Re: Jdbc drivers not found on Tomcat 10
HI Christopher, not sure we are on the same page. The problem I encountered was that a Spring 6 war app with pg driver(42.3.1) could not deploy on Tomcat 10, but worked well when downupgraded to Spring 5/Tomcat 9. But on the jetty 11 and WildFly preview 26, Spring 6/pg war package are also working. I checked the source code of Spring DriverMangerDataSource, it will search the drivers when calling getConnection at the first time, the work is delegated to the underlay DriverManager class. There is a security check wrapping the operations, not sure this affects the actions on Tomcat 10. Regards, *Hantsy Bai* Self-employed consultant, fullstack developer, agile coach GitHub: https://github.com/hantsy Twitter: https://twitter.com/@hantsy Medium: https://medium.com/@hantsy On Fri, Jan 7, 2022 at 12:42 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > Hantsy, > > On 1/5/22 23:31, hantsy bai wrote: > > I finally resolved this issue. Exclude the pg driver from war, and copy > it > > to tomcat/lib, it works. > > > > I remember in the past years, I preferred tomcat for Java Web > applications > > because I did not need to register a Jdbc driver but it is tedious work > in > > Java EE application servers, such as Glassfish, etc. But since Java EE 7, > > it supports packaging Jdbc drivers into war and register it automatically > > when deploying the application to the application servers. > > > > What happened in the tomcat classloader and war application classloader > of > > Tomcat 10? > > They still exist. The detailed answer to your question is on Stack > Overflow. What about that answer do you not understand? It explains what > you would need to do in order to get the driver to work when placed in > your WAR bundle. > > The problem is not Tomcat; the problem is the way that DriverManager > works, and Tomcat has no control over that. > > -chris > > > On Mon, Jan 3, 2022 at 12:02 PM hantsy bai wrote: > > > >> I have tried to update myself Spring 6/Jakarta EE9/Java 17, etc, and > >> created a simple war application, when deployed to Tomcat 10, failed, > due > >> to the famous *no suitable drivers*. > >> > >> I have created a detailed post on stackoverflow: > >> > >> > >> > https://stackoverflow.com/questions/70554119/no-suitable-drivers-available-when-deploying-a-spring-6-war-to-tomcat-10 > >> > >> Any suggestion is welcome. > >> Thanks. > >> > >> *Hantsy Bai* > >> > >> Self-employed consultant, fullstack developer, agile coach > >> > >> GitHub: https://github.com/hantsy > >> > >> Twitter: https://twitter.com/@hantsy > >> Medium: https://medium.com/@hantsy > >> > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: How do I allow CORS from any domain but only specific ports?
Thanks for the input!! --blake On Thu, Jan 6, 2022 at 4:36 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Blake, > > On 1/6/22 17:08, Blake McBride wrote: > > On Thu, Jan 6, 2022 at 3:42 PM Christopher Schultz < > > ch...@christopherschultz.net> wrote: > > > >> Blake, > >> > >> On 1/6/22 16:17, Blake McBride wrote: > >>> I think, for now, I'll just use * when developing and turned off when > in > >>> production. > >> > >> What's the point of that? The entire purpose of CORS is to protect users > >> from attackers while allowing legitimate uses of your own resources. > >> Running it in development-only protects nobody. > >> > > > > Did you read my entire sentence? > > Sorry, I read it like 50 more times before I finally understood. > > Some mail readers use "*" as a prefix for a quoted string, yadda yadda, > so for some reason I asssumed that "*" was either a typo or some kind of > MIME/whatever artifact and not a LITERAL ASTERISK. > > Oops. > > Makes *much* more sense when read properly. ;) > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: How do I allow CORS from any domain but only specific ports?
Blake, On 1/6/22 17:08, Blake McBride wrote: On Thu, Jan 6, 2022 at 3:42 PM Christopher Schultz < ch...@christopherschultz.net> wrote: Blake, On 1/6/22 16:17, Blake McBride wrote: I think, for now, I'll just use * when developing and turned off when in production. What's the point of that? The entire purpose of CORS is to protect users from attackers while allowing legitimate uses of your own resources. Running it in development-only protects nobody. Did you read my entire sentence? Sorry, I read it like 50 more times before I finally understood. Some mail readers use "*" as a prefix for a quoted string, yadda yadda, so for some reason I asssumed that "*" was either a typo or some kind of MIME/whatever artifact and not a LITERAL ASTERISK. Oops. Makes *much* more sense when read properly. ;) -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How do I allow CORS from any domain but only specific ports?
On Thu, Jan 6, 2022 at 3:42 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > Blake, > > On 1/6/22 16:17, Blake McBride wrote: > > I think, for now, I'll just use * when developing and turned off when in > > production. > > What's the point of that? The entire purpose of CORS is to protect users > from attackers while allowing legitimate uses of your own resources. > Running it in development-only protects nobody. > Did you read my entire sentence?
Re: How do I allow CORS from any domain but only specific ports?
Blake, On 1/6/22 16:17, Blake McBride wrote: I think, for now, I'll just use * when developing and turned off when in production. What's the point of that? The entire purpose of CORS is to protect users from attackers while allowing legitimate uses of your own resources. Running it in development-only protects nobody. I wonder if changing that method to protected might be a potential security hole. Not really. I mean, if someone can inject code into your process, they can overwrite the whole CorsFilter class anyway and just allow everything. Or simply remove the CorsFilter from the filter chain entirely. Or just attack you directly, instead of allowing HTTP requests from other places. In production, we don't use the CorsFilter but instead implement CORS at the reverse-proxy level. We use Apache httpd as our reverse-proxy and you can devise pretty exotic rules for how to reply to CORS requests. -chris On Thu, Jan 6, 2022 at 10:34 AM Christopher Schultz < ch...@christopherschultz.net> wrote: Blake, On 1/6/22 10:29, Blake McBride wrote: Greetings, I have been using the following with success: CorsFilter org.apache.catalina.filters.CorsFilter cors.allowed.headers Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers cors.exposed.headers Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials cors.allowed.origins http://localhost:63342 cors.allowed.methods GET, POST, HEAD, OPTIONS CorsFilter /* It allows me to allow CORS but only from http://localhost:63342. I'd like to change it to allow CORS from any IP but only ports 63342 and 8002. How can I specify that? I am using Tomcat 9.0.42 with JDK 8. I don't think you can do that with Tomcat's CORS filter. You can either "allow all" or you can list every origin. If you would like to hack on Tomcat, you could look at the private CorsFilter.isOriginAllowed method to see if you could come up with a more complicated way to evaluate the allowed-origins. Better yet, change the method to protected and then subclass the existing CorsFilter, adding whatever complexity you require. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How do I allow CORS from any domain but only specific ports?
Thanks, Christopher. I think, for now, I'll just use * when developing and turned off when in production. I wonder if changing that method to protected might be a potential security hole. Thanks! Blake McBride On Thu, Jan 6, 2022 at 10:34 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > Blake, > > On 1/6/22 10:29, Blake McBride wrote: > > Greetings, > > > > I have been using the following with success: > > > > > > CorsFilter > > org.apache.catalina.filters.CorsFilter > > > >cors.allowed.headers > > > Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers > > > > > >cors.exposed.headers > > > Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials > > > > > >cors.allowed.origins > >http://localhost:63342 > > > > > >cors.allowed.methods > >GET, POST, HEAD, OPTIONS > > > > > > > > CorsFilter > > /* > > > > > > > > It allows me to allow CORS but only from http://localhost:63342. I'd > like > > to change it to allow CORS from any IP but only ports 63342 and 8002. > How > > can I specify that? > > > > I am using Tomcat 9.0.42 with JDK 8. > > I don't think you can do that with Tomcat's CORS filter. You can either > "allow all" or you can list every origin. > > If you would like to hack on Tomcat, you could look at the private > CorsFilter.isOriginAllowed method to see if you could come up with a > more complicated way to evaluate the allowed-origins. > > Better yet, change the method to protected and then subclass the > existing CorsFilter, adding whatever complexity you require. > > -chris > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: Jdbc drivers not found on Tomcat 10
Hantsy, On 1/5/22 23:31, hantsy bai wrote: I finally resolved this issue. Exclude the pg driver from war, and copy it to tomcat/lib, it works. I remember in the past years, I preferred tomcat for Java Web applications because I did not need to register a Jdbc driver but it is tedious work in Java EE application servers, such as Glassfish, etc. But since Java EE 7, it supports packaging Jdbc drivers into war and register it automatically when deploying the application to the application servers. What happened in the tomcat classloader and war application classloader of Tomcat 10? They still exist. The detailed answer to your question is on Stack Overflow. What about that answer do you not understand? It explains what you would need to do in order to get the driver to work when placed in your WAR bundle. The problem is not Tomcat; the problem is the way that DriverManager works, and Tomcat has no control over that. -chris On Mon, Jan 3, 2022 at 12:02 PM hantsy bai wrote: I have tried to update myself Spring 6/Jakarta EE9/Java 17, etc, and created a simple war application, when deployed to Tomcat 10, failed, due to the famous *no suitable drivers*. I have created a detailed post on stackoverflow: https://stackoverflow.com/questions/70554119/no-suitable-drivers-available-when-deploying-a-spring-6-war-to-tomcat-10 Any suggestion is welcome. Thanks. *Hantsy Bai* Self-employed consultant, fullstack developer, agile coach GitHub: https://github.com/hantsy Twitter: https://twitter.com/@hantsy Medium: https://medium.com/@hantsy - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How do I allow CORS from any domain but only specific ports?
Blake, On 1/6/22 10:29, Blake McBride wrote: Greetings, I have been using the following with success: CorsFilter org.apache.catalina.filters.CorsFilter cors.allowed.headers Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers cors.exposed.headers Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials cors.allowed.origins http://localhost:63342 cors.allowed.methods GET, POST, HEAD, OPTIONS CorsFilter /* It allows me to allow CORS but only from http://localhost:63342. I'd like to change it to allow CORS from any IP but only ports 63342 and 8002. How can I specify that? I am using Tomcat 9.0.42 with JDK 8. I don't think you can do that with Tomcat's CORS filter. You can either "allow all" or you can list every origin. If you would like to hack on Tomcat, you could look at the private CorsFilter.isOriginAllowed method to see if you could come up with a more complicated way to evaluate the allowed-origins. Better yet, change the method to protected and then subclass the existing CorsFilter, adding whatever complexity you require. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: How to do a catch-all Host?
Chris: I figured out the problem. I put quotes around the secret in workers.properties since I had copied and pasted it from server.xml. I removed them and everything worked. Thanks for your help! Thank you, Neil -- Neil Aggarwal, (972) 834-1565, http://www.propfinancing.com We offer 30 year loans on single family houses! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
How do I allow CORS from any domain but only specific ports?
Greetings, I have been using the following with success: CorsFilter org.apache.catalina.filters.CorsFilter cors.allowed.headers Content-Type,X-Requested-With,Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Host,Pragma,Origin,Referer,User-Agent,Access-Control-Request-Method,Access-Control-Request-Headers cors.exposed.headers Access-Control-Allow-Origin,Content-Length,Content-Type,Date,Server,Access-Control-Allow-Credentials cors.allowed.origins http://localhost:63342 cors.allowed.methods GET, POST, HEAD, OPTIONS CorsFilter /* It allows me to allow CORS but only from http://localhost:63342. I'd like to change it to allow CORS from any IP but only ports 63342 and 8002. How can I specify that? I am using Tomcat 9.0.42 with JDK 8. Thanks for the help! Blake McBride
Re: 回复: getServerPort always return 80
Hi Wang, I hope that this link will help you to solve the problem: https://stackoverflow.com/questions/19751313/forward-request-headers-from-nginx-proxy-server You may check the tomcat access log to see what kind of traffic it received from nginx to confirm that your issue is related to nginx (probably some configuration change will help you to solve the problem) Anyway, good that you did a test to verify that this issue is not related to Tomcat. If the link does not help you to solve the problem, you should put your question better in a nginx forum than in a tomcat forum. Good luck. Best regards, Hua On Thu, Jan 6, 2022 at 10:45 AM 王 静凯 wrote: > Hi Hua, > >You are right, when tomcat listening port 80, then getServerPort > return 10001. >So how to resolve this problem when I use nginx as a reverse-proxy? >I write in nginx config file: > “proxy_set_header Host$http_host;” or “proxy_set_header > Host$host:10001;” >Then I write in jsp: > var ProxyPort = "<%= request.getServerPort() %>" > var header1 = "<%= request.getHeader("host") %>" > When I visit the jsp it print: > > var ProxyPort = "80" > > var header1 = "xx.xxx.xx.xxx:10001" > > > > The definition of getServerPort() is to return the value after ‘:’ > in host header, > >so maybe some code in getServerPort method could not process the > host header correctly and getHeader method can get the correct header value > at the same time? > > > >Hi Wang, A second application (nginx) is involved here. > > > >The problem can be related to nginx, nginx received a http traffic on > 10001 > >in access log does not mean that if forwards exactly the same original > http > >request. Probably some configuration needs to be changed there. You should > >take a look in the nginx documentation about port forwarding. > > > >You may also skip using nginx and mapping port 10001 directly to tomcat > >port 8080. In your browser typing your http://domain:10001, to check the > >getServerPort() value. > > > >This will help you to investigate if it is a Tomcat issue or not. > > > > > >Best regards, > > > >Hua > > > On Thu, Jan 6, 2022 at 6:39 AM 王 静凯 wrote: > > > Sorry for my poor English. > > I re-explain the problem: > > > > I mean the nginx listening on port 80 and tomcat listening on 8080. > > So the visitors in the LAN can use 80 to visit my website. > > Then the port 80 make a port mapping to port 10001. > > So the visitors use 10001 to visit my website via internet. > > At this time the browser send the Host header with value ‘domain:10001’. > > The nginx print the correct value ‘domain:10001’ in nginx access log. > > The jsp print the correct value ‘domain:10001’ when I use > > httpServletRequest.getHeader(“Host”). > > According to the definition of ‘getServerPort()’, it should return 10001 > > but now it return 80. > > What’s more, the port 80 not relate to nginx, just bcz I am using the > http > > protocol. > > > > In another server I found one more situation. > > The server has an internet IP and Tomcat listening 8080 and nginx > > listening 81. > > So there are no port mapping. > > The visitors use ‘http://domain:81’ to visit the website. > > At this time getServerPort() still return 80. > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > >
回复: 回复: getServerPort always return 80
Hi Hua, You are right, when tomcat listening port 80, then getServerPort return 10001. So how to resolve this problem when I use nginx as a reverse-proxy? I write in nginx config file: “proxy_set_header Host$http_host;” or “proxy_set_header Host $host:10001;” Then I write in jsp: var ProxyPort = "<%= request.getServerPort() %>" var header1 = "<%= request.getHeader("host") %>" When I visit the jsp it print: var ProxyPort = "80" var header1 = "xx.xxx.xx.xxx:10001" The definition of getServerPort() is to return the value after ‘:’ in host header, so maybe some code in getServerPort method could not process the host header correctly and getHeader method can get the correct header value at the same time? >Hi Wang, A second application (nginx) is involved here. > >The problem can be related to nginx, nginx received a http traffic on 10001 >in access log does not mean that if forwards exactly the same original http >request. Probably some configuration needs to be changed there. You should >take a look in the nginx documentation about port forwarding. > >You may also skip using nginx and mapping port 10001 directly to tomcat >port 8080. In your browser typing your http://domain:10001, to check the >getServerPort() value. > >This will help you to investigate if it is a Tomcat issue or not. > > >Best regards, > >Hua On Thu, Jan 6, 2022 at 6:39 AM 王 静凯 wrote: > Sorry for my poor English. > I re-explain the problem: > > I mean the nginx listening on port 80 and tomcat listening on 8080. > So the visitors in the LAN can use 80 to visit my website. > Then the port 80 make a port mapping to port 10001. > So the visitors use 10001 to visit my website via internet. > At this time the browser send the Host header with value ‘domain:10001’. > The nginx print the correct value ‘domain:10001’ in nginx access log. > The jsp print the correct value ‘domain:10001’ when I use > httpServletRequest.getHeader(“Host”). > According to the definition of ‘getServerPort()’, it should return 10001 > but now it return 80. > What’s more, the port 80 not relate to nginx, just bcz I am using the http > protocol. > > In another server I found one more situation. > The server has an internet IP and Tomcat listening 8080 and nginx > listening 81. > So there are no port mapping. > The visitors use ‘http://domain:81’ to visit the website. > At this time getServerPort() still return 80. > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
Re: 回复: getServerPort always return 80
Hi Wang, A second application (nginx) is involved here. The problem can be related to nginx, nginx received a http traffic on 10001 in access log does not mean that if forwards exactly the same original http request. Probably some configuration needs to be changed there. You should take a look in the nginx documentation about port forwarding. You may also skip using nginx and mapping port 10001 directly to tomcat port 8080. In your browser typing your http://domain:10001, to check the getServerPort() value. This will help you to investigate if it is a Tomcat issue or not. Best regards, Hua On Thu, Jan 6, 2022 at 6:39 AM 王 静凯 wrote: > Sorry for my poor English. > I re-explain the problem: > > I mean the nginx listening on port 80 and tomcat listening on 8080. > So the visitors in the LAN can use 80 to visit my website. > Then the port 80 make a port mapping to port 10001. > So the visitors use 10001 to visit my website via internet. > At this time the browser send the Host header with value ‘domain:10001’. > The nginx print the correct value ‘domain:10001’ in nginx access log. > The jsp print the correct value ‘domain:10001’ when I use > httpServletRequest.getHeader(“Host”). > According to the definition of ‘getServerPort()’, it should return 10001 > but now it return 80. > What’s more, the port 80 not relate to nginx, just bcz I am using the http > protocol. > > In another server I found one more situation. > The server has an internet IP and Tomcat listening 8080 and nginx > listening 81. > So there are no port mapping. > The visitors use ‘http://domain:81’ to visit the website. > At this time getServerPort() still return 80. > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >