Re: Version Question

2020-03-20 Thread Martin Grigorov 
Hi,

On Sat, Mar 21, 2020, 00:37  wrote:

> Good afternoon Mark and group.
>
> There is a question as to WHAT are the correct versions released. Are
> these 7.0.103, 8.5.53, and 9.0.33 as shown on tomcat.apache.org, OR is it
> 7.0.104, 8.5.54 and 9.0.34 as shown on ci.apache.org?
>

The first.
CI lists the currently developed versions.

Martin


> Thank you,
>
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Asst Vice President
>
> Middleware Product Engineering
> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>
> Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13,
> 12/20 - 12/31
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
>
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>

Version Question

2020-03-20 Thread jonmcalexander 
Good afternoon Mark and group.

There is a question as to WHAT are the correct versions released. Are these 
7.0.103, 8.5.53, and 9.0.33 as shown on tomcat.apache.org, OR is it 7.0.104, 
8.5.54 and 9.0.34 as shown on ci.apache.org?

Thank you,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 
- 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

Re: Security audit raises questions (Tomcat 7.0.93)

2020-03-20 Thread James H. H. Lampert 

On 3/18/20 4:03 AM, Mark Thomas replied to my questions:


But I'm not sure (1) how security constraints interact with other
security constraints, and


See section 13.8.1 of the Servlet 4.0 spec.


(2) whether they can go in the conf/web.xml as
well as individual webapps' web.xml files.


Yes they can.


Dear Mr. Thomas, et al.:

Ok. I've finally gotten back to this, and I've found a copy of the 
Servlet 4.0 spec, and read the entire 13.8 section.


I'm not yet clear on how they interact with each other if they exist at 
both the conf/web.xml level and the individual webapp level.


Given a Tomcat server with several webapps running, including multiple 
copies of the same webapp (call it A), each accessing different 
underlying resources.


Each copy of A has this:

     
Logs
Logs
/logs/* 
/logs.jsp   
    
   
   


The manager and host-manager have their "out-of-the-box" security 
constraints.


Another specialized webapp (call it "S") has no security constraints in 
its web.xml.


There is also a context that consists only of static content, with no 
web.xml, and therefore no security constraints of its own.


And conf/web.xml has no security constraints.

Now, suppose I were to put this into conf/web.xml:



  
  Suppress OPTIONS
  /*
  OPTIONS
 
 
 


Would that (1) block OPTIONS globally, and (2) *not* get into any fights 
with any of the individual webapp security constraints?


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: How to pass the --enable-preview parameter when using JSVC?

2020-03-20 Thread ken edward 
Yes, I did try -X--enable-preview, was passed via jsvc, but not in a
meaningful or understandable way to java/tomcat.



On Thu, Mar 19, 2020 at 3:11 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Ken,
>
> On 3/18/20 16:25, ken edward wrote:
> > Hello,
> >
> > When I deploy my war it produces the below error message, telling
> > me to pass  the "--enable-preview".  I can add the
> > "--enable-preview" to my tomcat start.sh script dev environment to
> > resolve the problem. However, if I launch the production tomcat
> > using the jsvc binary (to bind to port 443 instead of 8443), the
> > JSVC binary doesn't seem to pass the "--enable-preview" parameter.
> >
> > What must I do to allow JSVC to accept and pass the
> > "--enable-preview" parameter?
> >
> > apache-tomcat-9.0.27 jdk-13.0.1
> >
> > 18-Mar-2020 15:38:27.659 SEVERE [main]
> > org.apache.catalina.core.StandardContext.filterStart Exception
> > starting filter [FrameSecurityFilter]
> > java.lang.UnsupportedClassVersionError: Preview features are not
> > enabled for com/marsh/div/rock/emp/FrameSecurityFilter (class file
> > version 57.65535). Try running with '--enable-preview' (unable to
> > load class ..)
> >
> > BUT then if I try to add --enable-preview to the production JSVC
> > script environment: "Invalid option --enable-preview Cannot parse
> > command line arguments"
>
> Have you tried "-X--enable-preview"?
>
> Most Java-related binaries which call through to the JVM (e.g. javac)
> offer an option to pass JVM parameters using "-J[foo]". I don't see a
> mirror of that for jsvc unless maybe -X is intended to provide that
> facility.
>
> I would suggest that you ask the jsvc folks if they would consider
> adding a -J alias to -X if indeed that's what it's for. If -X is
> different than -J, then they should probably introduce a new -J option
> to support such things.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5zw8UACgkQHPApP6U8
> pFgBnBAAmTZhyH/xSO2Nwtn0pYz3ddG1L6uvqfi1CVH0SxOZuf0MLzvxwtLAkgNU
> eqH72v8wXc0yBUm62Phphb/YtG2jhesOIKS2X8Tr33gYS9XNV8wkhfRMB/4/k295
> 2tkdydVgTezI3jXOG/ONA1kHVIEcuhxQWcdHJuYK2oFqGn559bHOj+SQB+FMPdLE
> BQNc5ZAFt20o05Q0Bx9Nsv69tlZPkaCc28DiQlinGFvPVqE4j/0M5VIxlc8uR3KR
> FbharaHsnMs0RIesec3+ITSyv7Vz16AQEPlEaNBuhSEN8e4S4Pk8xS7VGDbh/N7z
> J3pTWxi/VDoEunioqjr6KxIrzlSVF+KrNpIpJWUtT+k2if8CzvztkLDW9HoSdj3o
> GsMoSf1Pr4Jj5hHdr/MvmBthJ3d4BxD92iS1ADB2hinfu28mEPHiLRBWLd2GICOH
> zCKDTGfe9w+7y1kYcvz9Mf4nm0vnGE7/iaTZ3ZKJRLAHwJC6xQksA0S/OavmCsrx
> CtqHnzZoWZo2hXB4GoyK92qmy5iihfxyMHaQ5fADcQ7Kn+xPqv6DxEnASLqV/pj5
> ZZCBfgJYAo/6IOYpte1MJ8AVAAwDvLIlsWcNpIF2Cfdu5vwHwh+9wSnM3eqGHznP
> 4FYdaRuuQIqKZS4VOdE6GTDzm2SloZGYWGx7fYuVlUaszflWzF0=
> =Z/9B
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Re: AW: AW: AJP Connector issue

2020-03-20 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

RK,

On 3/20/20 13:33, RK Ashburn wrote:
> thanks Chirs. fixed it to an real ip,

In many cases, 0.0.0.0 is basically the same as binding to the
interface which represents the outside world (e.g. eth0, etc.).

See my other reply in this thread to see what I would recommend in
terms of a secure deployment of AJP.

- -chris

> On Fri, Mar 20, 2020 at 12:40 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
 I have tested r successful AJP connector with apache proxy
 on (tomcat 7)

 1. For AJP connector adding  secretRequired="false" and
> address="0.0.0.0"
 resolved my connectivity issue. I suspect the issue you are
 having (with 403)  is more like a permissions issue on the
 site the request is
> trying to
 reach, than a AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly
> secure. Are you really expecting an AJP connection from anywhere in
> the world?
>
> -chris
>
 On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
 florian.fri...@irb.fraunhofer.de> wrote:

> Just to make it clear what from my opinion the problem is:
>
> SCHWERWIEGEND [main]
> org.apache.catalina.core.StandardService.startInternal
> Failed to start connector [Connector[AJP/1.3-8011]]
> org.apache.catalina.LifecycleException: Der Start des
> Protokoll-Handlers ist fehlgeschlagen at
>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1
05
>
>
7)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:18
3)
>
>
>
>
at
>
> org.apache.catalina.core.StandardService.startInternal(StandardService
.j
>
>
ava:440)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:18
3)
>
>
>
>
at
>
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.j
av
>
>
a:766)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:18
3)
>
>
>
>
at
> org.apache.catalina.startup.Catalina.start(Catalina.java:688)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method) at
>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
av
>
>
a:62)
> at
>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
or
>
>
Impl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498) at
> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>
>
at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>
>
Caused by: java.lang.IllegalArgumentException: The AJP
> Connector
> is configured with secretRequired="true" but the secret
> attribute
> is either
> null or "". This combination is not valid. at
>
> org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.ja
va
>
>
:274)
> at
>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1
05
>
>
5)
> ... 12 more
>
> This new "secretRequired" attribute prevents the Tomcat
> from starting flawlessly. It was first introduced with the
> Ghostcat release. So this is a wish from me to the Tomcat
> developers: Please set this new attribute not mandatory but
> optional. So that I can run the newest
> Tomcat
> without this attribute which I do now with the
> pre-Ghostcat releases.
>
> Have a nice weekend Florian Fritze
>
> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum
> und Bau IRB Competence Center Research Services & Open
> Science Nobelstr. 12, 70569 Stuttgart, Germany Telefon +49
> 711 970-2713 florian.fri...@irb.fraunhofer.de |
> www.irb.fraunhofer.de
>
>
> -Ursprüngliche Nachricht- Von: André Warnier
> (tomcat/perl)  Gesendet: Freitag, 20. März
> 2020 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW:
> AJP Connector issue
>
> Ok, so it looks like : - the request is effectively
> reaching tomcat, and that it is tomcat sending back the 403
> response. - the URL is "/", so presumably it is
> "well-formed" etc.
>
> Furthermore, according to something you wrote below, both
> Apache
> httpd and
> tomcat are running on the same Linux host.
>
> This reminds me vaguely of some issue previously (and
> recently)
> discussed
> on the list, with some request attributes which tomcat did
> not like.. But I do not remember ptecisely what the issue
> was, and it also
> seems to
> me that this concerned an IIS front-end, not Apache httpd.
>
> Perhaps someone else on the list has a better idea.
>
>
> Incidentally, it also seems that you are, in httpd,
> proxying *all* requests to tomcat. Which raises the
> question of why you have a httpd front-end in the
> first
> place. (But that's a later

Re: AW: AW: AJP Connector issue

2020-03-20 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jon,

On 3/20/20 13:28, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Christopher,
>
> Is there an entry that can go in the AJP connector to restrict
> what
addresses it will listen to requests from? Meaning you can list the IP
addresses of the web servers?

Tomcat has no knowledge of your web servers. But presumably YOU know
where your web servers are and how they should be connecting. If they
are on different hosts, using AJP means that you are communicating
over an insecure channel over a network. Is that acceptable to you? IF
not, you need to either switch protocols (e.g. HTTPS) or tunnel AJP
through something like stunnel.

IMO, if you want to use AJP then you need to do this:

client
 |
 | HTTP
 \/
web server
 |
 | AJP-over-TLS (stunnel)
 |
 |
 \/
app server:8010
 |
 | stunnel unwraps AJP
 |
 \/
app server:8009

In this scenario, Tomcat listens on 127.0.0.1:8009 and stunnel listens
on the public interface and requires mutual TLS in order to connect.
You can also use IP whitelisting if you want to be even more paranoid.

> I know I'm top replying, but Outlook sucks with this. :-(

Just go to the bottom of the message and start typing instead of
typing at the top :)

- -chris

> -Original Message- From: Christopher Schultz
>  Sent: Friday, March 20, 2020 11:40
> AM To: users@tomcat.apache.org Subject: Re: AW: AW: AJP Connector
> issue
>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
>> I have tested r successful AJP connector with apache proxy on
>> (tomcat 7)
>
>> 1. For AJP connector adding  secretRequired="false" and
> address="0.0.0.0"
>> resolved my connectivity issue. I suspect the issue you are
>> having (with 403)  is more like a permissions issue on the site
>> the request is
> trying to
>> reach, than a AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly
> secure. Are you really expecting an AJP connection from anywhere in
> the world?
>
> -chris
>
>> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
>> florian.fri...@irb.fraunhofer.de> wrote:
>
>>> Just to make it clear what from my opinion the problem is:
>>>
>>> SCHWERWIEGEND [main]
>>> org.apache.catalina.core.StandardService.startInternal Failed
>>> to start connector [Connector[AJP/1.3-8011]]
>>> org.apache.catalina.LifecycleException: Der Start des
>>> Protokoll-Handlers ist fehlgeschlagen at
>>>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1
05
>
>
7)
>>> at
>>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>
>>>
>
>>>
at
>>>
> org.apache.catalina.core.StandardService.startInternal(StandardService
.j
>
>
ava:440)
>>> at
>>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>
>>>
>
>>>
at
>>>
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.j
av
>
>
a:766)
>>> at
>>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>>
>>>
>
>>>
at
>>> org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
av
>
>
a:62)
>>> at
>>>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
or
>
>
Impl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:498) at
>>> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>>>
>>>
at
>>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>>> Caused by: java.lang.IllegalArgumentException: The AJP
> Connector
>>> is configured with secretRequired="true" but the secret
>>> attribute
> is either
>>> null or "". This combination is not valid. at
>>>
> org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.ja
va
>
>
:274)
>>> at
>>>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1
05
>
>
5)
>>> ... 12 more
>>>
>>> This new "secretRequired" attribute prevents the Tomcat from
>>> starting flawlessly. It was first introduced with the Ghostcat
>>> release. So this is a wish from me to the Tomcat developers:
>>> Please set this new attribute not mandatory but optional. So
>>> that I can run the newest
> Tomcat
>>> without this attribute which I do now with the pre-Ghostcat
>>> releases.
>>>
>>> Have a nice weekend Florian Fritze
>>>
>>> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und
>>> Bau IRB Competence Center Research Services & Open Science
>>> Nobelstr. 12, 70569 Stuttgart, Germany Telefon +49 711 970-2713
>>>  florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>>
>>>
>>> -Ursprüngliche Nachricht- Von: André Warnier
>>> (tomcat/perl)  Gesendet: Freitag, 20. März 2020
>>> 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW: AJP
>>> Connector issue
>>>
>>> Ok, so it looks like : - the request is effectively reaching
>>> tomcat, and that it is tomcat sending back the 403 response. -
>>> the URL is "/", so presumably it is "well-formed"

Re: AW: AW: AJP Connector issue

2020-03-20 Thread RK Ashburn 
thanks Chirs. fixed it to an real ip,





On Fri, Mar 20, 2020 at 12:40 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> RK,
>
> On 3/20/20 09:57, RK Ashburn wrote:
> > I have tested r successful AJP connector with apache proxy on
> > (tomcat 7)
> >
> > 1. For AJP connector adding  secretRequired="false" and
> address="0.0.0.0"
> > resolved my connectivity issue. I suspect the issue you are having
> > (with 403)  is more like a permissions issue on the site the
> > request is
> trying to
> > reach, than a AJP connector configuration issue.
>
> binding to "all interfaces" may work, but it's not terribly secure.
> Are you really expecting an AJP connection from anywhere in the world?
>
> - -chris
>
> > On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> > florian.fri...@irb.fraunhofer.de> wrote:
> >
> >> Just to make it clear what from my opinion the problem is:
> >>
> >> SCHWERWIEGEND [main]
> >> org.apache.catalina.core.StandardService.startInternal Failed to
> >> start connector [Connector[AJP/1.3-8011]]
> >> org.apache.catalina.LifecycleException: Der Start des
> >> Protokoll-Handlers ist fehlgeschlagen at
> >>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:105
> 7)
> >> at
> >> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>
> >>
> at
> >>
> org.apache.catalina.core.StandardService.startInternal(StandardService.j
> ava:440)
> >> at
> >> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>
> >>
> at
> >>
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.jav
> a:766)
> >> at
> >> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> >>
> >>
> at
> >> org.apache.catalina.startup.Catalina.start(Catalina.java:688) at
> >> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
> >>
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
> a:62)
> >> at
> >>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
> Impl.java:43)
> >> at java.lang.reflect.Method.invoke(Method.java:498) at
> >> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> >> at
> >> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> >> Caused by: java.lang.IllegalArgumentException: The AJP
> Connector
> >> is configured with secretRequired="true" but the secret
> >> attribute
> is either
> >> null or "". This combination is not valid. at
> >>
> org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java
> :274)
> >> at
> >>
> org.apache.catalina.connector.Connector.startInternal(Connector.java:105
> 5)
> >> ... 12 more
> >>
> >> This new "secretRequired" attribute prevents the Tomcat from
> >> starting flawlessly. It was first introduced with the Ghostcat
> >> release. So this is a wish from me to the Tomcat developers:
> >> Please set this new attribute not mandatory but optional. So that
> >> I can run the newest
> Tomcat
> >> without this attribute which I do now with the pre-Ghostcat
> >> releases.
> >>
> >> Have a nice weekend Florian Fritze
> >>
> >> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und
> >> Bau IRB Competence Center Research Services & Open Science
> >> Nobelstr. 12, 70569 Stuttgart, Germany Telefon +49 711 970-2713
> >> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
> >>
> >>
> >> -Ursprüngliche Nachricht- Von: André Warnier
> >> (tomcat/perl)  Gesendet: Freitag, 20. März 2020
> >> 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW: AJP
> >> Connector issue
> >>
> >> Ok, so it looks like : - the request is effectively reaching
> >> tomcat, and that it is tomcat sending back the 403 response. -
> >> the URL is "/", so presumably it is "well-formed" etc.
> >>
> >> Furthermore, according to something you wrote below, both Apache
> httpd and
> >> tomcat are running on the same Linux host.
> >>
> >> This reminds me vaguely of some issue previously (and recently)
> discussed
> >> on the list, with some request attributes which tomcat did not
> >> like.. But I do not remember ptecisely what the issue was, and it
> >> also
> seems to
> >> me that this concerned an IIS front-end, not Apache httpd.
> >>
> >> Perhaps someone else on the list has a better idea.
> >>
> >>
> >> Incidentally, it also seems that you are, in httpd, proxying
> >> *all* requests to tomcat. Which raises the question of why you
> >> have a httpd front-end in the
> first
> >> place. (But that's a later discussion maybe, let's first see why
> >> "/"
> doesn't work)
> >>
> >>
> >> On 20.03.2020 11:07, Fritze, Florian wrote:
> >>> Here is the additional information:
> >>>
> >>> The error page looks like Tomcat:
> >>>
> >>> HTTP Status 403 – Forbidden
> >>>
> >>> _
> >>>
> >>> Type Status Report
> >>>
> >>> Beschreibung Der Server hat die Anfrage verstanden, verbietet
> >>> aber
> eine
> >> Autorisierung.
> >>>
> >>> _
> >>>
> >>> Apache Tomcat/8.5.53
>

RE: AW: AW: AJP Connector issue

2020-03-20 Thread jonmcalexander 
Christopher,

Is there an entry that can go in the AJP connector to restrict what addresses 
it will listen to requests from? Meaning you can list the IP addresses of the 
web servers?

I know I'm top replying, but Outlook sucks with this. :-(

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

Upcoming PTO: 11/8, 11/11, 11/15, 11/22, 11/28, 11/29, 12/2, 12/6, 12/13, 12/20 
– 12/31

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


-Original Message-
From: Christopher Schultz  
Sent: Friday, March 20, 2020 11:40 AM
To: users@tomcat.apache.org
Subject: Re: AW: AW: AJP Connector issue

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested r successful AJP connector with apache proxy on (tomcat 
> 7)
>
> 1. For AJP connector adding  secretRequired="false" and
address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having 
> (with 403)  is more like a permissions issue on the site the request 
> is
trying to
> reach, than a AJP connector configuration issue.

binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

- -chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian < 
> florian.fri...@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what from my opinion the problem is:
>>
>> SCHWERWIEGEND [main]
>> org.apache.catalina.core.StandardService.startInternal Failed to 
>> start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des 
>> Protokoll-Handlers ist fehlgeschlagen at
>>
org.apache.catalina.connector.Connector.startInternal(Connector.java:105
7)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>>
org.apache.catalina.core.StandardService.startInternal(StandardService.j
ava:440)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>>
org.apache.catalina.core.StandardServer.startInternal(StandardServer.jav
a:766)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>> org.apache.catalina.startup.Catalina.start(Catalina.java:688) at 
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
>>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:62)
>> at
>>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498) at
>> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>> at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP
Connector
>> is configured with secretRequired="true" but the secret attribute
is either
>> null or "". This combination is not valid. at
>>
org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java
:274)
>> at
>>
org.apache.catalina.connector.Connector.startInternal(Connector.java:105
5)
>> ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from starting 
>> flawlessly. It was first introduced with the Ghostcat release. So 
>> this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that I 
>> can run the newest
Tomcat
>> without this attribute which I do now with the pre-Ghostcat releases.
>>
>> Have a nice weekend Florian Fritze
>>
>> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und Bau 
>> IRB Competence Center Research Services & Open Science Nobelstr. 12, 
>> 70569 Stuttgart, Germany Telefon +49 711 970-2713 
>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -Ursprüngliche Nachricht- Von: André Warnier
>> (tomcat/perl)  Gesendet: Freitag, 20. März 2020
>> 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW: AJP Connector 
>> issue
>>
>> Ok, so it looks like : - the request is effectively reaching tomcat, 
>> and that it is tomcat sending back the 403 response. - the URL is 
>> "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache
httpd and
>> tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently)
discussed
>> on the list, with some request attributes which tomcat did not like.. 
>> But I do not remember

Re: AW: AW: AJP Connector issue

2020-03-20 Thread Christopher Schultz 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

RK,

On 3/20/20 09:57, RK Ashburn wrote:
> I have tested r successful AJP connector with apache proxy on
> (tomcat 7)
>
> 1. For AJP connector adding  secretRequired="false" and
address="0.0.0.0"
> resolved my connectivity issue. I suspect the issue you are having
> (with 403)  is more like a permissions issue on the site the
> request is
trying to
> reach, than a AJP connector configuration issue.

binding to "all interfaces" may work, but it's not terribly secure.
Are you really expecting an AJP connection from anywhere in the world?

- -chris

> On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
> florian.fri...@irb.fraunhofer.de> wrote:
>
>> Just to make it clear what from my opinion the problem is:
>>
>> SCHWERWIEGEND [main]
>> org.apache.catalina.core.StandardService.startInternal Failed to
>> start connector [Connector[AJP/1.3-8011]]
>> org.apache.catalina.LifecycleException: Der Start des
>> Protokoll-Handlers ist fehlgeschlagen at
>>
org.apache.catalina.connector.Connector.startInternal(Connector.java:105
7)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>>
org.apache.catalina.core.StandardService.startInternal(StandardService.j
ava:440)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>>
org.apache.catalina.core.StandardServer.startInternal(StandardServer.jav
a:766)
>> at
>> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>>
>>
at
>> org.apache.catalina.startup.Catalina.start(Catalina.java:688) at
>> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
>>
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:62)
>> at
>>
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498) at
>> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>> at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: The AJP
Connector
>> is configured with secretRequired="true" but the secret
>> attribute
is either
>> null or "". This combination is not valid. at
>>
org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java
:274)
>> at
>>
org.apache.catalina.connector.Connector.startInternal(Connector.java:105
5)
>> ... 12 more
>>
>> This new "secretRequired" attribute prevents the Tomcat from
>> starting flawlessly. It was first introduced with the Ghostcat
>> release. So this is a wish from me to the Tomcat developers:
>> Please set this new attribute not mandatory but optional. So that
>> I can run the newest
Tomcat
>> without this attribute which I do now with the pre-Ghostcat
>> releases.
>>
>> Have a nice weekend Florian Fritze
>>
>> -- Florian Fritze M.A. Fraunhofer-Informationszentrum Raum und
>> Bau IRB Competence Center Research Services & Open Science
>> Nobelstr. 12, 70569 Stuttgart, Germany Telefon +49 711 970-2713
>> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>>
>>
>> -Ursprüngliche Nachricht- Von: André Warnier
>> (tomcat/perl)  Gesendet: Freitag, 20. März 2020
>> 13:34 An: users@tomcat.apache.org Betreff: Re: AW: AW: AJP
>> Connector issue
>>
>> Ok, so it looks like : - the request is effectively reaching
>> tomcat, and that it is tomcat sending back the 403 response. -
>> the URL is "/", so presumably it is "well-formed" etc.
>>
>> Furthermore, according to something you wrote below, both Apache
httpd and
>> tomcat are running on the same Linux host.
>>
>> This reminds me vaguely of some issue previously (and recently)
discussed
>> on the list, with some request attributes which tomcat did not
>> like.. But I do not remember ptecisely what the issue was, and it
>> also
seems to
>> me that this concerned an IIS front-end, not Apache httpd.
>>
>> Perhaps someone else on the list has a better idea.
>>
>>
>> Incidentally, it also seems that you are, in httpd, proxying
>> *all* requests to tomcat. Which raises the question of why you
>> have a httpd front-end in the
first
>> place. (But that's a later discussion maybe, let's first see why
>> "/"
doesn't work)
>>
>>
>> On 20.03.2020 11:07, Fritze, Florian wrote:
>>> Here is the additional information:
>>>
>>> The error page looks like Tomcat:
>>>
>>> HTTP Status 403 – Forbidden
>>>
>>> _
>>>
>>> Type Status Report
>>>
>>> Beschreibung Der Server hat die Anfrage verstanden, verbietet
>>> aber
eine
>> Autorisierung.
>>>
>>> _
>>>
>>> Apache Tomcat/8.5.53
>>>
>>> The Apache HTTPD log file says:
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042
>>> "-"
>> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like
>> Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
>>>
>>> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1"
>>> 403
885 "
>> https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT
>> 10.0; Win64; x64)

Re: AW: AW: AW: AJP Connector issue

2020-03-20 Thread tomcat/perl 

Hi Florian.

The log below shows clearly "The AJP Connector is configured with 
secretRequired="true"".
This probably comes from the fact that in your AJP Connector configuration, you 
either
- have an explicit secretRequired="true" attribute
or
- you do not mention this attribute, and it defaults to "true"

To get the previous behaviour (without secret), you now *must* specify : 
secretRequired="false".
This is one of the changes in the latest tomcat versions compared to the previous one, and 
this was motivated by security reasons.

So I doubt that there is any chance for that change to be reversed.


On 20.03.2020 13:49, Fritze, Florian wrote:

Just to make it clear what from my opinion the problem is:

SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal 
Failed to start connector [Connector[AJP/1.3-8011]]
org.apache.catalina.LifecycleException: Der Start des 
Protokoll-Handlers ist fehlgeschlagen
at 
org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at 
org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at 
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with 
secretRequired="true" but the secret attribute is either null or "". This 
combination is not valid.
at 
org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
at 
org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
... 12 more

This new "secretRequired" attribute prevents the Tomcat from starting 
flawlessly. It was first introduced with the Ghostcat release.
So this is a wish from me to the Tomcat developers: Please set this new 
attribute not mandatory but optional. So that I can run the newest Tomcat 
without this attribute which I do now with the pre-Ghostcat releases.

Have a nice weekend
Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de


-Ursprüngliche Nachricht-
Von: André Warnier (tomcat/perl) 
Gesendet: Freitag, 20. März 2020 13:34
An: users@tomcat.apache.org
Betreff: Re: AW: AW: AJP Connector issue

Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending 
back the 403 response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and 
tomcat are running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on 
the list, with some request attributes which tomcat did not like..
But I do not remember ptecisely what the issue was, and it also seems to me 
that this concerned an IIS front-end, not Apache httpd.

Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to 
tomcat.
Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)


On 20.03.2020 11:07, Fritze, Florian wrote:

Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

_

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine 
Autorisierung.

_

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 
Edg/80.0.361.69"

- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
"https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"



The

Re: AW: AW: AJP Connector issue

2020-03-20 Thread RK Ashburn 
I have tested r successful AJP connector with apache proxy on (tomcat 7)

1. For AJP connector adding  secretRequired="false" and address="0.0.0.0"
resolved my connectivity issue. I suspect the issue you are having (with
403)  is more like a permissions issue on the site the request is trying to
reach, than a AJP connector configuration issue.


On Fri, Mar 20, 2020 at 8:50 AM Fritze, Florian <
florian.fri...@irb.fraunhofer.de> wrote:

> Just to make it clear what from my opinion the problem is:
>
> SCHWERWIEGEND [main]
> org.apache.catalina.core.StandardService.startInternal Failed to start
> connector [Connector[AJP/1.3-8011]]
> org.apache.catalina.LifecycleException: Der Start des
> Protokoll-Handlers ist fehlgeschlagen
> at
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> at
> org.apache.catalina.startup.Catalina.start(Catalina.java:688)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> Caused by: java.lang.IllegalArgumentException: The AJP Connector
> is configured with secretRequired="true" but the secret attribute is either
> null or "". This combination is not valid.
> at
> org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
> at
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
> ... 12 more
>
> This new "secretRequired" attribute prevents the Tomcat from starting
> flawlessly. It was first introduced with the Ghostcat release.
> So this is a wish from me to the Tomcat developers: Please set this new
> attribute not mandatory but optional. So that I can run the newest Tomcat
> without this attribute which I do now with the pre-Ghostcat releases.
>
> Have a nice weekend
> Florian Fritze
>
> --
> Florian Fritze M.A.
> Fraunhofer-Informationszentrum Raum und Bau IRB
> Competence Center Research Services & Open Science
> Nobelstr. 12, 70569 Stuttgart, Germany
> Telefon +49 711 970-2713
> florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de
>
>
> -Ursprüngliche Nachricht-
> Von: André Warnier (tomcat/perl) 
> Gesendet: Freitag, 20. März 2020 13:34
> An: users@tomcat.apache.org
> Betreff: Re: AW: AW: AJP Connector issue
>
> Ok, so it looks like :
> - the request is effectively reaching tomcat, and that it is tomcat
> sending back the 403 response.
> - the URL is "/", so presumably it is "well-formed" etc.
>
> Furthermore, according to something you wrote below, both Apache httpd and
> tomcat are running on the same Linux host.
>
> This reminds me vaguely of some issue previously (and recently) discussed
> on the list, with some request attributes which tomcat did not like..
> But I do not remember ptecisely what the issue was, and it also seems to
> me that this concerned an IIS front-end, not Apache httpd.
>
> Perhaps someone else on the list has a better idea.
>
>
> Incidentally, it also seems that you are, in httpd, proxying *all*
> requests to tomcat.
> Which raises the question of why you have a httpd front-end in the first
> place.
> (But that's a later discussion maybe, let's first see why "/" doesn't work)
>
>
> On 20.03.2020 11:07, Fritze, Florian wrote:
> > Here is the additional information:
> >
> > The error page looks like Tomcat:
> >
> > HTTP Status 403 – Forbidden
> >
> >_
> >
> > Type Status Report
> >
> > Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine
> Autorisierung.
> >
> >_
> >
> > Apache Tomcat/8.5.53
> >
> > The Apache HTTPD log file says:
> >
> > - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-"
> "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
> Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> >
> > - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 "
> https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0;
> Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149
> Safari/537.36 Edg/80.0.361.69"
> >

AW: OpenId with apache and tomcat

2020-03-20 Thread bernd . schatz 
Hi Stephane,

> -Ursprüngliche Nachricht-
> Von: Stephane Passignat 
> Gesendet: 13 March 2020 17:53
> An: Tomcat Users List 


> Actually I have Apache2 operating as proxy and authenticate layer (HTTP
> Form and HTTP Basic), in front of several Tomcat instances and webapps.
> Apache pushes the userId to tomcat through AJP.
> On tomcat side, the webapp has a Basic login-module in web.xml.
>
> I'm quite satisfied of the result, authentication and authorization are
> out of the application scope. The deployment and maintenance of
> application is super easy. The sensitive maintenance of authentication
> is made by a dedicated team...
>
> I wish to improve that adding OpenId Authentication, keeping apache as
> authentication layer with an openid connector, but the one I saw
> doesn't seems to be used a lot and is not available as precompiled for
> my os...
> I'm looking also at moving authentication at tomcat level with an
> openid Realm. It's not ideal because of the large number of
> applications are servers do impact and network configuration to change,
> ...
>
>
>
> Does someone have experience in this architecture ? Do you have some
> recommendation for Apache Module or Tomcat Realm to use ?

We implement a server extension (with help of nimbusd-library on top of jaspic),
that works on tomcat9  (and all other java-ee application server).
See here ==> https://connect2id.com/products/nimbus-oauth-openid-connect-sdk

Unfortunately it is not open source, yet.


--
Mit freundlichen Grüßen / Kind Regards/ नमस्ते(Namaste)
Bernd Schatz
ITT/FT - Java Free and Open Source Software (JFoSS)
HPC Z252
Gebäude VDZ Ost 1.OG
Plieninger Str. 150
70567 Stuttgart

Bernd Schatz
Büro: +49 711 17 41463
Mobile: +49 151 5862 6591
FAX: +49 711 17 7904 1252
mailto:bernd.sch...@daimler.com
https://git.daimler.com/jfoss
https://matter.i.daimler.com
https://matter.i.daimler.com/daimler-ag/channels/jfoss








If you are not the addressee, please inform us immediately that you have 
received this e-mail by mistake, and delete it. We thank you for your support.

AW: AW: AW: AJP Connector issue

2020-03-20 Thread Fritze, Florian 
Just to make it clear what from my opinion the problem is:

SCHWERWIEGEND [main] org.apache.catalina.core.StandardService.startInternal 
Failed to start connector [Connector[AJP/1.3-8011]]
org.apache.catalina.LifecycleException: Der Start des 
Protokoll-Handlers ist fehlgeschlagen
at 
org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at 
org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at 
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
at 
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at 
org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.lang.IllegalArgumentException: The AJP Connector is 
configured with secretRequired="true" but the secret attribute is either null 
or "". This combination is not valid.
at 
org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
at 
org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
... 12 more

This new "secretRequired" attribute prevents the Tomcat from starting 
flawlessly. It was first introduced with the Ghostcat release.
So this is a wish from me to the Tomcat developers: Please set this new 
attribute not mandatory but optional. So that I can run the newest Tomcat 
without this attribute which I do now with the pre-Ghostcat releases.

Have a nice weekend
Florian Fritze

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de


-Ursprüngliche Nachricht-
Von: André Warnier (tomcat/perl)  
Gesendet: Freitag, 20. März 2020 13:34
An: users@tomcat.apache.org
Betreff: Re: AW: AW: AJP Connector issue

Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending 
back the 403 response.
- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and 
tomcat are running on the same Linux host.

This reminds me vaguely of some issue previously (and recently) discussed on 
the list, with some request attributes which tomcat did not like..
But I do not remember ptecisely what the issue was, and it also seems to me 
that this concerned an IIS front-end, not Apache httpd.

Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to 
tomcat.
Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)


On 20.03.2020 11:07, Fritze, Florian wrote:
> Here is the additional information:
> 
> The error page looks like Tomcat:
> 
> HTTP Status 403 – Forbidden
> 
>_
> 
> Type Status Report
> 
> Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine 
> Autorisierung.
> 
>_
> 
> Apache Tomcat/8.5.53
> 
> The Apache HTTPD log file says:
> 
> - "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
> (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
> Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"
> 
> - "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
> "https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0; Win64; 
> x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 
> Safari/537.36 Edg/80.0.361.69"
> 
> 
> 
> The Tomcat says:
> 
> - - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630
> 
> - - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630
> 
> 
> 
> The server on which all is running is:
> 
> Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 
> 2020 x86_64 x86_64 x86_64 GNU/Linux
> 
> 
> 
> There is no new entry in the Apache HTTPD error.log concering these requests.
> 
> 
> 
> Help is appreciated
> 
> Florian Fritze
> 
> --
> 
> Florian Fritze M.A.
> 
> Fraunhofer-Informationszentrum Raum und Bau IRB
> 
> Competence Center Research Services & Open Science

Re: AW: AW: AJP Connector issue

2020-03-20 Thread tomcat/perl 

Ok, so it looks like :
- the request is effectively reaching tomcat, and that it is tomcat sending back the 403 
response.

- the URL is "/", so presumably it is "well-formed" etc.

Furthermore, according to something you wrote below, both Apache httpd and tomcat are 
running on the same Linux host.


This reminds me vaguely of some issue previously (and recently) discussed on the list, 
with some request attributes which tomcat did not like..
But I do not remember ptecisely what the issue was, and it also seems to me that this 
concerned an IIS front-end, not Apache httpd.


Perhaps someone else on the list has a better idea.


Incidentally, it also seems that you are, in httpd, proxying *all* requests to 
tomcat.
Which raises the question of why you have a httpd front-end in the first place.
(But that's a later discussion maybe, let's first see why "/" doesn't work)


On 20.03.2020 11:07, Fritze, Florian wrote:

Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

   _

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine 
Autorisierung.

   _

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 
Edg/80.0.361.69"

- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
"https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"



The Tomcat says:

- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630

- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630



The server on which all is running is:

Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux



There is no new entry in the Apache HTTPD error.log concering these requests.



Help is appreciated

Florian Fritze

--

Florian Fritze M.A.

Fraunhofer-Informationszentrum Raum und Bau IRB

Competence Center Research Services & Open Science

Nobelstr. 12, 70569 Stuttgart, Germany

Telefon +49 711 970-2713

florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de





-Ursprüngliche Nachricht-
Von: André Warnier (tomcat/perl) 
Gesendet: Freitag, 20. März 2020 10:14
An: users@tomcat.apache.org
Betreff: Re: AW: AJP Connector issue



On 20.03.2020 08:23, Fritze, Florian wrote:


Hello Chris,







thanks for the reply. Maybe I am doing something wrong, but setting



secretRequired="false" does not solve my issue. Let me show you what I



did and experience: I added 


redirectPort="8443" secretRequired="false" /> to the Tomcat



configuration and the ajp connector on the Apache HTTPD side connects



to 8011. When I now visit my website I got HTTP Status 403 – Forbidden




And just to make diagnosis a bit quicker : does that 403 error page look like 
an Apache httpd page, or a tomcat page ? (they look quite differemt in style).



Also, can you check both the httpd logs, and the tomcat logs for that request, 
and check what they say ?  (compare by timestamnp and URI)



Also, under what OS does your front-end httpd run ?








I attached also the error page as a screenshot to this mail. This



behaviour exists only sice the Ghostcat fix release (I know that this



has nothing to do with security fix but probably with the release itself).







Thanks in advance



Florian







--



Florian Fritze M.A.



Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center



Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,



Germany Telefon +49 711 970-2713 
florian.fri...@irb.fraunhofer.de |



www.irb.fraunhofer.de







-Ursprüngliche Nachricht-



Von: Christopher Schultz 
mailto:ch...@christopherschultz.net>>



Gesendet: Donnerstag, 19. März 2020 20:14



An: users@tomcat.apache.org



Betreff: Re: AJP Connector issue







-BEGIN PGP SIGNED MESSAGE-



Hash: SHA256







Florian,







On 3/19/20 07:43, Fritze, Florian wrote:



since the Tomcat release with the Ghostcat security fix (Tomcat



8.5.51) me as an admin have the problem using the



https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to



connect the Apache HTTPD with the Tomcat running on localhost. The



attribute secretRequired must be set to „true“ or „false“ with



„false“ set the connection is not possible between Tomcat and Apache HTTPD.







When you have set secretRequired="false", it's not possible to



connect? When you try to connect, what DOES happen?







With „true“ the Apache development is not ready in the current



version to work with the „secret“ attribute. Only the next version of



Apache



2.4 supports this

AW: AW: AJP Connector issue

2020-03-20 Thread Fritze, Florian 
Here is the additional information:

The error page looks like Tomcat:

HTTP Status 403 – Forbidden

  _

Type Status Report

Beschreibung Der Server hat die Anfrage verstanden, verbietet aber eine 
Autorisierung.

  _

Apache Tomcat/8.5.53

The Apache HTTPD log file says:

- "" [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 1042 "-" "Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/80.0.3987.149 Safari/537.36 Edg/80.0.361.69"

- "" [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 885 
"https://dev-fordatis.fraunhofer.de/; "Mozilla/5.0 (Windows NT 10.0; Win64; 
x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 
Edg/80.0.361.69"



The Tomcat says:

- - [20/Mar/2020:10:56:24 +0100] "GET / HTTP/1.1" 403 630

- - [20/Mar/2020:10:56:24 +0100] "GET /favicon.ico HTTP/1.1" 403 630



The server on which all is running is:

Linux 5.3.0-42-generic #34~18.04.1-Ubuntu SMP Fri Feb 28 13:42:26 UTC 2020 
x86_64 x86_64 x86_64 GNU/Linux



There is no new entry in the Apache HTTPD error.log concering these requests.



Help is appreciated

Florian Fritze

--

Florian Fritze M.A.

Fraunhofer-Informationszentrum Raum und Bau IRB

Competence Center Research Services & Open Science

Nobelstr. 12, 70569 Stuttgart, Germany

Telefon +49 711 970-2713

florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de





-Ursprüngliche Nachricht-
Von: André Warnier (tomcat/perl) 
Gesendet: Freitag, 20. März 2020 10:14
An: users@tomcat.apache.org
Betreff: Re: AW: AJP Connector issue



On 20.03.2020 08:23, Fritze, Florian wrote:

> Hello Chris,

>

> thanks for the reply. Maybe I am doing something wrong, but setting

> secretRequired="false" does not solve my issue. Let me show you what I

> did and experience: I added  redirectPort="8443" secretRequired="false" /> to the Tomcat

> configuration and the ajp connector on the Apache HTTPD side connects

> to 8011. When I now visit my website I got HTTP Status 403 – Forbidden



And just to make diagnosis a bit quicker : does that 403 error page look like 
an Apache httpd page, or a tomcat page ? (they look quite differemt in style).



Also, can you check both the httpd logs, and the tomcat logs for that request, 
and check what they say ?  (compare by timestamnp and URI)



Also, under what OS does your front-end httpd run ?



>

> I attached also the error page as a screenshot to this mail. This

> behaviour exists only sice the Ghostcat fix release (I know that this

> has nothing to do with security fix but probably with the release itself).

>

> Thanks in advance

> Florian

>

> --

> Florian Fritze M.A.

> Fraunhofer-Informationszentrum Raum und Bau IRB Competence Center

> Research Services & Open Science Nobelstr. 12, 70569 Stuttgart,

> Germany Telefon +49 711 970-2713 
> florian.fri...@irb.fraunhofer.de |

> www.irb.fraunhofer.de

>

> -Ursprüngliche Nachricht-

> Von: Christopher Schultz 
> mailto:ch...@christopherschultz.net>>

> Gesendet: Donnerstag, 19. März 2020 20:14

> An: users@tomcat.apache.org

> Betreff: Re: AJP Connector issue

>

> -BEGIN PGP SIGNED MESSAGE-

> Hash: SHA256

>

> Florian,

>

> On 3/19/20 07:43, Fritze, Florian wrote:

>> since the Tomcat release with the Ghostcat security fix (Tomcat

>> 8.5.51) me as an admin have the problem using the

>> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to

>> connect the Apache HTTPD with the Tomcat running on localhost. The

>> attribute secretRequired must be set to „true“ or „false“ with

>> „false“ set the connection is not possible between Tomcat and Apache HTTPD.

>

> When you have set secretRequired="false", it's not possible to

> connect? When you try to connect, what DOES happen?

>

>> With „true“ the Apache development is not ready in the current

>> version to work with the „secret“ attribute. Only the next version of

>> Apache

>> 2.4 supports this attribute.

> Correct. Support for secret= in mod_proxy_ajp was evidently never

> really a priority for anybody until now.

>

>> So I want to use the newest Tomcat version and an AJP connector but

>> after the Ghostcat fix release there is this attribute which does not

>> work in my configuration.

>>

>> Are there any suggestions or solutions available that you can deliver

>> me (links or documentation, etc.)

>

> secretRequired="false" should be all you need.

>

> Of course, to be truly secure, you need to make sure that not just

> anybody can make requests through your AJP interface. Have you secured

> that interface from potential evildoers?

>

> - -chris

> -BEGIN PGP SIGNATURE-

> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

>

> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5zxHsACgkQHPApP6U8

> pFjf7Q/+Ixbc10KYI07Wb1pdzQajVtw88BcfSZ3dfam2Q9aj2IhZJD5GUTzszAGC

>

[ANN] Apache Tomcat 7.0.103 released

2020-03-20 Thread Violeta Georgieva 
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.103.

Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.

This release contains a number of bug fixes and improvements compared to
version 7.0.100. The notable changes since 7.0.100 include:


- Add new attribute persistAuthentication to both StandardManager and
  PersistentManager to support authentication persistence.
  Patch provided by Carsten Klein

- A zero length AJP secret will now behave as if it has not been
  specified.

- Add the TLS request attributes used by IIS to the attributes that
  an AJP Connector will always accept.


Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Apache Tomcat website:
http://tomcat.apache.org

Downloads:
http://tomcat.apache.org/download-70.cgi

Migration guides from Apache Tomcat 5.5.x and 6.0.x:
http://tomcat.apache.org/migration.html

Enjoy

The Apache Tomcat team

Re: AW: AJP Connector issue

2020-03-20 Thread tomcat/perl 

On 20.03.2020 08:23, Fritze, Florian wrote:

Hello Chris,

thanks for the reply. Maybe I am doing something wrong, but setting
secretRequired="false" does not solve my issue. Let me show you what I did
and experience: I added  to the Tomcat configuration
and the ajp connector on the Apache HTTPD side connects to 8011. When I now
visit my website I got HTTP Status 403 – Forbidden


And just to make diagnosis a bit quicker : does that 403 error page look like an Apache 
httpd page, or a tomcat page ? (they look quite differemt in style).


Also, can you check both the httpd logs, and the tomcat logs for that request, and check 
what they say ?  (compare by timestamnp and URI)


Also, under what OS does your front-end httpd run ?



I attached also the error page as a screenshot to this mail. This behaviour
exists only sice the Ghostcat fix release (I know that this has nothing to
do with security fix but probably with the release itself).

Thanks in advance
Florian

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de

-Ursprüngliche Nachricht-
Von: Christopher Schultz 
Gesendet: Donnerstag, 19. März 2020 20:14
An: users@tomcat.apache.org
Betreff: Re: AJP Connector issue

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Florian,

On 3/19/20 07:43, Fritze, Florian wrote:

since the Tomcat release with the Ghostcat security fix (Tomcat
8.5.51) me as an admin have the problem using the
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to
connect the Apache HTTPD with the Tomcat running on localhost. The
attribute secretRequired must be set to „true“ or „false“ with „false“
set the connection is not possible between Tomcat and Apache HTTPD.


When you have set secretRequired="false", it's not possible to connect? When
you try to connect, what DOES happen?


With „true“ the Apache development is not ready in the current version
to work with the „secret“ attribute. Only the next version of Apache
2.4 supports this attribute.

Correct. Support for secret= in mod_proxy_ajp was evidently never really a
priority for anybody until now.


So I want to use the newest Tomcat version and an AJP connector but
after the Ghostcat fix release there is this attribute which does not
work in my configuration.

Are there any suggestions or solutions available that you can deliver
me (links or documentation, etc.)


secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just anybody
can make requests through your AJP interface. Have you secured that
interface from potential evildoers?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5zxHsACgkQHPApP6U8
pFjf7Q/+Ixbc10KYI07Wb1pdzQajVtw88BcfSZ3dfam2Q9aj2IhZJD5GUTzszAGC
bs6eySKEh5vqaHq+oy2ZOuv2f1xxukPQ3/XfmIEUb83G7QScwlMf0r5dth9uslcq
cUgHFkpGhSQghB2yhZSzKMzF7gjRY9QI0S5EpEHTQ45CUvREWr4GRyLndkjTbu2C
rhdB+8ud4iErWJe1Er0NEqOgoVL8Ceed4BGRYzoT7+lN1dRE4MFIn8ALdVzAvo4L
9ZIm+zawSkx7jUTAGDi4wHd2KrewR9kqJybovZaACx/yc6IF1Sv+DaWlTUDdabE2
qrSl45mA4EdLCeH1wfbZ62IhErbxvLahygAwgYSeMfhv02vzBbmn8bXY4yg359ln
aO2AV3xNbxFrF56XatRGIJ+3/ETh2oIv0PLnJEr8xc3CcwdJ+rn8c9i84ZZLnHb6
iTl+Gx9pCUbtH0qCILzLzj7Js9yl13o9AVu3UQ9UxY9BNxkFiKKBe4YfGUev2iiB
Vx1Zw6S6/ByjhUpzaSEciSYCkr+pR61iOJpCN9B3tnpv4cRgkqwPWEPgMFDtvFT9
ciwpDuN+O2YPPE0Z39tSy64Ge2QWyPkvb8hVZUEZGVMRmQ1W5LhDJhNxECklxKOh
sZPFkji5aVOxj6TT5vwqQDov+FyU2pV5/HRD4fe/vr8vdKj+vec=
=CYi0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: AJP Connector issue

2020-03-20 Thread Fritze, Florian 
Hello Chris,

thanks for the reply. Maybe I am doing something wrong, but setting
secretRequired="false" does not solve my issue. Let me show you what I did
and experience: I added  to the Tomcat configuration
and the ajp connector on the Apache HTTPD side connects to 8011. When I now
visit my website I got HTTP Status 403 – Forbidden

I attached also the error page as a screenshot to this mail. This behaviour
exists only sice the Ghostcat fix release (I know that this has nothing to
do with security fix but probably with the release itself).

Thanks in advance
Florian

--
Florian Fritze M.A.
Fraunhofer-Informationszentrum Raum und Bau IRB
Competence Center Research Services & Open Science
Nobelstr. 12, 70569 Stuttgart, Germany
Telefon +49 711 970-2713
florian.fri...@irb.fraunhofer.de | www.irb.fraunhofer.de

-Ursprüngliche Nachricht-
Von: Christopher Schultz  
Gesendet: Donnerstag, 19. März 2020 20:14
An: users@tomcat.apache.org
Betreff: Re: AJP Connector issue

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Florian,

On 3/19/20 07:43, Fritze, Florian wrote:
> since the Tomcat release with the Ghostcat security fix (Tomcat
> 8.5.51) me as an admin have the problem using the 
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html module to 
> connect the Apache HTTPD with the Tomcat running on localhost. The 
> attribute secretRequired must be set to „true“ or „false“ with „false“ 
> set the connection is not possible between Tomcat and Apache HTTPD.

When you have set secretRequired="false", it's not possible to connect? When
you try to connect, what DOES happen?

> With „true“ the Apache development is not ready in the current version 
> to work with the „secret“ attribute. Only the next version of Apache 
> 2.4 supports this attribute.
Correct. Support for secret= in mod_proxy_ajp was evidently never really a
priority for anybody until now.

> So I want to use the newest Tomcat version and an AJP connector but 
> after the Ghostcat fix release there is this attribute which does not 
> work in my configuration.
>
> Are there any suggestions or solutions available that you can deliver 
> me (links or documentation, etc.)

secretRequired="false" should be all you need.

Of course, to be truly secure, you need to make sure that not just anybody
can make requests through your AJP interface. Have you secured that
interface from potential evildoers?

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl5zxHsACgkQHPApP6U8
pFjf7Q/+Ixbc10KYI07Wb1pdzQajVtw88BcfSZ3dfam2Q9aj2IhZJD5GUTzszAGC
bs6eySKEh5vqaHq+oy2ZOuv2f1xxukPQ3/XfmIEUb83G7QScwlMf0r5dth9uslcq
cUgHFkpGhSQghB2yhZSzKMzF7gjRY9QI0S5EpEHTQ45CUvREWr4GRyLndkjTbu2C
rhdB+8ud4iErWJe1Er0NEqOgoVL8Ceed4BGRYzoT7+lN1dRE4MFIn8ALdVzAvo4L
9ZIm+zawSkx7jUTAGDi4wHd2KrewR9kqJybovZaACx/yc6IF1Sv+DaWlTUDdabE2
qrSl45mA4EdLCeH1wfbZ62IhErbxvLahygAwgYSeMfhv02vzBbmn8bXY4yg359ln
aO2AV3xNbxFrF56XatRGIJ+3/ETh2oIv0PLnJEr8xc3CcwdJ+rn8c9i84ZZLnHb6
iTl+Gx9pCUbtH0qCILzLzj7Js9yl13o9AVu3UQ9UxY9BNxkFiKKBe4YfGUev2iiB
Vx1Zw6S6/ByjhUpzaSEciSYCkr+pR61iOJpCN9B3tnpv4cRgkqwPWEPgMFDtvFT9
ciwpDuN+O2YPPE0Z39tSy64Ge2QWyPkvb8hVZUEZGVMRmQ1W5LhDJhNxECklxKOh
sZPFkji5aVOxj6TT5vwqQDov+FyU2pV5/HRD4fe/vr8vdKj+vec=
=CYi0
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



smime.p7s
Description: S/MIME cryptographic signature