Re: Tomcat 9.0 async read becomes blocking with chunked transfer-encoding

2021-10-07 Thread Javateck
Hi Mark,

Just wondering whether we have a radar to track this, will it be in release 
notes for next release?

Thanks,
Andrew

> On Sep 27, 2021, at 8:54 AM, Mark Thomas  wrote:
> 
> On 27/09/2021 15:55, Mark Thomas wrote:
>> On 27/09/2021 09:08, Goldengate liu wrote:
>>> Hi Mark,
>>> 
>>> I’m uploading some test files
>> Thanks for the test case. I'm looking at this now.
> 
> Bug found and fixed.
> 
> One thing to note is that with chunked encoding it is possible for you to see 
> isReady() return true only for the subsequent read to return 0 bytes. This 
> happens when just (or only part of) the chunked header is available.
> 
> The sample code you provided handled this correctly.
> 
> The fix will be in the October release round. The release process for that 
> should hopefully start later today.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

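As an added illustration of the isReady()/read() behaviour Mark describes (example code, not from the thread and not Tomcat's own code): a Servlet 4.0 ReadListener for Tomcat 9 that treats a 0-byte read as "only a chunk header was available, keep going while isReady() says so" instead of as end-of-stream. The servlet name, the URL pattern and the 64 KiB body cap are assumptions.

```java
// Added example: a non-blocking read loop that tolerates 0-byte reads on
// chunked request bodies. Servlet name/URL and MAX_BODY are assumptions.
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.servlet.AsyncContext;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/upload", asyncSupported = true)
public class ChunkedUploadServlet extends HttpServlet {
    private static final int MAX_BODY = 64 * 1024; // assumed per-request limit

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        AsyncContext ctx = req.startAsync();
        ServletInputStream in = req.getInputStream();
        in.setReadListener(new ReadListener() {
            private final ByteArrayOutputStream body = new ByteArrayOutputStream();
            private final byte[] buf = new byte[8192];

            @Override
            public void onDataAvailable() throws IOException {
                // Read only while the container promises a non-blocking read.
                // Leaving the loop as soon as isReady() is false is what keeps
                // read() from blocking the container thread.
                while (in.isReady() && !in.isFinished()) {
                    int n = in.read(buf);
                    if (n == -1) {
                        break; // end of stream; onAllDataRead() will follow
                    }
                    if (n == 0) {
                        // Chunked transfer: only (part of) a chunk header was
                        // available. Not an error and not EOF; loop again and
                        // let isReady() decide whether to continue or return.
                        continue;
                    }
                    if (body.size() + n > MAX_BODY) {
                        resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                        ctx.complete();
                        return;
                    }
                    body.write(buf, 0, n);
                }
            }

            @Override
            public void onAllDataRead() throws IOException {
                resp.setContentType("text/plain");
                resp.getWriter().write("received " + body.size() + " bytes");
                ctx.complete();
            }

            @Override
            public void onError(Throwable t) {
                ctx.complete();
            }
        });
    }
}
```

The two mistakes this guards against are the ones that matter in practice: a listener that treats a 0-byte read as end-of-stream silently truncates chunked bodies, and a listener that keeps calling read() after isReady() has returned false turns the async read into a blocking one, which is the failure mode in the subject line.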



RE: Interesting log capability request

2021-10-07 Thread jonmcalexander
> -Original Message-
> From: Robert Hicks 
> Sent: Thursday, October 7, 2021 2:23 PM
> To: Tomcat Users List 
> Subject: Re: Interesting log capability request
> 
> The catalina.out log should capture that information already, right?
> 
> This is what I see when I shutdown my barebones Tomcat:
> 
> 07-Oct-2021 15:19:03.276 INFO [main]
> org.apache.catalina.core.StandardServer.await A valid shutdown command
> was received via the shutdown port. Stopping the Server instance.
> 07-Oct-2021 15:19:03.277 INFO [main]
> org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-
> nio-8080"]
> 07-Oct-2021 15:19:03.546 INFO [main]
> org.apache.catalina.core.StandardService.stopInternal Stopping service
> [Catalina]
> 07-Oct-2021 15:19:03.599 INFO [main]
> org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-
> nio-8080"]
> 07-Oct-2021 15:19:03.647 INFO [main]
> org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler
> ["http-nio-8080"]
> 
> If you have webapps going it should take a little longer of course.
> 
> --
> Bob
> 
> On Thu, Oct 7, 2021 at 3:05 PM 
> wrote:
> 
> > I have an app team that wants to know if it's possible to capture how
> > long the Tomcat Shutdown takes? I don't think there is without
> > modifying something in the Catalina.sh under the Stop section, but
> > wondering if there is something already built in.
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation.
> >
> >


I think they are looking for something similar to this:

Oct 07, 2021 3:21:13 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in [54655] milliseconds

But for shutdown instead. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
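The thread does not propose this, but one way to get the "Server shutdown in [N] milliseconds" line Jon describes without editing catalina.sh is a LifecycleListener on the Server (added example, not Tomcat's own code; the package and class name are assumptions). It records the time at BEFORE_STOP_EVENT and logs the elapsed time at AFTER_DESTROY_EVENT, which covers the stop and destroy steps shown in Bob's log excerpt (there, the await line to the destroy line spans 371 ms).

```java
// Added example: logs how long the Server took to stop, in the style of the
// "Server startup in [N] milliseconds" message. Package/class are assumptions.
// Register it in conf/server.xml as a child of <Server>:
//   <Listener className="com.example.ShutdownTimingListener"/>
// and put the compiled class on the common class path ($CATALINA_BASE/lib).
package com.example;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

public class ShutdownTimingListener implements LifecycleListener {
    private static final Log log = LogFactory.getLog(ShutdownTimingListener.class);
    private volatile long stopStartedNanos = -1L;

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Only time the Server component. The same class attached to a Service
        // or Context would time that component's stop instead.
        if (!(event.getLifecycle() instanceof Server)) {
            return;
        }
        switch (event.getType()) {
            case Lifecycle.BEFORE_STOP_EVENT:
                stopStartedNanos = System.nanoTime();
                break;
            case Lifecycle.AFTER_DESTROY_EVENT:
                // Use AFTER_STOP_EVENT here instead to exclude the destroy phase.
                if (stopStartedNanos >= 0) {
                    long ms = (System.nanoTime() - stopStartedNanos) / 1_000_000L;
                    log.info("Server shutdown in [" + ms + "] milliseconds");
                }
                break;
            default:
                break;
        }
    }
}
```

The line lands in catalina.out next to the messages Bob quoted, so an app team can read the duration directly instead of subtracting timestamps.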



Re: Interesting log capability request

2021-10-07 Thread Robert Hicks
The catalina.out log should capture that information already, right?

This is what I see when I shutdown my barebones Tomcat:

07-Oct-2021 15:19:03.276 INFO [main]
org.apache.catalina.core.StandardServer.await A valid shutdown command was
received via the shutdown port. Stopping the Server instance.
07-Oct-2021 15:19:03.277 INFO [main]
org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler
["http-nio-8080"]
07-Oct-2021 15:19:03.546 INFO [main]
org.apache.catalina.core.StandardService.stopInternal Stopping service
[Catalina]
07-Oct-2021 15:19:03.599 INFO [main]
org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler
["http-nio-8080"]
07-Oct-2021 15:19:03.647 INFO [main]
org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler
["http-nio-8080"]

If you have webapps going it should take a little longer of course.

--
Bob

On Thu, Oct 7, 2021 at 3:05 PM 
wrote:

> I have an app team that wants to know if it's possible to capture how long
> the Tomcat Shutdown takes? I don't think there is without modifying
> something in the Catalina.sh under the Stop section, but wondering if there
> is something already built in.
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
>


Interesting log capability request

2021-10-07 Thread jonmcalexander
I have an app team that wants to know if it's possible to capture how long the 
Tomcat Shutdown takes? I don't think there is without modifying something in 
the Catalina.sh under the Stop section, but wondering if there is something 
already built in.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com



JASPIC Plugin for OIDC/JWT/OAuth

2021-10-07 Thread Michael Kolenda
Hey Tomcat Users,

I've run into an interesting behavior with a custom JASPIC provider. When
there is an existing session i.e. JSESSIONID cookie, It appears the
groups/roles are not checked again... even when the new groups are provided
in the client Subject (JASPIC's validate() ). When attempting stateless
authentication via JWT/OAuth how can I ignore a previously set session for
an individual request?

It appears to be based around equals() on my Principal object. I can make
it so Principal's generated via stateless authentication protocols are
never equal, but then I get a new session id in the response. I don't want
a session id at all for this request

Any ideas?

Thanks,
Mike


Re: [OT] Specifying a Custom Authenticator Class

2021-10-07 Thread Christopher Schultz

Jerry,

On 10/6/21 15:09, Jerry Malcolm wrote:
> Chris, thanks so much.  But please bear with me.  I'm in the slow 
> group. I think I have a pretty good handle on creating the 
> authenticator.  But take me from the top, using manager as an example. 
> In the web.xml file it has login auth-method set to BASIC.  I'm assuming 
> that invokes BasicAuthenticator.  But I don't see a value configured in 
> any context file for BasicAuthenticator unless I'm just missing it.


You didn't miss it. If there are no Valves configured for the 
application (in META-INF/context.xml), then Tomcat will use the 
<auth-method> from WEB-INF/web.xml to choose the right one to use. Since 
you have BASIC in there, Tomcat automatically (and silently) adds 
BasicAuthenticator to the Manager web application.



> If I wanted to change manager to use my authenticator, would I need
> to change web.xml's auth-method to "malcolm"?

No, you can leave this BASIC, or remove it entirely. It doesn't really 
matter.


> I figured I would change the 
> web.xml auth-method and then change the default BasicAuthenicator value 
> to my own authenticator valve.  But I can't find it.  Do I add this 
> context/valve to the host definition in server.xml, to the 
> /conf/context.xml, to the Catalina default-context.xml or does it 
> matter?  Sorry I'm not getting it.  I've been with TC for many years. 
> But this is an area I've never dealt with until now.


Yep, just add a <Valve> to your META-INF/context.xml which specifies 
your custom authenticator as the class name.


Hope that helps,
-chris


> On 10/5/2021 1:54 PM, Christopher Schultz wrote:
>> Jerry,
>>
>> On 10/5/21 12:23, Jerry Malcolm wrote:
>>> hi Chris, thanks for the feedback.
>>>
>>> I'm not using JWTs.  I'm just sending a base64 token made up of 
>>> "a:b:c:d:e".   I don't mind cloning the BasicAuthenticator if that's 
>>> what's required.  I'm still not understanding how TC will handle my 
>>> modified header.
>>
>> It won't. You'll have to do that yourself.
>>
>>> I assume that if TC finds an Authorization header with the word 
>>> Basic, it will route to the standard BasicAuthenticator class. 
>>
>> If that's been configured, yes.
>>
>>> What would I do in order to tell TC if it finds an auth header with 
>>> the word "Malcolm" as the prefix instead of "Basic" that it should 
>>> route to my custom Authenticator class?
>>
>> You'd have to install your own Authenticator (a Valve) in your 
>> <Context>. markt posted how to do this on 10/2 in this thread.
>>
>> You can look at how the BasicAuthenticator does things to orient 
>> yourself. Feel free to extend BasicAuthenticator and override whatever 
>> you need. Ultimately, it will need to do whatever you need it to do 
>> and then set a Principal on the request (and/or session). Again, 
>> looking at the BasicAuthenticator source will help a lot.
>>
>> -chris
>>
>>> On 10/5/2021 9:50 AM, Christopher Schultz wrote:
>>>> Jerry,
>>>>
>>>> On 10/4/21 22:40, Jerry Malcolm wrote:
>>>>> I really don't care whether it's called Basic, Malcolm, 
>>>>> RollYourOwn, or whatever.  I was just emulating techniques I've had 
>>>>> to implement as a client for credit card gateways and other 
>>>>> services in the past that all use BASIC prefix with their own token 
>>>>> definition.  I can easily rename the Authorization header prefix 
>>>>> or not even call the header "Authorization".  The main thing is 
>>>>> there is a base64 token associated with it.  Our application has a 
>>>>> mobile app with a rather large REST api.  The security requirements 
>>>>> of this product far exceed id:pw authentication.  We have 
>>>>> additional pre-shared keys, timestamps, and other undisclosed data 
>>>>> built into the raw token that is converted to base64 and added to 
>>>>> the header. This REST api authentication is implemented and working 
>>>>> without problems.
>>>>>
>>>>> Here's the situation.  There is a certain amount of user data that 
>>>>> is not yet displayable in the current version of the mobile app. We 
>>>>> have a couple of links to the main web site where the user can view 
>>>>> the remainder of their data.  I don't want to throw up a login 
>>>>> screen when a user, who is already logged into the app, clicks the 
>>>>> link to view the data that is on the web site.  But I also want to 
>>>>> maintain the same level of security as we have with REST to 
>>>>> establish the session.  The server already knows how to 
>>>>> authenticate from the REST api tokens.  I simply want to use the 
>>>>> same token and the same auth code to "login" the user and create a 
>>>>> session just like I can do with request.login( id, pw ), but using 
>>>>> my own authentication code from the auth header token.
>>>>
>>>> Sounds like you are using JWTs.
>>>>
>>>> Something that Tomcat doesn't currently allow you to do (because 
>>>> it's not supported by the Servlet Spec) is just shove a Principal 
>>>> into the container and say "here you go".
>>>>
>>>> This would be immensely helpful for any kind of SSO mechanism. I 
>>>> have built 3 different SSO mechanisms into my product, and I can do 
>>>> it because I'm not using Tomcat's container-provided authentication. 
>>>> I would really REALLY like to get away from what I'm using and back 
>>>> into more "mainstream" principal management.
>>>>
>>>> I think I'll bring this onto the dev@
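To make Chris's advice concrete (install your own Authenticator Valve via META-INF/context.xml, look at the header yourself, then hand a Principal to the container), here is an added example of such a Valve for Tomcat 9. It is not from the thread and not Tomcat's own code. The Tomcat hooks it uses (AuthenticatorBase, doAuthenticate, getAuthMethod, checkForCachedAuthentication, register, context.getRealm()) are the real Tomcat 9 API; the "Malcolm" scheme name, the package and class name, and the token layout (five colon-separated fields, with the first treated as the user name and the second as the credential) are assumptions, since the thread says the real token carries undisclosed fields.

```java
// Added example: a custom Authenticator Valve that handles
//   Authorization: Malcolm <base64 of "a:b:c:d:e">
// Installed per web application via META-INF/context.xml:
//   <Context><Valve className="com.example.MalcolmAuthenticator"/></Context>
// Scheme name, package/class name and token layout are assumptions.
package com.example;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.tomcat.util.descriptor.web.LoginConfig;

public class MalcolmAuthenticator extends AuthenticatorBase {
    private static final String SCHEME = "Malcolm ";

    @Override
    protected String getAuthMethod() {
        return "MALCOLM"; // what request.getAuthType() will report
    }

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        // Reuse a Principal already established for this request or session.
        if (checkForCachedAuthentication(request, response, true)) {
            return true;
        }
        String header = request.getHeader("authorization");
        if (header != null && header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            String token = header.substring(SCHEME.length()).trim();
            Principal principal = verifyToken(token);
            if (principal != null) {
                // Hand the Principal to the container: this is what makes
                // getUserPrincipal(), isUserInRole() and security constraints work.
                register(request, response, principal, getAuthMethod(),
                        principal.getName(), null);
                return true;
            }
        }
        // Not authenticated (missing, malformed or rejected token): challenge.
        response.setHeader("WWW-Authenticate", "Malcolm realm=\"" + realmName() + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }

    // Decode the token and let the configured Realm check the credential, so
    // roles come from the same place as they would for BASIC.
    private Principal verifyToken(String token) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String[] fields = new String(raw, StandardCharsets.UTF_8).split(":", -1);
        if (fields.length != 5) {
            return null; // assumed layout is exactly five fields
        }
        // Assumption: field 0 is the user name, field 1 the credential. The
        // other fields (pre-shared keys, timestamps) would be checked here too.
        return context.getRealm().authenticate(fields[0], fields[1]);
    }

    private String realmName() {
        LoginConfig config = context.getLoginConfig();
        String name = config == null ? null : config.getRealmName();
        return name == null ? "Authentication required" : name;
    }
}
```

Because a Valve configured in META-INF/context.xml takes precedence, web.xml can keep BASIC or drop auth-method entirely, as Chris notes; the security constraints and roles in web.xml still apply to the Principal that register() installs.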