the date/time > columns while the documentation seems to indicate that date/time > values are not modified. Also, if I remember correctly, writing a > date/time value as a formatted string and then reading it back as a > string (e.g. ResultSet.getString) and parsing it circumvented the > time zone issue. I've never had the intestinal fortitude to change the time zone on a running MySQL server. So I'm not sure if it would shift every DATETIME value I've ever written to it. Yikes, I'm using local time. I hope I remember that for every server I ever migrate to. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VJrMACgkQHPApP6U8 pFgfyhAAu4jR5+hzu9oJJX9yN2rDeVw+3yGmHsiBF6eAZPUh7BLUkVV+kuhVxC+X pqWAvgStzyUAt/L7mdxNbNhyDSBMn5WJgjenQ70eLTqg+u3PYtkB/S+zxDgfwRbN x5WOzj/N1ypapdXCOZu7JnkmyL9tLQ1F+KfRIXPE9L6phlg4kDDvfvn9CGn+L/ir YkWtDk6YcNiWo4tguYj3lXNQ68CGBM2gkYKjWVtNKO1Keit8w/GgHbXnm9QmzEX8 jeXAL1LO4kUVEZayfaEmaLaSVfltR6ROB1Ubx4KNMG777wy9ln0odP1KSdWcmq+u Fu5kdsB25B+pxym0tPA21xIieGUp/4txCQn5WX66aLVS8CDgrWnl0uSP8iatZmPO wKL6i4qCEfPXYNTzB+CcLBuiK/8PXqcnp3YO2Xj2nqvh4pqqmkCUgJBM5umQVmhR 7iH3T1LjWhOPEBUx50Vz7+Dd7yj4Z6CZ/ubRYXTWXmUifu8hO2d1YehYj0ean+3r LaiTsmOHH9Tw1RDn+Wae4TCS+YEZZMLytSF2HnvXko87b/pU6eguapbO1ScBUepv KFhAUWUAzPtdvf2aZhveVscLCFGR1+Jl3Zv31qjSSriPuB3shRpWa2Q+g0/KPwrl zw3NiPsaIWL5hvxKdBllOKCMqoI7BwDlTkNocqb0QbHrYB5qcoA= =ETH9 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
Summarizing what I know now... when I use the command line on the linux instance and do a mysql query, I get the correct date (i.e. the date that I set, the date I wanted, the date that mySQL exports to SQL file, and the date that appears in Windows tomcat). So this pretty much rules out the problem being in the mySQL server. I would think this also rules out the problem being in some timezone setting in the base Linux system hosting tomcat since I get the right date in the command line. That only leaves the JVM; JDBC package, and MySQL connector. MySQL RDS instance is set to US Central timezone. So it's going to return dates in central time, right? It appears that jdbc and/or the connector is assuming the db is gmt and knocking off another 6 hours. Is there some place in the datasource to tell tomcat the timezone of the database so it knows not to convert TZ when it doesn't need to? I can't find anything like that in the datasource documentation. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jerry,
On 1/7/20 7:03 PM, Jerry Malcolm wrote:
>
> On 1/7/2020 5:31 PM, calder wrote:
>> On Tue, Jan 7, 2020, 17:17 Jerry Malcolm
>> wrote:
>>
On Tue, 7 Jan 2020, 21:52 ,
wrote:
>> '. What do I set/change?
> Those millisecond values are 6 hours apart, which looks
> like a timezone issue. I happen to be in US Central time,
> which is 6 hours earlier than UTC in winter.
>
> You're right that System.currentTimeMillis() itself is
> independent of timezone but Date is not.
>>> That all makes sense. But at the end of the day, what do I do
>>> to make it work right? I am also in Central time. My Linux OS
>>> is set to central (at least I tried to set that. Afterwards my
>>> log entries are correctly logging in central time instead of
>>> gmt. So I assume it's set right). What do I need to do in
>>> Tomcat to 'fix' it so that sql dates aren't somehow adjusted?
>>> I simply want a 2019-02-01 in the database to appear as
>>> 2019-02-01 in java. And the same code must work identically on
>>> both OS's.
>>>
>>
>> Have you checked the DST setting?
>
> I googled around trying to see how to check DST in Amazon Linux.
> the Date command gave me the correct date and timezone with no DST
> which is currently correct. I looked at the /etc/sysconfig/clock
> file. It has two lines:
>
> ZONE="CST6ST" UTC=true
>
> But DST is only one hour change. An earlier post said that my two
> different values of times were 6 hours off. Would DST be the cause
> of that?
Welcome to the wonderful world of civil date-reckoning.
First off: you have the correct date. You just aren't holding it
correctly[1].
Second, where are you showing this date? In a log somewhere? How are
you printing it?
If you are using java.sql.Date.toString(), then it should probably be
telling you the TZ. If you are using SimpleDateFormat then you need to
be aware that both java.util.Date (the surprising superclass of
java.sql.Date, which doesn't have a time portion!) and
SimpleDateFormat have their own TimeZone settings. And, for fun, there
is no SimpleDateFormat constructor which takes a TimeZone argument.
And, for more fun, java.util.Date doesn't have a TimeZone... it's got
a (primitive) long offset in milliseconds. And a DST offset. Which is
separate. Confused, yet?
So you pretty much always need to do this:
SimpleDateFormat df = new SimpleDateFormat("-MM-dd");
df.setTimeZone(TimeZone.getTimeZone("America/Chicago"));
Date d = ... // whatever
logger.trace("Got date: " + df.format(d));
If you aren't showing the time zone, you can always become confused.
For example, if your Date object has an offset in UTC and your
SimpleDateFormat is in US-CST, you can get different *days* depending
upon the time of day represented by the Date object.
It's a mess.
The only way to do it is to always always ALWAYS handle the time zone
properly.
If you are using java.sql.Date which should be -MM-dd *only*, then
you may have to truncate the time and/or adjust to e.g. UTC and maybe
even do both of those so that you never accidentally cross the
international date-line when interpreting your dates.
But the good news is that only the humans will be confused by these
dates. Generally speaking, the database and Java are doing things
correctly.
Unless you are accepting input.
Whenever you ask a user to enter a date (or, worse, a date-time), you
need to read their input *in their timezone*, since, well, that's how
they think. It's 19:38 local time for me, but for someone in London
it's 01:38 *tomorrow*. So if I ask them for the current datetime, they
will say 2020-01-08T01:38:00. If I don't interpret that as being in UK
Winter Time, then I might think that the timestamp represents
2020-01-08T01:38:00 CST. Or maybe whatever the default time zone is
for your EC2 instance. Or your JVM. Or for the user who actually
launched your JVM. This time.
So do yourself a favor and fix all your date-manipulation code so it's
always doing the right thing. It may take a while, but it will be Correc
t.
Everybody has to go through this at some point. Good luck.
Oh, and just so you don't feel like you bet on the wrong horse, this
isn't just a Java thing. It's the same with all languages. Java was
written in a quaint time when they thought that java.util.Date would
do everything necessary. Until java.util.Calendar came along. And then
Jodatime. And then java.time.*. If you look at most other languages,
there are similar progressions with vestigial leftovers that still
work, and are littered all over all the APIs.
- -chris
[1] https://knowyourmeme.com/memes/events/iphone-4-death-grip
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VJZ4ACgkQHPApP6U8
pFgnIQ//S3S/K34K80fQN4nhgzdFBlVEcko+tiDBD5GR2e3Tt0BJ36nF6v9D+p3o
Y37JRaMiU4T2SaMWXREs2rNID+UmZXsfB3Cfgvub+vFqGZiXeEUm2KMv8KS1NYER
goPZ0aSuRqKibI
Re: Dates on Linux vs. Windows
On 1/7/2020 4:04 PM, Zahid Rahman wrote: Jerry Malcolm wrote : >Again this is the SAME line of code in java reading the >SAME field in the SAME database. Only thing different is >Linux/Windows OS On Tue, 7 Jan 2020, 21:52 , wrote: -Original Message- From: Jerry Malcolm Sent: Tuesday, January 07, 2020 3:14 PM To: users@tomcat.apache.org Subject: Re: Dates on Linux vs. Windows On 1/7/2020 3:09 PM, Michael Osipov wrote: Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: This may be more of a Java question than Tomcat. But I'm not sure. I have the same code, talking to the same MySql Linux (AWS) database. I read a date column value in a Tomcat app. After calling resultSet.getDate(...) I printed the date instance and the getTime() value: On windows: 2019-02-01 154900080 On linux: 2019-01-31 154897920 Again this is the SAME line of code in java reading the SAME field in the SAME database. Only thing different is Linux/Windows OS. The date is supposed to be 2/1/2019 and shows that in phpMyAdmin. I've been running on Linux for a few months. But I don't have an extensive background in the specifics of Linux. I'm sure there must be something that is configured differently. I'm at a loss. But this is not a trivial problem. I do monthly billing. My dates need to be accurate. Have you verified that you aren't tricked by any timezone issues? Probably so. But how would I know? I was under the impression that java.sql.Date was timezone independent. Shouldn't it simply convert a month/day/year value to the number of milliseconds since the epoch? How would timezone issues affect that? And if I am 'tricked' how do I 'untrick'. What do I set/change? Those millisecond values are 6 hours apart, which looks like a timezone issue. I happen to be in US Central time, which is 6 hours earlier than UTC in winter. You're right that System.currentTimeMillis() itself is independent of timezone but Date is not. As I understand it, for certain date/time column types, MySQL subtracts the time zone from the value when written and adds it back in when read. If your systems always use the same time zone to read and write the data, it isn't a problem. But it can be if the time zone varies. See https://dev.mysql.com/doc/refman/5.7/en/datetime.html The actual behavior is a little confusing, at least to me, because I seem to remember variations in the storage of the date/time columns while the documentation seems to indicate that date/time values are not modified. Also, if I remember correctly, writing a date/time value as a formatted string and then reading it back as a string (e.g. ResultSet.getString) and parsing it circumvented the time zone issue. Hope that helps. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
On 1/7/20 4:17 PM, Christopher Schultz wrote: iptables doesn't work on pipes, it works on packets. So you have to redirect both incoming AND outgoing packets. That's why you have the "output redirect" as well as the (more obvious) "input redirect". Well, that just leaves me more puzzled than ever: why would our webapp (and Manager, for that matter) "work just fine" even though there's no sign of an output redirect in the iptables-save output (which I posted in its entirety)? -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/7/20 1:33 PM, James H. H. Lampert wrote: > This just gets weirder and weirder. > > I added manager-jmx to the admin account. I continued to get "401 > unauthorized." > > I then tried setting up another user, temporarily, with a > URL-friendly user-ID and password. If I just gave that user > "manager-gui," I got "403 access denied" instead, regardless of > whether I put the user-ID and password into the URL, or into a -u > clause. > > But then, when I tried adding "manager-jmx" to the temporary user, > I got a null pointer exception! > >> java.lang.NullPointerException at >> org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(J MXProxyServlet.java:264) >> >> >> at >> org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyS ervlet.java:207) >> >> >> at >> org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.jav a:116) >> >> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:231) >> >> >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:166) >> >> >> at >> org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52 ) >> >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:193) >> >> >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:166) >> >> >> at >> org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCh aracterEncodingFilter.java:109) >> >> >> at >> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:193) >> >> >> at >> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:166) >> >> >> at >> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV alve.java:199) >> >> >> at >> org.apache.catalina.core.StandardContextValve.invoke(StandardContextV alve.java:96) >> >> >> at >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica torBase.java:610) >> >> >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j ava:137) >> >> >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j ava:81) >> >> >> at >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAcce ssLogValve.java:660) >> >> >> at >> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal ve.java:87) >> >> >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav a:343) >> >> >> at >> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java :798) >> >> >> at >> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLig ht.java:66) >> >> >> at >> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(Abstract Protocol.java:808) >> >> >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpo int.java:1498) >> >> >> at >> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBas e.java:49) >> >> >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor. java:1149) >> >> >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor .java:624) >> >> >> at >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh read.java:61) >> >> >> at java.lang.Thread.run(Thread.java:748) > > What I have on this box is Tomcat 8.5.40, under JVM 1.8.0_201-b09 > > Anybody know what's wrong now? You probably "spelled" something incorrectly. It might be a quoting/escaping issue. It might be a literal misspelling/typo. The JMXProxyServlet shouldn't NPE like that, though. I'll take a look and see if we can give you a better error message than that when it happens. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VICUACgkQHPApP6U8 pFgpHRAAquY32hPePQt4UBarAvgr1WkryFCoHXO+thEvVtpOj6/S/GBS3L6+Hxlu muT90BbQsFy4fhGM7cmSSeC44GQB5FV0EXiMskDnlqohM0BwgiwGUEVaXW9L7UwA G4KrOCRzYdgzjpdEmS2k1s71bcarawKD2sA7EB/GFmIZjTDj1Lgs66hGNNXsyy4e vrWAYWpp3omSh40a5Z5+ROwOvyjI6hgft33UXFwZbbGQdTmpbx5Y8f9mTRnhh8R0 EMq1Olu9ONsbOi0SPHb4/8DHoBIT4cHgrBtV8mqX3MrSn91D55rVouZzmyOttgXO txdH4mku8z8rr/C7+A8NG/Uc2R3YfH4tzYvzum+DavhL6HQ3N+Ob4GcRWwzR/RXN D35zI4trxtELYpnwJ3nNnSms9J79CIO/jfODubsRlWmBQuKcDww4sWyHQGvMbMGZ JW1MjCywXdcuKe9DXynxkTjjbbJktQEsszBhaFptJBzg7iG1BJXQmgXG70npj1pc FZiqvyKF7fATkZLEeumYmeKzKAb3F2M8l8ZuInscaiBWwHskb6JNkKeZNzvMdiGn kZibenXy78dhaYaldXrTzea7DYHFUdzaEL/1vRh6tdYM8OMHQBF+YIa41A5ICrPY Tx5Oav1yO9QQpsgu+BYjxrrK536g6ezLc8d7HjXh6lmq5K+CFHc= =jukF -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/7/20 12:28 PM, James H. H. Lampert wrote: > On 1/7/20 7:32 AM, Christopher Schultz wrote: >> Hah, sorry about that. Nobody thought of specifying that only >> root can view the iptables stuff. :) > > Not your fault, nor that of anybody else here; I blame the author > of iptables and iptables-save: it should either (a) allow *anybody* > to *see* the information, or (b) *tell* the user that he/she is > not authorized to see it. > > While I occasionally use "quiet failure" myself, when writing code > to protect database fields from unauthorized modification, I > generally do so only when it actually makes sense, and the user can > actually *see* that his or her attempt to change the value(s) was > quietly ignored. > > *** > > But I'm still puzzled about the "output redirect" specified in the > presentation, but absent from this installation (and yet it still > works just fine). iptables doesn't work on pipes, it works on packets. So you have to redirect both incoming AND outgoing packets. That's why you have the "output redirect" as well as the (more obvious) "input redirect". > Does the "proxyPort" clause on the connector have something to do > with it "working just fine" without the "output redirect"? The proxyPort is just a configuration option which overrides the port that will be used when Tomcat is building URLs that point back to itself (e.g. Location: for redirects). If Tomcat is listening on port 8443, then, obviously, port 8443 should be used. But if there is a reverse-proxy in the way (or some other hand-wavy magic like iptables), then you want to use the port that the CLIENT needs to use to get back to you, regardless of the actual port being bound to by Tomcat. It's just like setting the virtual host hostname: you can't just take-over "microsoft.com" by setting your 's hostname to "microsoft.com". But if you don't do that, your users might be sent to "node-1-6-2-4-6-32-34.binhost.net" which isn't quite what you want. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4VH60ACgkQHPApP6U8 pFiW/g//VnCbgnHs/fbsxKANfdIwNGSZP37SEkfLMOzQxBK9eC6nb6LQeWHw5FQd 8yVFVP1LnbvM0ey+UDhWME7Chbm9iyLfpMO09BqAuzcJWopODk9JYQOn0YFJsiVh kcKeoUGLV1nw4I3qPdh0fjVRV6GDwSpt9XXZvwOZdIbqBUrS+rGuobBDJU5SaA8y SSVzTYKqoHryJAt7yNiPkulrqpS7rgmiLbm/RvDfF5VFnaYMfh3/Mz7kmBhcvDDC lkG2+Zs29g/mQ3YyCoKCKLfs0m7bS3WHlxv9qwsZkJzx0Rql2LJ1PSgPnO9vh4VH LecAk9/6rQGySVuDY4f8r265Gm/jDAn5z+WWT8mv6FsbZZckYbm4f+8DYhxzWjh0 jYJNJf0dOorjjUY7hIQKw9k+QQgBKdufKtfHpDK5u1MIYsC8pdrzyjN9LFl566ad ESEtlXjnFCzCr9wobi7YJAJLXc9rFsd/IoN988Oui69RIroqZWL6Jjxetj4fDr+8 RiJiTiSl8yWXZuSpkHrQuIrD4eLSpdoOWkrNJOOzDExuJbTpPpFABjapqSrWDEV/ BP0+xAKzeH4RMHLyUciVzw4czRe8DB/0mOBIxSv5z2LXKlef07McFzg8ACOsMCS2 oCG7vXqh7iZbNdB+AKhFs0+TIxJNcBe8bT75t0LF7xgcD0nyXf4= =67mG -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
On 1/7/2020 5:31 PM, calder wrote: On Tue, Jan 7, 2020, 17:17 Jerry Malcolm wrote: On Tue, 7 Jan 2020, 21:52 , wrote: '. What do I set/change? Those millisecond values are 6 hours apart, which looks like a timezone issue. I happen to be in US Central time, which is 6 hours earlier than UTC in winter. You're right that System.currentTimeMillis() itself is independent of timezone but Date is not. That all makes sense. But at the end of the day, what do I do to make it work right? I am also in Central time. My Linux OS is set to central (at least I tried to set that. Afterwards my log entries are correctly logging in central time instead of gmt. So I assume it's set right). What do I need to do in Tomcat to 'fix' it so that sql dates aren't somehow adjusted? I simply want a 2019-02-01 in the database to appear as 2019-02-01 in java. And the same code must work identically on both OS's. Have you checked the DST setting? I googled around trying to see how to check DST in Amazon Linux. the Date command gave me the correct date and timezone with no DST which is currently correct. I looked at the /etc/sysconfig/clock file. It has two lines: ZONE="CST6ST" UTC=true But DST is only one hour change. An earlier post said that my two different values of times were 6 hours off. Would DST be the cause of that? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
On Tue, Jan 7, 2020, 17:17 Jerry Malcolm wrote: > > > On Tue, 7 Jan 2020, 21:52 , wrote: > '. What do I set/change? > > >> Those millisecond values are 6 hours apart, which looks like a timezone > >> issue. I happen to be in US Central time, which is 6 hours earlier than > >> UTC in winter. > >> > >> You're right that System.currentTimeMillis() itself is independent of > >> timezone but Date is not. > > That all makes sense. But at the end of the day, what do I do to make > it work right? I am also in Central time. My Linux OS is set to > central (at least I tried to set that. Afterwards my log entries are > correctly logging in central time instead of gmt. So I assume it's set > right). What do I need to do in Tomcat to 'fix' it so that sql dates > aren't somehow adjusted? I simply want a 2019-02-01 in the database to > appear as 2019-02-01 in java. And the same code must work identically > on both OS's. > Have you checked the DST setting?
Re: Dates on Linux vs. Windows
On 1/7/2020 4:04 PM, Zahid Rahman wrote: Jerry Malcolm wrote : >Again this is the SAME line of code in java reading the >SAME field in the SAME database. Only thing different is >Linux/Windows OS On Tue, 7 Jan 2020, 21:52 , wrote: -Original Message- From: Jerry Malcolm Sent: Tuesday, January 07, 2020 3:14 PM To: users@tomcat.apache.org Subject: Re: Dates on Linux vs. Windows On 1/7/2020 3:09 PM, Michael Osipov wrote: Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: This may be more of a Java question than Tomcat. But I'm not sure. I have the same code, talking to the same MySql Linux (AWS) database. I read a date column value in a Tomcat app. After calling resultSet.getDate(...) I printed the date instance and the getTime() value: On windows: 2019-02-01 154900080 On linux: 2019-01-31 154897920 Again this is the SAME line of code in java reading the SAME field in the SAME database. Only thing different is Linux/Windows OS. The date is supposed to be 2/1/2019 and shows that in phpMyAdmin. I've been running on Linux for a few months. But I don't have an extensive background in the specifics of Linux. I'm sure there must be something that is configured differently. I'm at a loss. But this is not a trivial problem. I do monthly billing. My dates need to be accurate. Have you verified that you aren't tricked by any timezone issues? Probably so. But how would I know? I was under the impression that java.sql.Date was timezone independent. Shouldn't it simply convert a month/day/year value to the number of milliseconds since the epoch? How would timezone issues affect that? And if I am 'tricked' how do I 'untrick'. What do I set/change? Those millisecond values are 6 hours apart, which looks like a timezone issue. I happen to be in US Central time, which is 6 hours earlier than UTC in winter. You're right that System.currentTimeMillis() itself is independent of timezone but Date is not. That all makes sense. But at the end of the day, what do I do to make it work right? I am also in Central time. My Linux OS is set to central (at least I tried to set that. Afterwards my log entries are correctly logging in central time instead of gmt. So I assume it's set right). What do I need to do in Tomcat to 'fix' it so that sql dates aren't somehow adjusted? I simply want a 2019-02-01 in the database to appear as 2019-02-01 in java. And the same code must work identically on both OS's. Thanks - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
Jerry Malcolm wrote : >Again this is the SAME line of code in java reading the >SAME field in > the SAME database. Only thing different is >Linux/Windows OS On Tue, 7 Jan 2020, 21:52 , wrote: > > > -Original Message- > > From: Jerry Malcolm > > Sent: Tuesday, January 07, 2020 3:14 PM > > To: users@tomcat.apache.org > > Subject: Re: Dates on Linux vs. Windows > > > > On 1/7/2020 3:09 PM, Michael Osipov wrote: > > > Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: > > >> This may be more of a Java question than Tomcat. But I'm not sure. I > > >> have the same code, talking to the same MySql Linux (AWS) database. > > >> I read a date column value in a Tomcat app. After calling > > >> resultSet.getDate(...) I printed the date instance and the getTime() > > >> value: > > >> > > >> On windows: 2019-02-01 154900080 > > >> > > >> On linux: 2019-01-31 154897920 > > >> > > >> Again this is the SAME line of code in java reading the SAME field in > > >> the SAME database. Only thing different is Linux/Windows OS. The > > >> date is supposed to be 2/1/2019 and shows that in phpMyAdmin. > > >> > > >> I've been running on Linux for a few months. But I don't have an > > >> extensive background in the specifics of Linux. I'm sure there must > > >> be something that is configured differently. I'm at a loss. But this > > >> is not a trivial problem. I do monthly billing. My dates need to be > > >> accurate. > > > > > > Have you verified that you aren't tricked by any timezone issues? > > Probably so. But how would I know? I was under the impression that > > java.sql.Date was timezone independent. Shouldn't it simply convert a > > month/day/year value to the number of milliseconds since the epoch? How > > would timezone issues affect that? And if I am 'tricked' how do I > > 'untrick'. What do I set/change? > > > > > > > > Those millisecond values are 6 hours apart, which looks like a timezone > issue. I happen to be in US Central time, which is 6 hours earlier than > UTC in winter. > > You're right that System.currentTimeMillis() itself is independent of > timezone but Date is not. > > > >
RE: Dates on Linux vs. Windows
> -Original Message- > From: Jerry Malcolm > Sent: Tuesday, January 07, 2020 3:14 PM > To: users@tomcat.apache.org > Subject: Re: Dates on Linux vs. Windows > > On 1/7/2020 3:09 PM, Michael Osipov wrote: > > Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: > >> This may be more of a Java question than Tomcat. But I'm not sure. I > >> have the same code, talking to the same MySql Linux (AWS) database. > >> I read a date column value in a Tomcat app. After calling > >> resultSet.getDate(...) I printed the date instance and the getTime() > >> value: > >> > >> On windows: 2019-02-01 154900080 > >> > >> On linux: 2019-01-31 154897920 > >> > >> Again this is the SAME line of code in java reading the SAME field in > >> the SAME database. Only thing different is Linux/Windows OS. The > >> date is supposed to be 2/1/2019 and shows that in phpMyAdmin. > >> > >> I've been running on Linux for a few months. But I don't have an > >> extensive background in the specifics of Linux. I'm sure there must > >> be something that is configured differently. I'm at a loss. But this > >> is not a trivial problem. I do monthly billing. My dates need to be > >> accurate. > > > > Have you verified that you aren't tricked by any timezone issues? > Probably so. But how would I know? I was under the impression that > java.sql.Date was timezone independent. Shouldn't it simply convert a > month/day/year value to the number of milliseconds since the epoch? How > would timezone issues affect that? And if I am 'tricked' how do I > 'untrick'. What do I set/change? > > > > Those millisecond values are 6 hours apart, which looks like a timezone issue. I happen to be in US Central time, which is 6 hours earlier than UTC in winter. You're right that System.currentTimeMillis() itself is independent of timezone but Date is not.
Re: Dates on Linux vs. Windows
If you wish to find out if the database connection API is buggy. Is the result when you use select query from each of the operating system same. Select column_name from table; If select on both return values are same then likely the database API is buggy. You have choice of two database connection APIs. One API is tomcat specific. The other is vendor neutral. On Tue, 7 Jan 2020, 21:09 Michael Osipov, wrote: > Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: > > This may be more of a Java question than Tomcat. But I'm not sure. I > > have the same code, talking to the same MySql Linux (AWS) database. I > > read a date column value in a Tomcat app. After calling > > resultSet.getDate(...) I printed the date instance and the getTime() > value: > > > > On windows: 2019-02-01 154900080 > > > > On linux: 2019-01-31 154897920 > > > > Again this is the SAME line of code in java reading the SAME field in > > the SAME database. Only thing different is Linux/Windows OS. The date > > is supposed to be 2/1/2019 and shows that in phpMyAdmin. > > > > I've been running on Linux for a few months. But I don't have an > > extensive background in the specifics of Linux. I'm sure there must be > > something that is configured differently. I'm at a loss. But this is > > not a trivial problem. I do monthly billing. My dates need to be > accurate. > > Have you verified that you aren't tricked by any timezone issues? > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Dates on Linux vs. Windows
On 1/7/2020 3:09 PM, Michael Osipov wrote: Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: This may be more of a Java question than Tomcat. But I'm not sure. I have the same code, talking to the same MySql Linux (AWS) database. I read a date column value in a Tomcat app. After calling resultSet.getDate(...) I printed the date instance and the getTime() value: On windows: 2019-02-01 154900080 On linux: 2019-01-31 154897920 Again this is the SAME line of code in java reading the SAME field in the SAME database. Only thing different is Linux/Windows OS. The date is supposed to be 2/1/2019 and shows that in phpMyAdmin. I've been running on Linux for a few months. But I don't have an extensive background in the specifics of Linux. I'm sure there must be something that is configured differently. I'm at a loss. But this is not a trivial problem. I do monthly billing. My dates need to be accurate. Have you verified that you aren't tricked by any timezone issues? Probably so. But how would I know? I was under the impression that java.sql.Date was timezone independent. Shouldn't it simply convert a month/day/year value to the number of milliseconds since the epoch? How would timezone issues affect that? And if I am 'tricked' how do I 'untrick'. What do I set/change? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
Am 07.01.20 um 21:58 schrieb Jerry Malcolm: > This may be more of a Java question than Tomcat. But I'm not sure. I > have the same code, talking to the same MySql Linux (AWS) database. I > read a date column value in a Tomcat app. After calling > resultSet.getDate(...) I printed the date instance and the getTime() > value: > > On windows: 2019-02-01 154900080 > > On linux: 2019-01-31 154897920 > > Again this is the SAME line of code in java reading the SAME field in > the SAME database. Only thing different is Linux/Windows OS. The > date is supposed to be 2/1/2019 and shows that in phpMyAdmin. > > I've been running on Linux for a few months. But I don't have an > extensive background in the specifics of Linux. I'm sure there must > be something that is configured differently. I'm at a loss. But this > is not a trivial problem. I do monthly billing. My dates need to be > accurate. > > What am I doing wrong? (BTW Tomcat 8.5.x and Java 1.8.0_222 running on > AWS Linux, not AWS Linux 2). Maybe different timezone settings on the clients that propagate to the database? Have you looked at setting/reading the timezones in mysql (and after that on the clients) like https://stackoverflow.com/questions/930900/how-do-i-set-the-time-zone-of-mysql On linux a simple "date" command will print out the currently used timezone. For me it prints: $ date Di 7. Jan 22:06:37 CET 2020 or without a language setting: $ LANG= date Tue Jan 7 22:12:05 CET 2020 Felix > > Thanks. > > Jerry > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Dates on Linux vs. Windows
Am 2020-01-07 um 21:58 schrieb Jerry Malcolm: This may be more of a Java question than Tomcat. But I'm not sure. I have the same code, talking to the same MySql Linux (AWS) database. I read a date column value in a Tomcat app. After calling resultSet.getDate(...) I printed the date instance and the getTime() value: On windows: 2019-02-01 154900080 On linux: 2019-01-31 154897920 Again this is the SAME line of code in java reading the SAME field in the SAME database. Only thing different is Linux/Windows OS. The date is supposed to be 2/1/2019 and shows that in phpMyAdmin. I've been running on Linux for a few months. But I don't have an extensive background in the specifics of Linux. I'm sure there must be something that is configured differently. I'm at a loss. But this is not a trivial problem. I do monthly billing. My dates need to be accurate. Have you verified that you aren't tricked by any timezone issues? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Dates on Linux vs. Windows
This may be more of a Java question than Tomcat. But I'm not sure. I have the same code, talking to the same MySql Linux (AWS) database. I read a date column value in a Tomcat app. After calling resultSet.getDate(...) I printed the date instance and the getTime() value: On windows: 2019-02-01 154900080 On linux: 2019-01-31 154897920 Again this is the SAME line of code in java reading the SAME field in the SAME database. Only thing different is Linux/Windows OS. The date is supposed to be 2/1/2019 and shows that in phpMyAdmin. I've been running on Linux for a few months. But I don't have an extensive background in the specifics of Linux. I'm sure there must be something that is configured differently. I'm at a loss. But this is not a trivial problem. I do monthly billing. My dates need to be accurate. What am I doing wrong? (BTW Tomcat 8.5.x and Java 1.8.0_222 running on AWS Linux, not AWS Linux 2). Thanks. Jerry - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache SSI breaks with tomcat-connectors-1.2.43 or newer
On 07/01/2020 20:22, Ezsra McDonald wrote: > Mark, > > Has there been a decision on when a new release with the fix will go out? It hasn't been forgotten. It is around the middle of my fairly long TODO list. I'd like to say I should get to it this month but between the stuff that is already above it on the TODO list and what might turn up in the next few weeks I can't be at all sure I'll get to it by the end of the month. Mark > > On Fri, Oct 4, 2019 at 10:50 AM Ezsra McDonald > wrote: > >> The SVN Build works for us! Thanks Mark. >> >> When do you think the official release will be ready? >> >> --Ez >> >> On Wed, Oct 2, 2019 at 10:02 AM Mark Thomas wrote: >> >>> On 02/10/2019 15:39, Mark Thomas wrote: On 02/10/2019 14:51, Mark Thomas wrote: >>> >>> >>> >>> There is a work-around. Use virtual="..." in the SSI includes. Meanwhile, I am working on a fix for mod_jk. >>> >>> Done. If you want to test it out you'll have to build from svn. >>> Meanwhile, I'll start thinking about a mod_jk release. We haven't had >>> one for about a year and this bug fix seems like a good reason to have >>> one. >>> >>> Mark >>> >>> - >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >>> > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Apache SSI breaks with tomcat-connectors-1.2.43 or newer
Mark, Has there been a decision on when a new release with the fix will go out? On Fri, Oct 4, 2019 at 10:50 AM Ezsra McDonald wrote: > The SVN Build works for us! Thanks Mark. > > When do you think the official release will be ready? > > --Ez > > On Wed, Oct 2, 2019 at 10:02 AM Mark Thomas wrote: > >> On 02/10/2019 15:39, Mark Thomas wrote: >> > On 02/10/2019 14:51, Mark Thomas wrote: >> >> >> >> >> > There is a work-around. Use virtual="..." in the SSI includes. >> > >> > Meanwhile, I am working on a fix for mod_jk. >> >> Done. If you want to test it out you'll have to build from svn. >> Meanwhile, I'll start thinking about a mod_jk release. We haven't had >> one for about a year and this bug fix seems like a good reason to have >> one. >> >> Mark >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >>
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Mark, maybe this getting offtopic. > Am 07.01.2020 um 18:58 schrieb Mark Thomas : > > On 07/01/2020 16:22, Christopher Schultz wrote: > > > >> Since the Host header seems to be special in this regard (i.e. there >> is no prohibition against multiple Accept headers), might we be >> willing to interpret the spec in a slightly less strict manner? >> >> " >> A server MUST respond with a 400 (Bad Request) status code to any >> HTTP/1.1 request message that lacks a Host header field and to any >> request message that contains more than one Host header field [[WITH A >> CONFLICTING VALUE]]] or a Host header field with an invalid field-value. >> " >> >> So a request with: >> >> Host: foo.bar.com >> Host: foo.bar.com >> >> Would be okay, while: >> >> Host: foo.bar.com >> Host: bar.foo.com >> >> Would return a 400 response? > > Not sure. > > The usual concern with multiple headers is that a reverse proxy uses > one, the back-end uses another and you get unexpected behaviour that may > result in some sort of information leak - i.e. a vulnerability. That > shouldn't apply here since the values are the same. > > Experience suggests that being more relaxed about parsing an HTTP > request that the specification requires is likely to result - at some > point in the future - with a vulnerability report. > > In this instance I can image some other server somehow merging the two > header values and - essentially - treating it as a different value to > Tomcat. That could lead to a similar information disclosure as above. > I didn’t think that far! However, if they are the same and tomcat would also have to respond to the given host, that would be extremely unlikely... > The usual counter argument is that there is no vulnerability if the > other server is spec compliant. But the same is true if Tomcat is spec > compliant. > > I certainly wouldn't support this behaviour by default. > Agreed. > Making the behaviour configurable is possible so it could be enabled > when necessary and safe to do so (i.e. clients connecting directly to > Tomcat). That then gets you to the question how complex would this be to > implement and is that complexity justified by the benefit it brings? > Just thinking how to handle “n” Host headers at various locations in the request... 8-0 > At this point, I'm not sure. > > So far we are looking at a feature required by a single user to handle > clearly non-spec compliant clients. I lean more towards a custom > protocol / processor implementation when a single user is affected. > That’s true. Could this be a documented “extra”? Like a drop-in Jar? Peter > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
This just gets weirder and weirder. I added manager-jmx to the admin account. I continued to get "401 unauthorized." I then tried setting up another user, temporarily, with a URL-friendly user-ID and password. If I just gave that user "manager-gui," I got "403 access denied" instead, regardless of whether I put the user-ID and password into the URL, or into a -u clause. But then, when I tried adding "manager-jmx" to the temporary user, I got a null pointer exception! java.lang.NullPointerException at org.apache.catalina.manager.JMXProxyServlet.invokeOperationInternal(JMXProxyServlet.java:264) at org.apache.catalina.manager.JMXProxyServlet.invokeOperation(JMXProxyServlet.java:207) at org.apache.catalina.manager.JMXProxyServlet.doGet(JMXProxyServlet.java:116) at javax.servlet.http.HttpServlet.service(HttpServlet.java:635) at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) What I have on this box is Tomcat 8.5.40, under JVM 1.8.0_201-b09 Anybody know what's wrong now? -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
On 07/01/2020 16:22, Christopher Schultz wrote: > Since the Host header seems to be special in this regard (i.e. there > is no prohibition against multiple Accept headers), might we be > willing to interpret the spec in a slightly less strict manner? > > " > A server MUST respond with a 400 (Bad Request) status code to any > HTTP/1.1 request message that lacks a Host header field and to any > request message that contains more than one Host header field [[WITH A > CONFLICTING VALUE]]] or a Host header field with an invalid field-value. > " > > So a request with: > > Host: foo.bar.com > Host: foo.bar.com > > Would be okay, while: > > Host: foo.bar.com > Host: bar.foo.com > > Would return a 400 response? Not sure. The usual concern with multiple headers is that a reverse proxy uses one, the back-end uses another and you get unexpected behaviour that may result in some sort of information leak - i.e. a vulnerability. That shouldn't apply here since the values are the same. Experience suggests that being more relaxed about parsing an HTTP request that the specification requires is likely to result - at some point in the future - with a vulnerability report. In this instance I can image some other server somehow merging the two header values and - essentially - treating it as a different value to Tomcat. That could lead to a similar information disclosure as above. The usual counter argument is that there is no vulnerability if the other server is spec compliant. But the same is true if Tomcat is spec compliant. I certainly wouldn't support this behaviour by default. Making the behaviour configurable is possible so it could be enabled when necessary and safe to do so (i.e. clients connecting directly to Tomcat). That then gets you to the question how complex would this be to implement and is that complexity justified by the benefit it brings? At this point, I'm not sure. So far we are looking at a feature required by a single user to handle clearly non-spec compliant clients. I lean more towards a custom protocol / processor implementation when a single user is affected. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
On 1/7/20 7:32 AM, Christopher Schultz wrote: Hah, sorry about that. Nobody thought of specifying that only root can view the iptables stuff. :) Not your fault, nor that of anybody else here; I blame the author of iptables and iptables-save: it should either (a) allow *anybody* to *see* the information, or (b) *tell* the user that he/she is not authorized to see it. While I occasionally use "quiet failure" myself, when writing code to protect database fields from unauthorized modification, I generally do so only when it actually makes sense, and the user can actually *see* that his or her attempt to change the value(s) was quietly ignored. *** But I'm still puzzled about the "output redirect" specified in the presentation, but absent from this installation (and yet it still works just fine). Does the "proxyPort" clause on the connector have something to do with it "working just fine" without the "output redirect"? -- JHHL - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Chris (and Mark), > Am 07.01.2020 um 17:22 schrieb Christopher Schultz > : > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Mark, > >> On 1/7/20 4:36 AM, Mark Thomas wrote: >>> On 07/01/2020 07:10, Dennis Rech wrote: >>> POST /foo HTTP/1.1 Host: foo.com POST /foo HTTP/1.1 Host: >>> foo.com Content-[stuff] [...] >> >> First two lines are OK. >> >> The third line is going to be treated as an HTTP header. It is >> invalid and Tomcat will reject it with a 400 response but you can >> tell Tomcat to just ignore the invalid header with >> rejectIllegalHeaderName="false" on the Connector. >> >> The problem is going to be the second Host header. >> >> RFC 7230 states: >> >> A server MUST respond with a 400 (Bad Request) status code >> to any HTTP/1.1 request message that lacks a Host header field and >> to any request message that contains more than one Host header >> field or a Host header field with an invalid field-value. >> >> Any spec compliant server is almost certainly going to reject that >> request. I guess a server might provide a hook for request >> modification prior to rejection to allow the "fixing" of known >> invalid requests but I'm not aware of any that do - at least not >> without going down the writing a custom module route. >> >> If we made Http11Processor.prepareRequest() protected then it would >> be fairly simple to write a custom Processor that: - extended >> Http11Processor - overrode prepareRequest() to a) remove the >> duplicate Host header b) call super.prepareRequest() >> >> I could provide one for you if you weren't comfortable doing that >> yourself). However, even if we made the change now (which I'm happy >> to do if you think it would be useful) it will take a while to >> filter through to the Debian distribution. >> >> There are several variations on this theme. One could write a >> custom Processor for 8.5.50 that did the same thing - it would just >> be rather more involved as one would have to copy rather more code >> from Http11Processor. > > Since the Host header seems to be special in this regard (i.e. there > is no prohibition against multiple Accept headers), might we be > willing to interpret the spec in a slightly less strict manner? > > " > A server MUST respond with a 400 (Bad Request) status code to any > HTTP/1.1 request message that lacks a Host header field and to any > request message that contains more than one Host header field [[WITH A > CONFLICTING VALUE]]] or a Host header field with an invalid field-value. > " That would be a good idea - maybe only in conjunction with setting rejectIllegalHeaderName=false If that makes the implementation easier??? > > So a request with: > > Host: foo.bar.com > Host: foo.bar.com > > Would be okay, while: > > Host: foo.bar.com > Host: bar.foo.com > > Would return a 400 response? > That would be a messed up request and worth a 400! Peter > - -chris > -BEGIN PGP SIGNATURE- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4UsEEACgkQHPApP6U8 > pFjprxAAi60mVwH+LHo2HSCl+hwIhIyG2B9Dg2LjIJ8JPMA/WxaiDOOJCS+yMTbV > rVfdPrlT0B6Zd8ceTjz4ooZa79SwPFfCiFM97q1H/JwwsqVxaBEFEx6PgvnJzUUF > ZuJJEtQHijQgZo0gXv2plkqHTBrG5NMPNqQYEJ8aZqdjtSvtNkP2E03agVC/8SqW > mNyERNFcyOP3hUlNHSghPXl81ckSabqa83rLrwFCZQGJ2U71EnnietYxXT5Dz6Kx > W03z8HY2mClTETmZB/WvkCmG0F1AXQ8Xr2E4fJ2+meyNHgTZ2XjfYsKtZNKTQmiC > zlDgweuXuQ1r6DorLB4MUCm7HMffeDTwKEHBaYkIt7reHN8yGfT8sq1F8A0ZDKHi > y9Ugt0KwePPOGFK8mfST7lBWojPJL1wbyBVAYh+FL5f1hMScOdHRxbU9uz2p9NSB > RMubUWNCD1p8+sI8bLjQ//vU/iCLcWg7RStr/FSfXZEqjJv6EZ4OaNafahTcxvey > 37Qz/eVTJQGeYa0+1rBvttVZJB6xrJwcscC3dgskTJ8VXJuAnwK0WdmMRzD7XLos > HP13SOoLXUgek07XH61OPq5dnbpUwq996GqpSLldLUJlCnbMi1vxkAmGe006zVXH > GWPoV1d4r7p0JjkyBlGQYUwiltuDFyNOx9uRS5FTaapaarhY6G0= > =Z571 > -END PGP SIGNATURE- > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 1/7/20 4:36 AM, Mark Thomas wrote: > On 07/01/2020 07:10, Dennis Rech wrote: >> POST /foo HTTP/1.1 Host: foo.com POST /foo HTTP/1.1 Host: >> foo.com Content-[stuff] [...] > > First two lines are OK. > > The third line is going to be treated as an HTTP header. It is > invalid and Tomcat will reject it with a 400 response but you can > tell Tomcat to just ignore the invalid header with > rejectIllegalHeaderName="false" on the Connector. > > The problem is going to be the second Host header. > > RFC 7230 states: > > A server MUST respond with a 400 (Bad Request) status code > to any HTTP/1.1 request message that lacks a Host header field and > to any request message that contains more than one Host header > field or a Host header field with an invalid field-value. > > Any spec compliant server is almost certainly going to reject that > request. I guess a server might provide a hook for request > modification prior to rejection to allow the "fixing" of known > invalid requests but I'm not aware of any that do - at least not > without going down the writing a custom module route. > > If we made Http11Processor.prepareRequest() protected then it would > be fairly simple to write a custom Processor that: - extended > Http11Processor - overrode prepareRequest() to a) remove the > duplicate Host header b) call super.prepareRequest() > > I could provide one for you if you weren't comfortable doing that > yourself). However, even if we made the change now (which I'm happy > to do if you think it would be useful) it will take a while to > filter through to the Debian distribution. > > There are several variations on this theme. One could write a > custom Processor for 8.5.50 that did the same thing - it would just > be rather more involved as one would have to copy rather more code > from Http11Processor. Since the Host header seems to be special in this regard (i.e. there is no prohibition against multiple Accept headers), might we be willing to interpret the spec in a slightly less strict manner? " A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field [[WITH A CONFLICTING VALUE]]] or a Host header field with an invalid field-value. " So a request with: Host: foo.bar.com Host: foo.bar.com Would be okay, while: Host: foo.bar.com Host: bar.foo.com Would return a 400 response? - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4UsEEACgkQHPApP6U8 pFjprxAAi60mVwH+LHo2HSCl+hwIhIyG2B9Dg2LjIJ8JPMA/WxaiDOOJCS+yMTbV rVfdPrlT0B6Zd8ceTjz4ooZa79SwPFfCiFM97q1H/JwwsqVxaBEFEx6PgvnJzUUF ZuJJEtQHijQgZo0gXv2plkqHTBrG5NMPNqQYEJ8aZqdjtSvtNkP2E03agVC/8SqW mNyERNFcyOP3hUlNHSghPXl81ckSabqa83rLrwFCZQGJ2U71EnnietYxXT5Dz6Kx W03z8HY2mClTETmZB/WvkCmG0F1AXQ8Xr2E4fJ2+meyNHgTZ2XjfYsKtZNKTQmiC zlDgweuXuQ1r6DorLB4MUCm7HMffeDTwKEHBaYkIt7reHN8yGfT8sq1F8A0ZDKHi y9Ugt0KwePPOGFK8mfST7lBWojPJL1wbyBVAYh+FL5f1hMScOdHRxbU9uz2p9NSB RMubUWNCD1p8+sI8bLjQ//vU/iCLcWg7RStr/FSfXZEqjJv6EZ4OaNafahTcxvey 37Qz/eVTJQGeYa0+1rBvttVZJB6xrJwcscC3dgskTJ8VXJuAnwK0WdmMRzD7XLos HP13SOoLXUgek07XH61OPq5dnbpUwq996GqpSLldLUJlCnbMi1vxkAmGe006zVXH GWPoV1d4r7p0JjkyBlGQYUwiltuDFyNOx9uRS5FTaapaarhY6G0= =Z571 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Zahid, On 1/7/20 9:17 AM, zahid wrote: >> Well - why do you think someone is calling you names? Mark did >> not, > right? > > My efforts in chasing up a bug which effected many Apache and non > Apache products > > and with MR Emmanuel Bourg 's DILIGENT , VIGOROUS efforts > produced this :- > > [1] https://bugs.debian.org/948309 [2] > https://bugs.debian.org/948310 > > IBM can now upgrade from JDK 8 > https://developer.ibm.com/javasdk/downloads/. > > if this was their issue too. > > I also sent same message to Apache Struts because the local expert > there was recommending to use JDK 8 to people who had MAVEN warning > caused when using Internationalisation API. (I looked through > archive and saw that) > > I also sent same message to Apache NetBeans because they were > using Maven 3.3.9 (2015) which knows nothing about the trouble > some java classes. > >> Well - why do you think someone is calling you names? Mark did >> not, > right? > > Mark T refer to me as "troll" > > I am not part of the fashion victim of *nix, so Mr Shultz also > referred to me as a "troll". Anyone who is stirring-up off-topic trouble on a mailing list for no apparent purpose is trolling. Whether or not that makes you a troll is debatable. But posting messages about how one operating environment versus another is superior/inferior is definitely off-topic, especially if it is not some frustration which you are trying to solve and get past. It is not useful to the community to post open-ended complaints about e.g. UNIX or Windows for that matter. So if you hate the UNIX philosophy, that's fine. We just don't really care to hear you complain about it. We also don't want to hear complaints about Windows, MacOS, BeOS, iOS, etc., either. Extending the (useless) debate just wastes people's time. Extending the debate is also a technique used by trolls to continue to anger peopl e. This is a community that exists to support users of Apache Tomcat. If you are having a specific problem with an operating environment, someone (or, typically, more than one someone) who has expertise in that environment will generally try to explain what is happening and help you. Complaining about the answer doesn't encourage others to help you in the future. It also discourages others from participating in the community, and THAT is the reason why we will (eventually) ban people who continuously troll our community. We are not threatening to ban you. We are explaining that actual trolls WILL be banned. - -chris > On 06/01/2020 21:45, logo wrote: >> Well - why do you think someone is calling you names? Mark did >> not, right? >> >>> Am 06.01.2020 um 22:11 schrieb Zahid Rahman >>> : >>> >>> Are you calling me names ? >>> >>> On Mon, 6 Jan 2020, 20:35 Mark Thomas, >>> wrote: >>> On 06/01/2020 16:29, Christopher Schultz wrote: > You have a right to a view, and you can troll all you want. > But you will be ignored. Up to a point. Users that continue to troll will be unsubscribed and blocked from re-subscribing. As a general reminder aimed at keeping noise down on the list: Please don't feed the trolls. Mark --- - -- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4UrqMACgkQHPApP6U8 pFjx/w//Xs5LSFDgWtubi3hDdQqr/IYzPCSfWWhxsRxtT9sZRXx3dPd+O39Hj62v 7+Oiy/hQcTx+LFhLpdxbaJ2ntHU5B+Cj1336ikd8ndpeauMK8XPibv/Zf/fmeQb1 WO6g2+o4HA0OGtVtcZ56Q8W7UduHcVUHIYxim1dclscABrHbNzyNI+biX8IPA5Uu D2XmItyjRuRnFZjeSwNAjMD+zPRs2K/j7Q+IDChObJJasjX04cDOV2QWKnAlUTWb yoY5we6I7qVrGymp0eHovlMN6wKU+d620+/XKd9CLPlcID/TcAzmyCdxInKob+9m uXW/B9CDAY3TwpiSIE6nsfjox/vCoNzLB6nUWH16VtTf+YqQwk036vvcpsX4qvof uiV8I7PdUuwIik/g5/uaynXlSXOY+QMls0p4dveIj89GYhlGKuv/w3KZh5ugedSO RYzHDyiHtCkP2uQddJMxKbsjEV4sWfai5I2TY7BUBoL8muPFso8/o8fwjK32yaUt a3HrEAWa/NL7nfwG9VbtzWEDAtSiKsCxRpoCh7bgHnLt9ez+Bt+MIGpuVRWf0tGt hTANri4MquduPz/phZpWFp930YlSBaWC15ZdDiZeoF0kclml/JhHtc+yJfufRjxO BWksNkttTxMHkC2vlB44OUicTNxW0xowni2I+olieYDs1uUXDLQ= =b3mX -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Curl problem with reloadSslHostConfigs, Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 1/6/20 9:10 PM, James H. H. Lampert wrote:
> Dear Mr. Schultz, et al.:
>
> The manager password on this Tomcat server has an embedded curly
> brace, and an embedded question mark.
>
> If I do this (the names have been changed to protect the innocent,
> and the -k!)
>
>> curl -k
>> "https://foo:b?a{r@localhost:8443/manager/jmxproxy?invoke=Catalina%3A
type%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=relo
adSslHostConfigs"
>>
>
>>
> I get curl: (3) [globbing] unmatched brace in column xx
>
> If I change the curly brace to "%7B," I get:
>
>> curl -k
>> "https://foo:b?a%7Br@localhost:8443/manager/jmxproxy?invoke=Catalina%
3Atype%3DProtocolHandler%2Cport%3D8443%2Caddress%3D%22127.0.0.1%22&op=re
loadSslHostConfigs"
>>
>
>>
> I get curl: (3) Port number ended with 'n'
>
> And if I put the user-ID and password in with a -u clause on curl,
> rather than in the URL itself, I get "Unauthorized."
>
> What is wrong here? Are there characters it simply can't tolerate
> in passwords, even if URL-escaped?
>
> Or do I need to give the manager user an additional role?
> Currently, I have: roles="manager-gui"/>
You need another role. The role necessary for jmxproxy is "manager-jmx".
- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4Up+EACgkQHPApP6U8
pFjy0xAAmwbNbBSnW5mydxPPSD5OXyJW13wmLtZy2BoMyV5E6HR9wu/u79i27VbI
qfNoIMk3K1wAKNTzuBOtM+cUgXaiFBZeehXuN9lF2AvqiOnp948n3JXrY2JvAovk
Adr3tsx+21nZgNVaVTsEezdKcad+odCRVWER52eVKdnz8In3oh4bWXOEcHQ6T22o
/o+JvQY0kjrRFGMWGHGUu7EvtzM+zawf3RDMuRD2xdhMv3MWhH5o5nrt4DalglUU
qhvZQ5RfVcjMNC43clCjdRhoz7hhCAkf6GTCkqQmVGW0KYP4x8yGxM2NFV0ft8Vc
/DJiy3h3rX6j4lE1c7XXDksUqfPx70h8RJ1ApzcYumXrGxHDUsvYzkuzsGQCBMSF
5qo1lRCgK+qaITNuc9nZIhKdtai3iojjCUr0VNN9+3wI61rNBlncPyIRrNJR2pS7
m6IeML1cKxE7c4sWr7Th4egM+NOX65E4oyv1X6vqpWZYL5TrB2Eys+zcPdG981KI
OF06FybbBW4XDpyv9ECTE9gmtqiw0LYLTz8bg9ytRqOfCgSCmUxVzIc9CTk0glgZ
3AJA8QElFlibnORB7rD1nagDBO4VYmcSXnttHrXf47jjtchWEF+cI24IUUZnbWKb
+yVgFfBJS4mqIIe7IvxYjL2I2bMTx+FWGf7erAm+/WYbMt8DAEE=
=bHGS
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Breakthrough, Re: Let's Encrypt with Tomcat?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 1/6/20 4:28 PM, James H. H. Lampert wrote: > I think I found something, with the help of "MLu" on ServerFault: > > He advised me to try "iptables -L" and "iptables-save" again, only > this time "sudo" them. Hah, sorry about that. Nobody thought of specifying that only root can view the iptables stuff. :) > When I did "iptables -L" under root privileges, I still only got > column headings, but when I did "iptables-save" under root > privileges, I hit what appears to be paydirt: >> # Generated by iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 >> *filter :INPUT ACCEPT [5018099:5766179544] :FORWARD ACCEPT [0:0] >> :OUTPUT ACCEPT [400:2863742410] COMMIT This means "no filtering". You have a firewall, so that's fine. >> # Completed on Mon Jan 6 21:17:22 2020 # Generated by >> iptables-save v1.4.18 on Mon Jan 6 21:17:22 2020 *nat >> :PREROUTING ACCEPT [41828:2351495] :INPUT ACCEPT [76356:4167904] >> :OUTPUT ACCEPT [254990:18418937] :POSTROUTING ACCEPT >> [254990:18418937] -A PREROUTING -p tcp -m tcp --dport 443 -j >> REDIRECT --to-ports 8443 COMMIT This means that the NAT table is being used to forward port 443 -> 8443 just like we were all assuming, but hadn't yet proven. >> # Completed on Mon Jan 6 21:17:22 2020 > > Other than the one obvious line near the bottom, >> -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports >> 8443 > I'm not entirely sure what all of this means, nor do I remember > what I did to set it up. This definitely means that clients can connect to host:443 and will actually communicate with host:8443. Mystery solved! - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4UpIQACgkQHPApP6U8 pFgHWg/9GkBh1aVeCqqUmKd4l8BcBTrYGCEdVf5FxirWHwWTbmqAY5NYwDPqNOEU OzOrdbFr6O4tbrcrQGg78pD/ZqhyuwyTKN+NY41/IOFBegbB7ziHyGMNWt81mWbW n9yYQblEHDkwrdLxu1p6l9DFLsNkWmZxbIE+Ktp8Dyvocv0rfeEh6Ht2jQGOyWKm m4xhgIc9i9ewGglpRoOwJmfSYuHLs8ijw8CA7owfMz+A3brS4RzreNzLW1nxU7m0 1neLHu2e8AFHw0CPb8NAMt4kC1Rf67wyLbxE2umOPIK16V6yIY96fWmkFNqIlHCl tiY2oncn6A9jG4r86W2i1MHMEust8a2d/F/bvL5Yjiw26TMr+T5rL/EFU6debTfW jkFSCS2gFaUM/bBb78d6vQfmpHTj17lP87YK4YJtjQT5/SAXnnty8g7PtOO+jp+W 6gaHYKp1TSYPareexO9NcNd4QM6aWMjMqNgNqiPnggZ6We1Xc+eK7U7kmMpp3hee 7Jggk4oM7G7d8ld1KNW5lRvEGc15E39ZEstFP0UJ78qbHv0ROlh4xoD0lhkW00YB fC4P4RQE4nwCbDRC7hd2vNPPrSKu6IKo/rwTcGl7yPpi0oX1eTg0AYkaxd2MOTX8 o7NemE0CY01Y65Fev7Yir/WRBxuC1wfuJb1U91t8WblAejQV5bU= =z5M1 -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9 does not allow to read file in /tmp folder with 777 permission?
> Well - why do you think someone is calling you names? Mark did not, right? My efforts in chasing up a bug which effected many Apache and non Apache products and with MR Emmanuel Bourg 's DILIGENT , VIGOROUS efforts produced this :- [1] https://bugs.debian.org/948309 [2] https://bugs.debian.org/948310 IBM can now upgrade from JDK 8 https://developer.ibm.com/javasdk/downloads/. if this was their issue too. I also sent same message to Apache Struts because the local expert there was recommending to use JDK 8 to people who had MAVEN warning caused when using Internationalisation API. (I looked through archive and saw that) I also sent same message to Apache NetBeans because they were using Maven 3.3.9 (2015) which knows nothing about the trouble some java classes. > Well - why do you think someone is calling you names? Mark did not, right? Mark T refer to me as "troll" I am not part of the fashion victim of *nix, so Mr Shultz also referred to me as a "troll". On 06/01/2020 21:45, logo wrote: Well - why do you think someone is calling you names? Mark did not, right? Am 06.01.2020 um 22:11 schrieb Zahid Rahman : Are you calling me names ? On Mon, 6 Jan 2020, 20:35 Mark Thomas, wrote: On 06/01/2020 16:29, Christopher Schultz wrote: You have a right to a view, and you can troll all you want. But you will be ignored. Up to a point. Users that continue to troll will be unsubscribed and blocked from re-subscribing. As a general reminder aimed at keeping noise down on the list: Please don't feed the trolls. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- www.backbutton.co.uk ♡۶¯\_(ツ)_/¯ ♡۶ Marriage of loose and tight coupling -> healthy applications ♡۶ java -cp classpath class-path - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: HTTP/2 configuration
Hey Mark et. al., On Tue, 7 Jan 2020 at 11:20, Mark Thomas wrote: > On 12/12/2019 15:23, Christopher Schultz wrote: > > Arief, > > > > On 12/12/19 00:25, Arief Hasani wrote: > >> IMHO, being able to override form HTTP1.1 conf is all good as user > >> could easily assume that if not specified in the upgrade than use > >> http1.1 configs > > I'm not sure you understand the question. > > > > Mark is asking if any users in the community are finding that they > > need to independently configure specific parts of the HTTP/<2 versus > > h2 *for the same port*. > > > > Thinks like the compression, keepalives, max headers/trailers, > > timeouts, sendfile config, etc. > > > > Does it ever make sense to have sendFile enabled on the HTTP/1.1 > > connector but disable sendFile if the client upgrades to h2? > > Exactly. > > > The suspicion is that identical configuration is acceptable. Mark is > > trying to ask if there are any exceptions before we simplify the code > > which handles the configuration. > > > > If you have a specific use-case, please explain. > > Just pinging this thread in case there is someone with a specific use case. > > At the moment, I'm leaning towards the simplification for Tomcat 10 > onwards. > It's probably better that way. The change here is big and a major release such as 10.x is more appropriate for GA. > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: HTTP/2 configuration
On 12/12/2019 15:23, Christopher Schultz wrote: > Arief, > > On 12/12/19 00:25, Arief Hasani wrote: >> IMHO, being able to override form HTTP1.1 conf is all good as user >> could easily assume that if not specified in the upgrade than use >> http1.1 configs > I'm not sure you understand the question. > > Mark is asking if any users in the community are finding that they > need to independently configure specific parts of the HTTP/<2 versus > h2 *for the same port*. > > Thinks like the compression, keepalives, max headers/trailers, > timeouts, sendfile config, etc. > > Does it ever make sense to have sendFile enabled on the HTTP/1.1 > connector but disable sendFile if the client upgrades to h2? Exactly. > The suspicion is that identical configuration is acceptable. Mark is > trying to ask if there are any exceptions before we simplify the code > which handles the configuration. > > If you have a specific use-case, please explain. Just pinging this thread in case there is someone with a specific use case. At the moment, I'm leaning towards the simplification for Tomcat 10 onwards. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
Hi Remy, Thanks for the reply, As you mention below points "There's a problem only if things are blocked improperly, for example if the client is correctly reading the data and/or there's no network backlog. Also the timeout configured on the connector must be respected by the operation." 1. how can we check the network backlog or data read/write not working properly, if any tool pls let us know 2. how can we set connector timeout. Thanks and Regards, Rajendra Rathore 9922701491 -Original Message- From: Rémy Maucherat Sent: Tuesday, January 7, 2020 4:11 PM To: Tomcat Users List Subject: Re: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API External email from: users-return-269207-rarathore=ptc@tomcat.apache.org On Tue, Jan 7, 2020 at 6:33 AM Rathore, Rajendra wrote: > Hi Rémy/ Christopher, > > It will stuck there for 10-15 minutes, so it will take time to load > simple Web UI, there is no WebSocket call. I am giving you one of the > sample where it will take 90% time in write operation, sometime it will reach > to 100%. > > > || > > O-org.apache.coyote.ajp.AjpProcessor.writeData(AjpProcessor.java:1331) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.write(SocketWrapperBase > .java:385) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.writeBlocking(SocketWra > pperBase.java:462) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.doWrite(SocketWrapperBa > se.java:726) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.doWrite(NioE > ndpoint.java:1316) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.jav > a:157) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSele > ctor.java:114) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitWriteLa > tch(NioEndpoint.java:1160) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitLatch(NioEndpoint.java:1157) > count=1667(%92.766) > || > | > O-java.util.concurrent.CountDownLatch.await(CountDownLatch.java:277) > count=1667(%92.766) > > It's a normal blocking write, and the await does not consume CPU (it sits there however and a profiler will count that but it doesn't matter). There's a problem only if things are blocked improperly, for example if the client is correctly reading the data and/or there's no network backlog. Also the timeout configured on the connector must be respected by the operation. Rémy
Re: performance issue with Tomcat 8.5.35 in org.apache.tomcat.util.net.NioBlockingSelector.write API
On Tue, Jan 7, 2020 at 6:33 AM Rathore, Rajendra wrote: > Hi Rémy/ Christopher, > > It will stuck there for 10-15 minutes, so it will take time to load simple > Web UI, there is no WebSocket call. I am giving you one of the sample where > it will take 90% time in write operation, sometime it will reach to 100%. > > > || > > O-org.apache.coyote.ajp.AjpProcessor.writeData(AjpProcessor.java:1331) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.write(SocketWrapperBase.java:385) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.writeBlocking(SocketWrapperBase.java:462) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.SocketWrapperBase.doWrite(SocketWrapperBase.java:726) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.doWrite(NioEndpoint.java:1316) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioSelectorPool.write(NioSelectorPool.java:157) > count=1669(%92.877) > || > > O-org.apache.tomcat.util.net.NioBlockingSelector.write(NioBlockingSelector.java:114) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitWriteLatch(NioEndpoint.java:1160) > count=1667(%92.766) > || > | > O-org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper.awaitLatch(NioEndpoint.java:1157) > count=1667(%92.766) > || > | > O-java.util.concurrent.CountDownLatch.await(CountDownLatch.java:277) > count=1667(%92.766) > > It's a normal blocking write, and the await does not consume CPU (it sits there however and a profiler will count that but it doesn't matter). There's a problem only if things are blocked improperly, for example if the client is correctly reading the data and/or there's no network backlog. Also the timeout configured on the connector must be respected by the operation. Rémy
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Dear Mark, thanks a lot for your effort and your feedback. Am 07.01.20 um 10:36 schrieb Mark Thomas: On 07/01/2020 07:10, Dennis Rech wrote: POST /foo HTTP/1.1 Host: foo.com POST /foo HTTP/1.1 Host: foo.com Content-[stuff] [...] First two lines are OK. The third line is going to be treated as an HTTP header. It is invalid and Tomcat will reject it with a 400 response but you can tell Tomcat to just ignore the invalid header with rejectIllegalHeaderName="false" on the Connector. I already tried the connector option in server.xml and also saw in the documentation the rejectIllegalHeaderName option should be on "false" even as default. The problem is going to be the second Host header. The second "Host" part is still a problem, you're right. We have just tried putting nginx as a proxy before the tomcat8 instance and it has intercepted the malformed request fine at least it has not rejected the request with HTTP response code 400. RFC 7230 states: A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value. Any spec compliant server is almost certainly going to reject that request. I guess a server might provide a hook for request modification prior to rejection to allow the "fixing" of known invalid requests but I'm not aware of any that do - at least not without going down the writing a custom module route. If we made Http11Processor.prepareRequest() protected then it would be fairly simple to write a custom Processor that: - extended Http11Processor - overrode prepareRequest() to a) remove the duplicate Host header b) call super.prepareRequest() I could provide one for you if you weren't comfortable doing that yourself). However, even if we made the change now (which I'm happy to do if you think it would be useful) it will take a while to filter through to the Debian distribution. There are several variations on this theme. One could write a custom Processor for 8.5.50 that did the same thing - it would just be rather more involved as one would have to copy rather more code from Http11Processor. We will see if the nginx workaround is sufficient :-). Otherwise we will take into consideration your suggestion. Thanks again. Dennis Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] Re: Maven Warning. Ubuntu Users
Thank you sir. I was truly lucky because I don't know how this Apache organisation works at the moment. Now I can prototype a rather complex skeleton application I am working on with a stable environment, without concern for platform warnings. Best Regards Zahid secure by design http https://www.youtube.com/watch?v=idViw4anA6E&t=1276s ♡۶ www.backbutton.co.uk ¯\_(ツ)_/¯ Marriage of loose and tight coupling -> healthy applications On 06/01/2020 23:34, Emmanuel Bourg wrote: Le 06/01/2020 à 21:24, Zahid Rahman a écrit : Don't shoot the messenger. You are not sending the message to the right list, there is nothing the Tomcat developers can do to fix this issue. This should be brought to debian-j...@lists.debian.org instead (Debian is the source of Ubuntu Java packages). But you are lucky because beside maintaining Tomcat in Debian, I also maintain Maven, and thanks to your message I've filled the bugs to address this issue [1][2]. Emmanuel Bourg [1] https://bugs.debian.org/948309 [2] https://bugs.debian.org/948310 - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- www.backbutton.co.uk ♡۶¯\_(ツ)_/¯ ♡۶ Marriage of loose and tight coupling -> healthy applications ♡۶ java -cp classpath class-path - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
On 07/01/2020 07:10, Dennis Rech wrote: > POST /foo HTTP/1.1 > Host: foo.com > POST /foo HTTP/1.1 > Host: foo.com > Content-[stuff] [...] First two lines are OK. The third line is going to be treated as an HTTP header. It is invalid and Tomcat will reject it with a 400 response but you can tell Tomcat to just ignore the invalid header with rejectIllegalHeaderName="false" on the Connector. The problem is going to be the second Host header. RFC 7230 states: A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value. Any spec compliant server is almost certainly going to reject that request. I guess a server might provide a hook for request modification prior to rejection to allow the "fixing" of known invalid requests but I'm not aware of any that do - at least not without going down the writing a custom module route. If we made Http11Processor.prepareRequest() protected then it would be fairly simple to write a custom Processor that: - extended Http11Processor - overrode prepareRequest() to a) remove the duplicate Host header b) call super.prepareRequest() I could provide one for you if you weren't comfortable doing that yourself). However, even if we made the change now (which I'm happy to do if you think it would be useful) it will take a while to filter through to the Debian distribution. There are several variations on this theme. One could write a custom Processor for 8.5.50 that did the same thing - it would just be rather more involved as one would have to copy rather more code from Http11Processor. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Ignore duplicate HTTP headers in Tomcat 8.5.50-0+deb9u1
Dennis, Am 07.01.2020 um 08:10 schrieb Dennis Rech : Hi Christopher, Am 06.01.20 um 17:39 schrieb Christopher Schultz: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Dennia, On 1/6/20 07:09, Dennis Rech wrote: we have an application where HTTP clients have a kind of unclean way of submitting HTTP POST requests to our tomcat server for data upload: The |POST| and |Host: xxx| part appears twice in the request. Yuck. You mean like this? POST /foo HTTP/1.1 POST /foo HTTP/1.1 Host: foo.com Host: foo.com Content-Type: application/x-www-url-encoded Content-Length: 13 q=Hello World ? No, rather like that: POST /foo HTTP/1.1 Host: foo.com POST /foo HTTP/1.1 Host: foo.com Content-[stuff] [...] It could be worse. But at least the first two lines are protocol compliant. As Chris mentioned you may add a reverse proxy like nginx or traefik in front of it and strip the lines - the POST line not a „real“ header though - before passing the request to tomcat. Then if the first two lines are compliant, I wonder if a Valve on tomcat level could intercept the request and deal with the bad lines before reaching the app layer. Peter Until now this didn't cause any problems with tomcat, but since the latest release, Tomcat refuses to accept this message and returns a 400 bad request immediately. Having two "host" headers should be okay. But repeating the request line is a clear violation of the HTTP spec that will be difficult to get over. I can't believe Tomcat ever allowed that, though it may have done so. I read in the changelog that since Tomcat 8.5.22 it will also reply with Bad request 400 if there are two Host fields in the header. But I guess the double "POST" is even worse. Unfortunately we'll not be able to change the client-side code. Is there any way to tell the tomcat connector "ignore duplicate headers" or so to make it work again? I guess the rewrite filters for tomcat won't help as tomcat probably discards the incoming message before handing it over to rewrite. Tomcat is responsible for reading the request line and routing the request to an application. If the request is broken badly enough, it won't be able to route. Headers are parsed as a part of that, and: POST /foo HTTP/1.1 is not a valid header for at least two reasons: 1. There is no : character (required, even when the header has no value) 2. There are spaces in the "name" (the name is everything before colon ) Well, "POST"... is the actual request followed by the HTTP headers. POST is not part of the actual header. Maybe I haven't pointed that out. Example request: |POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the request is ok...] | This got word-wrapped. Was this? Yes I copied it from a formatted document, the pipes probably indicate that this text was preformatted in the original document, sorry. Also the newlines are missing. POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST/data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...here comes the remaining header with Content-Length etc followed by the body...] POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 POST /data/upload/test HTTP/1.1 Host: www.myhost.de:8180 [...rest of the request is ok...] ? Yikes. What kind of client is this? It's a remote unit transmitting data to a server using POST file uploads with - obviously - a little bug in the firmware that builds the HTTP request manually as there is no curl library for the unit etc. which can be used to generate the requests. I wonder if there is a parameter for the |Connector| part in server.xml or so to workaround this problem and restore the old behaviour without downgrading. The good news is that the second POST could theoretically be considered to be a "broken" header and ignored. But Tomcat has been getting progressively more strict about what it will accept. There are all kinds of nasty ways to use malformed messages like this to confuse environments where e.g. a reverse-proxy and the origin server behave differently when they see requests like those above. It's better to just fail and fix the software. Why can't you fix the clients? Is this another case of internet-of-things garbage that can't practically be repaired? Something like that. The devices could be updated in theory but probably not over-the-air and many of them are already deployed somewhere in the "wild" so we don't have physical access to them anymore. Unfortunately we did not notice that in the past as tomcat always accepted these requests until the latest update for debian came out. I totally agree that the best solution would be to let those devices send proper HTTP protocol but I guess we'll have to find a workaround on server-side. - -chris -BEGIN PGP SIGNATURE- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4T
