Re: Mixed User Session

2021-01-15 Thread juan
Hi,

Below is the connector definition, we had 1 case reported that we know of
but during the reported incident couldn't find anything in the logs during
the transactions.  We haven't been able to reproduce the issue.  We do have
another environment that was added into the mix and handles the
authentication piece. So we receive information back from them which
provides the necessary data to CAS SSO to send to the client app that
initiated the request.  We did have conversations with them and they did
mention the possibility of session information for another user being
provided back.  We installed haveged to help us have sufficient entropy.
When we first encountered something like this, we handled authentication locally
on the environment and we saw errors in the tomcat logs, this time
authentication is handled externally and there are no errors found in the
log.








Thanks!

On Fri, Jan 15, 2021 at 11:05 AM Olaf Kock  wrote:

>
> On 15.01.21 15:57, juan wrote:
> > Hi,
> >
> > We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
> > have multiple servers behind an AWS load balancer setup with sticky
> > sessions. We encountered a weird situation where a user who logged into
> > their application was presented with another user's profile after login. Has
> > anyone encountered something similar to this? Both users hit the same
> > tomcat server seconds apart and the user was on his personal computer and
> > doesn't know the first user.
>
> I've seen stuff like this happening when a reverse proxy was over-eager
> in caching stuff that it saw. 100% of cases where I've seen this
> behavior had this as a root cause.
>
> "over-eager" might mean that Tomcat (e.g. your app) doesn't signal the
> upstream proxy that the content is private, or the upstream proxy
> ignoring such signals.
>
>
> It's been a long time since I last saw it (and back then I didn't
> fix it myself - just provided information like the above) so I barely
> remember the key points to configure or look after. Maybe it helps
> already, otherwise we'll have to wait for someone to point to the usual
> suspects in the individual configurations.
>
> Olaf
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Mixed User Session

2021-01-15 Thread Olaf Kock


On 15.01.21 15:57, juan wrote:
> Hi,
>
> We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
> have multiple servers behind an AWS load balancer setup with sticky
> sessions. We encountered a weird situation where a user who logged into
> their application was presented with another user's profile after login. Has
> anyone encountered something similar to this? Both users hit the same
> tomcat server seconds apart and the user was on his personal computer and
> doesn't know the first user.

I've seen stuff like this happening when a reverse proxy was over-eager
in caching stuff that it saw. 100% of cases where I've seen this
behavior had this as a root cause.

"over-eager" might mean that Tomcat (e.g. your app) doesn't signal the
upstream proxy that the content is private, or the upstream proxy
ignoring such signals.


It's been a long time since I last saw it (and back then I didn't
fix it myself - just provided information like the above) so I barely
remember the key points to configure or look after. Maybe it helps
already, otherwise we'll have to wait for someone to point to the usual
suspects in the individual configurations.

Olaf



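A check for the root cause Olaf describes, added here as an example (it is not code from the thread or from Tomcat): it applies the RFC 7234 section 3 storage rules to captured request/response header pairs and flags per-user responses that a shared cache such as a reverse proxy or CDN is allowed to store. The sample exchanges are constructed.

```python
"""Find per-user responses that a shared cache is allowed to store.

Added example: a profile page served without 'Cache-Control: private'
(or 'no-store') is exactly what an "over-eager" proxy may store and hand
to the next user.  All header samples below are constructed.
"""
from typing import Dict, List

Headers = Dict[str, str]

# Status codes a cache may store with heuristic freshness even when the
# response carries no explicit freshness information (RFC 7231 6.1).
_CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, str]:
    """'private, max-age=60' -> {'private': '', 'max-age': '60'}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def shared_cache_may_store(method: str, status: int,
                           request: Headers, response: Headers) -> bool:
    """True when RFC 7234 section 3 lets a *shared* cache store the response."""
    req = {k.lower(): v for k, v in request.items()}
    resp = {k.lower(): v for k, v in response.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if method.upper() not in ("GET", "HEAD"):
        return False                 # keep to the common read-only case
    if "no-store" in cc or "private" in cc:
        return False                 # the app signalled "not for a shared cache"
    # A request carrying Authorization is stored by a shared cache only when
    # the response explicitly allows it (RFC 7234 3.2).
    if "authorization" in req and not ({"public", "s-maxage", "must-revalidate"} & set(cc)):
        return False
    explicit_freshness = ("expires" in resp or "max-age" in cc
                          or "s-maxage" in cc or "public" in cc)
    # Set-Cookie does not forbid storage in the RFC; some proxies decline such
    # responses by default, but that is proxy policy, not a guarantee.
    return explicit_freshness or status in _CACHEABLE_BY_DEFAULT


def is_per_user(request: Headers) -> bool:
    """Treat any request presenting a session cookie or credentials as per-user."""
    names = {k.lower() for k in request}
    return "cookie" in names or "authorization" in names


def audit(exchanges: List[dict]) -> List[str]:
    """Return 'METHOD path' for each per-user response a shared cache may store."""
    findings = []
    for ex in exchanges:
        if is_per_user(ex["request"]) and shared_cache_may_store(
                ex["method"], ex["status"], ex["request"], ex["response"]):
            findings.append(f'{ex["method"]} {ex["path"]}')
    return findings


# Constructed capture: two hits on the same profile page seconds apart,
# one static asset, one API call with a bearer token.
SAMPLE_EXCHANGES = [
    {"method": "GET", "path": "/app/profile", "status": 200,
     "request": {"Cookie": "JSESSIONID=constructed-user-a"},
     "response": {"Content-Type": "text/html;charset=UTF-8"}},
    {"method": "GET", "path": "/app/profile", "status": 200,
     "request": {"Cookie": "JSESSIONID=constructed-user-b"},
     "response": {"Content-Type": "text/html;charset=UTF-8",
                  "Cache-Control": "private, no-store"}},
    {"method": "GET", "path": "/app/static/logo.png", "status": 200,
     "request": {},
     "response": {"Content-Type": "image/png",
                  "Cache-Control": "public, max-age=86400"}},
    {"method": "GET", "path": "/app/api/me", "status": 200,
     "request": {"Authorization": "Bearer constructed-token"},
     "response": {"Content-Type": "application/json"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCHANGES):
        print("shared cache may store per-user response:", finding)
```

Only the first profile hit is reported: it has a session cookie in the request and nothing in the response telling a shared cache to keep its hands off.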


Re: Mixed User Session

2021-01-15 Thread Christopher Schultz

Juan,

On 1/15/21 10:58, Christopher Schultz wrote:

Juan,

On 1/15/21 09:57, juan wrote:

We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
have multiple servers behind an AWS load balancer setup with sticky
sessions. We encountered a weird situation where a user who logged into
their application was presented with another user's profile after login. Has
anyone encountered something similar to this? Both users hit the same
tomcat server seconds apart and the user was on his personal computer and
doesn't know the first user.


I forgot to ask a few things about this:

1. Is this reproducible? How many cases of this have you encountered?

2. Is your application holding on to references to request/response 
beyond the end of a request?


Usually this kind of thing happens when applications are misusing those 
objects by retaining references.



We have async-supported set to true for both default and jsp servlets and
using the http11.Http11NioProtocol connector with
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation" 

and />.


Are you actually using servlet-async features? They are very tricky to use 
correctly without any mistakes.


-chris




what is the exact order of filters?

2021-01-15 Thread Johan Compagner
Hi
here we have a case: 51754 – Tomcat7 filters from conf/web.xml are applied
after filters defined in WEB-INF/web.xml (apache.org)


that already says that the conf/web.xml ones are applied later than the WEB-INF/web.xml ones

is it so that the order is something like


WEB-INF/web.xml
annotation-based ones
conf/web.xml

?

I am also not sure what the spec says about this mix

-- 
Johan Compagner
Servoy


Re: Mixed User Session

2021-01-15 Thread Christopher Schultz

Juan,

On 1/15/21 09:57, juan wrote:

We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
have multiple servers behind an AWS load balancer setup with sticky
sessions. We encountered a weird situation where a user who logged into
their application was presented with another user's profile after login. Has
anyone encountered something similar to this? Both users hit the same
tomcat server seconds apart and the user was on his personal computer and
doesn't know the first user.

We have async-supported set to true for both default and jsp servlets and
using the http11.Http11NioProtocol connector with
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
and .
Unfortunately we could not find any errors in the logs.


Are you using h2 as a protocol between the AWS lb and Tomcat, or are you 
using HTTP? Or, are you using a network load balancer which just allows 
bytes to flow back and forth without actually proxying HTTP(2)?


I'm assuming you have:

HTTP(2) -> ELB/ALB -> HTTP -> Tomcat

I just want to check to see if h2 is actually being used by Tomcat.

If h2 is being used as a proxy protocol, do you know if you are using h2 
or h2c (non-encrypted)?


Just trying to narrow things down.


We encountered something similar in the past when running on tomcat 8.0 and
it was related to low entropy on the environment and tomcat not able to
generate a session for the incoming user and reusing the jsessionid for a
previous user.  We did see errors for this in the logs. This was fixed by
adding a service to increase entropy and upgrading to a later version of
tomcat 8.5.


That sounds suspicious to me. If you don't have sufficient entropy, you 
should get very slow response times, but no re-use of session identifiers.



Any suggestions or help is much appreciated regarding logging that might
help shed some light on this. We have also patched tomcat to the latest
release 8.5.61 to see if it helps.


Can you please post your entire <Connector> element from 
conf/server.xml? Remove any sensitive information that may be present.


-chris




Mixed User Session

2021-01-15 Thread juan
Hi,

We were running tomcat 8.5.57 on CentOS 7 and together with CAS SSO, we
have multiple servers behind an AWS load balancer setup with sticky
sessions. We encountered a weird situation where a user who logged into
their application was presented with another user's profile after login. Has
anyone encountered something similar to this? Both users hit the same
tomcat server seconds apart and the user was on his personal computer and
doesn't know the first user.

We have async-supported set to true for both default and jsp servlets and
using the http11.Http11NioProtocol connector with
sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
and .
Unfortunately we could not find any errors in the logs.

We encountered something similar in the past when running on tomcat 8.0 and
it was related to low entropy on the environment and tomcat not able to
generate a session for the incoming user and reusing the jsessionid for a
previous user.  We did see errors for this in the logs. This was fixed by
adding a service to increase entropy and upgrading to a later version of
tomcat 8.5.

Any suggestions or help is much appreciated regarding logging that might
help shed some light on this. We have also patched tomcat to the latest
release 8.5.61 to see if it helps.

Thanks!

Juan Q.


Re: TomCat 9 service failed to start on Windows after TomCat 9 update

2021-01-15 Thread Christopher Schultz

Igor,

On 1/15/21 08:23, Igor Sluge wrote:

I updated TomCat for my app to the latest TomCat 9.0.41 and after the update the TomCat 
service failed to start successfully as a Windows service. I just see a 404 error when 
trying to open the TomCat app. Also there are no logs at all in the log directory! 
If I start TomCat locally by the command   tomcat9.exe" //TS//MyApp   it 
started successfully.
OS: Windows 7 and Server 2012
Does anybody have any ideas of how to troubleshoot this issue?


What did you upgrade *from*?

When you upgraded, did you reinstall or otherwise update the Windows 
Service definition?


-chris




Re: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-15 Thread Christopher Schultz

Swathi,

On 1/15/21 08:41, Jonnalagadda, Swathi (External) wrote:

My web application is trying to open the xls file by passing the file
to request.getDispatcher method. It is supposed to open up a download
dialogue box but it is not doing so.

After you get a request dispatcher, what are you doing with it?


If I set the content-type explicitly to response it is showing up the box.


Please post actual code.


With Tomcat 7 it was never an issue and it used to consider mimetype
that is defined in web.xml but in Tomcat 9 not sure why it is not
considering mime-type.


Something seems odd, here. Post your sample code.

-chris


-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, January 15, 2021 3:25 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat server not considering Mime Type - Request urgent help!!


Swathi,

On 1/13/21 03:27, Jonnalagadda, Swathi (External) wrote:

We could see that when we try to open the xls file separately the
browser shows dialogue box to save it so it is nothing to do with
browser settings

What is the difference between "open[ing] the XLS file separately" and ... 
whatever your application is doing instead?

If you want to force a download, you need to add some response headers 
otherwise a normal browser will usually try to render the file in the browser 
window instead of initiating a download.

The response header you need is "Content-Disposition" and its value can be 
complex. Here is what I usually do:

Content-Disposition: attachment; filename="[filename]"; 
filename*=utf-8''[filename in UTF-8 encoding]

Note that the above is all on one line and the two single-quotes are not a typo. You will 
also need to escape any double-quotes in the "filename"
and escape any semicolons in the utf8-filename.

You can find more information here as well as other places online:
https://www.geeksforgeeks.org/http-headers-content-disposition/

The above reference happens to be particularly thorough, even more so than 
Mozilla's (typically very good and complete) documentation for 
Content-Disposition.

If your application is not being hosted within a web browser (e.g. it's a 
mobile application, or an Electron (etc.) application, etc.) then it's entirely 
up to you to trigger the display of a download dialog when this kind of thing 
needs to happen.

-chris


-Original Message-
From: Mounika Reddy [mailto:spidermai...@gmail.com]
Sent: Wednesday, January 13, 2021 3:48 AM
To: Tomcat Users List
Cc: Mark Thomas
Subject: Re: Tomcat server not considering Mime Type - Request urgent help!!


Pls check http response headers for the request to confirm if it's returning 
proper headers.

Once they are in place then it may be to do with browser settings not 
processing headers.



On Tue, Jan 12, 2021, 2:48 PM Jonnalagadda, Swathi (External) < 
swathi.jonnalaga...@xerox.com> wrote:


Hi Team

We have an application deployed in tomcat9.0.38 server which
generates an xls file dynamically and saves at server end. When we
try to access the file using application frontend, it is neither
showing up in excel format nor showing a pop up to save the file;
instead it is showing the content of the xls file in xml format directly on the 
browser.

Below mime type is set both in the web.xml of the web application and in
Tomcat9038/conf/web.xml

<mime-mapping>
  <extension>xls</extension>
  <mime-type>application/vnd.ms-excel</mime-type>
</mime-mapping>

Could you please help in resolving the issue ASAP


Thanks
Swathi














Re: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-15 Thread Mounika Reddy
As Niranjan said, please validate the headers first. It may not have been the case
in Tomcat 7, but there are multiple points which must have been updated, probably
triggering it. The only way to verify is to set the Content-Disposition header
accurately and verify whether the browser can see it.

On Fri, Jan 15, 2021, 8:41 AM Jonnalagadda, Swathi (External) <
swathi.jonnalaga...@xerox.com> wrote:

> Hi Chris
>
> My web application is trying to open the xls file by passing the file to
> request.getDispatcher method. It is supposed to open up a download dialogue box
> but it is not doing so.
>
> If I set the content-type explicitly to response it is showing up the box.
>
> With Tomcat 7 it was never an issue and it used to consider mimetype that
> is defined in web.xml but in Tomcat 9 not sure why it is not considering
> mime-type.
>
> Thanks
> Swathi
>
> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, January 15, 2021 3:25 AM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat server not considering Mime Type - Request urgent
> help!!
>
>
> Swathi,
>
> On 1/13/21 03:27, Jonnalagadda, Swathi (External) wrote:
> > We could see that when we try to open the xls file separately the
> > browser shows dialogue box to save it so it is nothing to do with
> > browser settings
> What is the difference between "open[ing] the XLS file separately" and ...
> whatever your application is doing instead?
>
> If you want to force a download, you need to add some response headers
> otherwise a normal browser will usually try to render the file in the
> browser window instead of initiating a download.
>
> The response header you need is "Content-Disposition" and its value can be
> complex. Here is what I usually do:
>
> Content-Disposition: attachment; filename="[filename]";
> filename*=utf-8''[filename in UTF-8 encoding]
>
> Note that the above is all on one line and the two single-quotes are not a
> typo. You will also need to escape any double-quotes in the "filename"
> and escape any semicolons in the utf8-filename.
>
> You can find more information here as well as other places online:
> https://www.geeksforgeeks.org/http-headers-content-disposition/
>
> The above reference happens to be particularly thorough, even more so than
> Mozilla's (typically very good and complete) documentation for
> Content-Disposition.
>
> If your application is not being hosted within a web browser (e.g. it's a
> mobile application, or an Electron (etc.) application, etc.) then it's
> entirely up to you to trigger the display of a download dialog when this
> kind of thing needs to happen.
>
> -chris
>
> > -Original Message-
> > From: Mounika Reddy [mailto:spidermai...@gmail.com]
> > Sent: Wednesday, January 13, 2021 3:48 AM
> > To: Tomcat Users List
> > Cc: Mark Thomas
> > Subject: Re: Tomcat server not considering Mime Type - Request urgent
> help!!
> >
> >
> > Pls check http response headers for the request to confirm if it's
> returning proper headers.
> >
> > Once they are in place then it may be to do with browser settings not
> processing headers.
> >
> >
> >
> > On Tue, Jan 12, 2021, 2:48 PM Jonnalagadda, Swathi (External) <
> swathi.jonnalaga...@xerox.com> wrote:
> >
> >> Hi Team
> >>
> >> We have an application deployed in tomcat9.0.38 server which
> >> generates an xls file dynamically and saves at server end. When we
> >> try to access the file using application frontend, it is neither
> >> showing up in excel format nor showing a pop up to save the file;
> >> instead it is showing the content of the xls file in xml format directly on
> >> the browser.
> >>
> >> Below mime type is set both in the web.xml of the web application and in
> >> Tomcat9038/conf/web.xml
> >>
> >> <mime-mapping>
> >>  <extension>xls</extension>
> >>  <mime-type>application/vnd.ms-excel</mime-type>
> >> </mime-mapping>
> >>
> >> Could you please help in resolving the issue ASAP
> >>
> >>
> >> Thanks
> >> Swathi
> >>
> >
> >
>
>
>
>


RE: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-15 Thread Jonnalagadda, Swathi (External)
Hi Chris

My web application is trying to open the xls file by passing the file to 
request.getDispatcher method. It is supposed to open up a download dialogue box but 
it is not doing so.

If I set the content-type explicitly to response it is showing up the box.

With Tomcat 7 it was never an issue and it used to consider mimetype that is 
defined in web.xml but in Tomcat 9 not sure why it is not considering mime-type.

Thanks
Swathi 

-Original Message-
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Friday, January 15, 2021 3:25 AM
To: users@tomcat.apache.org
Subject: Re: Tomcat server not considering Mime Type - Request urgent help!!


Swathi,

On 1/13/21 03:27, Jonnalagadda, Swathi (External) wrote:
> We could see that when we try to open the xls file separately the 
> browser shows dialogue box to save it so it is nothing to do with 
> browser settings
What is the difference between "open[ing] the XLS file separately" and ... 
whatever your application is doing instead?

If you want to force a download, you need to add some response headers 
otherwise a normal browser will usually try to render the file in the browser 
window instead of initiating a download.

The response header you need is "Content-Disposition" and its value can be 
complex. Here is what I usually do:

Content-Disposition: attachment; filename="[filename]"; 
filename*=utf-8''[filename in UTF-8 encoding]

Note that the above is all on one line and the two single-quotes are not a 
typo. You will also need to escape any double-quotes in the "filename" 
and escape any semicolons in the utf8-filename.

You can find more information here as well as other places online:
https://www.geeksforgeeks.org/http-headers-content-disposition/

The above reference happens to be particularly thorough, even more so than 
Mozilla's (typically very good and complete) documentation for 
Content-Disposition.

If your application is not being hosted within a web browser (e.g. it's a 
mobile application, or an Electron (etc.) application, etc.) then it's entirely 
up to you to trigger the display of a download dialog when this kind of thing 
needs to happen.

-chris

> -Original Message-
> From: Mounika Reddy [mailto:spidermai...@gmail.com]
> Sent: Wednesday, January 13, 2021 3:48 AM
> To: Tomcat Users List
> Cc: Mark Thomas
> Subject: Re: Tomcat server not considering Mime Type - Request urgent help!!
> 
> 
> Pls check http response headers for the request to confirm if it's returning 
> proper headers.
> 
> Once they are in place then it may be to do with browser settings not 
> processing headers.
> 
> 
> 
> On Tue, Jan 12, 2021, 2:48 PM Jonnalagadda, Swathi (External) < 
> swathi.jonnalaga...@xerox.com> wrote:
> 
>> Hi Team
>>
>> We have an application deployed in tomcat9.0.38 server which 
>> generates an xls file dynamically and saves at server end. When we 
>> try to access the file using application frontend, it is neither 
>> showing up in excel format nor showing a pop up to save the file; 
>> instead it is showing the content of the xls file in xml format directly on the 
>> browser.
>>
>> Below mime type is set both in the web.xml of the web application and in 
>> Tomcat9038/conf/web.xml
>>
>> <mime-mapping>
>>  <extension>xls</extension>
>>  <mime-type>application/vnd.ms-excel</mime-type>
>> </mime-mapping>
>>
>> Could you please help in resolving the issue ASAP
>>
>>
>> Thanks
>> Swathi
>>
> 
> 






Re: TomCat 9 service failed to start on Windows after TomCat 9 update

2021-01-15 Thread Robert Turner
I would check permissions on the folders/files. The account running the
windows service may not have permissions to execute the programs or maybe
access the directories. That's the first thing I would check. (Also check
Event Viewer for any related messages).

On Fri, Jan 15, 2021 at 8:24 AM Igor Sluge  wrote:

>
>
> Hello,
> I updated TomCat for my app to the latest TomCat 9.0.41 and after the update
> the TomCat service failed to start successfully as a Windows service. I just see
> 404 error when trying to open the TomCat app. Also there are no logs at all
> in the log directory! If I start TomCat locally by the command
> tomcat9.exe" //TS//MyApp   it started successfully.
> OS: Windows 7 and Server 2012
> Does anybody have any ideas of how to troubleshoot this issue?
>
>


TomCat 9 service failed to start on Windows after TomCat 9 update

2021-01-15 Thread Igor Sluge

 
Hello,
I updated TomCat for my app to the latest TomCat 9.0.41 and after the update the TomCat 
service failed to start successfully as a Windows service. I just see a 404 error 
when trying to open the TomCat app. Also there are no logs at all in the log 
directory! If I start TomCat locally by the command   tomcat9.exe" //TS//MyApp  
 it started successfully.
OS: Windows 7 and Server 2012
Does anybody have any ideas of how to troubleshoot this issue?
 
 

Re: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-15 Thread tomcat/perl

Hi again.
Sorry for the noise.
The page which you quoted 
(https://www.geeksforgeeks.org/http-headers-content-disposition/), itself contains a 
formal reference to
RFC 5987 (https://tools.ietf.org/html/rfc5987), which formally defines the extended 
"filename*" header parameter below.


On 15.01.2021 11:48, André Warnier (tomcat/perl) wrote:

On 14.01.2021 22:55, Christopher Schultz wrote:
Content-Disposition: attachment; filename="[filename]"; filename*=utf-8''[filename in 
UTF-8 encoding]


Hi Chris.
Do you have any reference for the above ?
(the "utf8''" part is new to me)









Re: Tomcat server not considering Mime Type - Request urgent help!!

2021-01-15 Thread tomcat/perl

On 14.01.2021 22:55, Christopher Schultz wrote:
Content-Disposition: attachment; filename="[filename]"; filename*=utf-8''[filename in 
UTF-8 encoding]


Hi Chris.
Do you have any reference for the above ?
(the "utf8''" part is new to me)


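The header layout Chris gives and André asks about, built in code. This is an added example, not code from the thread or from Tomcat: a Python function that emits the quoted ASCII `filename` parameter together with the RFC 5987 `filename*` ext-value (`utf-8''` followed by percent-encoded UTF-8), with the double-quote and semicolon escaping Chris mentions. The sample file names are constructed.

```python
"""Build a Content-Disposition value with both filename parameters.

Added example.  The legacy filename="..." form is kept ASCII-only for
old user agents; filename* (RFC 5987) carries the exact name, percent-
encoded, so neither ';' nor '"' nor a CR/LF can break the header.
"""
from urllib.parse import quote

# RFC 5987 attr-char set, minus the ALPHA / DIGIT / "_" / "." / "-" / "~"
# that urllib.parse.quote never encodes anyway.  Everything else (space,
# ";", "'", '"', non-ASCII, control characters) is percent-encoded.
_ATTR_CHARS = "!#$&+^`|"


def _quoted_string(name: str) -> str:
    """Legacy filename="..." form (RFC 7230 quoted-string).

    Only printable ASCII survives; other characters become "_" because
    this fallback cannot carry them and filename* has the real name.
    Backslash and double quote are escaped so the quoting cannot be broken.
    """
    printable = "".join(c if 0x20 <= ord(c) < 0x7F else "_" for c in name)
    escaped = printable.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def _ext_value(name: str) -> str:
    """RFC 5987 ext-value: charset "'" [language] "'" value-chars (no language)."""
    return "utf-8''" + quote(name, safe=_ATTR_CHARS, encoding="utf-8")


def content_disposition(filename: str) -> str:
    """Return the value for 'Content-Disposition: attachment; ...'."""
    # Only the base name is sent: a path component means nothing to the
    # browser and would leak server layout.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1] or "download"
    return (f"attachment; filename={_quoted_string(base)}; "
            f"filename*={_ext_value(base)}")


if __name__ == "__main__":
    # Constructed sample names: plain, non-ASCII with a space, and hostile.
    for sample in ("report.xls", "r\u00e9sum\u00e9 2021.xls", 'a;b"c.xls'):
        print(f"{sample!r} -> {content_disposition(sample)}")
```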