Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Chuck Caldarale

> On May 22, 2024, at 13:31, Garber, Frank wrote:
> 
> Not knowing how it’s supposed to behave, here’s another clue. When I click on 
> the “Server Status” button, I never get prompted for credentials.


This sounds like a browser configuration problem. On the first attempt to 
access a protected resource, the server will return a 401 status with a 
WWW-Authenticate header listing the acceptable authentication mechanisms; for 
Tomcat, "Basic" is the default. The browser is then supposed to take the 
specified action to determine the credentials - for Basic, that’s the typical 
dialog box prompt.

If you’re using Edge (my condolences if so), go to edge://policy and look at 
the AuthSchemes entry; if it doesn’t include “basic”, you’ll never get the 
prompt.

Can you correct the Edge config or try a different browser?

  - Chuck
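
Added example, not part of Chuck's message: a Python sketch of the exchange described above, which reads the 401 response, lists the schemes offered in WWW-Authenticate, and compares them with a browser AuthSchemes policy value. The sample response, the realm text, the function names and the comma-separated form of the policy string are assumptions made for the illustration.

```python
import re

# Constructed sample: headers of the kind a server returns on the first,
# credential-less request to a protected page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 \r\n"
    'WWW-Authenticate: Basic realm="Tomcat Manager Application"\r\n'
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status_code, [(lowercased header name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def offered_schemes(headers):
    """Scheme names from all WWW-Authenticate headers, lowercased, in order."""
    schemes = []
    for name, value in headers:
        if name != "www-authenticate":
            continue
        # Blank out quoted strings so a comma inside a realm does not split.
        flat = re.sub(r'"(?:[^"\\]|\\.)*"', '""', value)
        for piece in flat.split(","):
            m = re.match(r"\s*([^\s=,]+)(\s*=)?", piece)
            # A leading token followed by "=" is a parameter of the previous
            # challenge; any other leading token starts a new challenge.
            if m and not m.group(2):
                schemes.append(m.group(1).lower())
    return schemes

def diagnose(status, headers, auth_schemes_policy=None):
    """Say which side to look at. auth_schemes_policy is the AuthSchemes
    value (assumed comma-separated), or None when the policy is not set."""
    if status != 401:
        return "no-challenge: status is not 401"
    offered = offered_schemes(headers)
    if not offered:
        return "server-side: 401 without a WWW-Authenticate header"
    if auth_schemes_policy is None:
        return "browser-should-prompt"
    allowed = {s.strip().lower() for s in auth_schemes_policy.split(",")}
    if any(s in allowed for s in offered):
        return "browser-should-prompt"
    return "browser-side: policy permits none of " + ",".join(offered)

if __name__ == "__main__":
    st, hd = parse_response(SAMPLE_RESPONSE)
    print(diagnose(st, hd))                           # policy not set
    print(diagnose(st, hd, "digest,ntlm,negotiate"))  # "basic" missing
```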



RE: Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank
Not knowing how it’s supposed to behave, here’s another clue. When I click on 
the “Server Status” button, I never get prompted for credentials. Is it a 
permissions problem on the server itself? Like the server doesn’t have rights 
to the HTML pages?

Thanks in advance,


RE: Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank
I’m not sure how the URLs got munged up.

What I have on my side is valid XML, so I’m not worried about that. I’m really 
just concerned that the following isn’t working:

  
  
  

   


Thanks in advance,

From: Chuck Caldarale 
Sent: Wednesday, May 22, 2024 2:16 PM
To: Tomcat Users List 
Subject: {EXTERNAL} Re: Tomcat Console - 401 Unauthorized


> On May 22, 2024, at 10:51, Garber, Frank 
> <francis.gar...@elevancehealth.com.INVALID> wrote:
>
> I've just installed Tomcat 9.0.89.

> Tomcat runs, and I can get to the console at http://localhost:8080/ but, when 
> I click on "Server Status" I get the 401 Unauthorized page.

> I've been editing the conf\tomcat-users.xml file and have tried MANY 
> different combinations of entries but, can't get past the 401 problem.

> Here's my current file contents:
>
>  xmlns=http://tomcat.apache.org/xml
>  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
>  xsi:schemaLocation=http://tomcat.apache.org/xml 
> tomcat-users.xsd>
>  version="1.0">

If the above is what you actually have in the .xml file, you should also be 
seeing parsing errors in the catalina.out log file, since it’s not valid XML. 
Once corrected to the following, access to the server status pages worked 
properly.

<tomcat-users xmlns="http://tomcat.apache.org/xml"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
  version="1.0">

Note the missing quotes and seriously munged-up xsi:schemaLocation attribute in 
your posting.

If you’re using an editor that thinks it’s clever to convert http:// references 
into HTML, get a better editor.

  - Chuck



CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information or may otherwise be protected by law. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail
and destroy all copies of the original message and any attachment thereto.


Re: Tomcat Console - 401 Unauthorized

2024-05-22 Thread Chuck Caldarale

> On May 22, 2024, at 10:51, Garber, Frank 
>  wrote:
> 
> I've just installed Tomcat 9.0.89.





> Tomcat runs, and I can get to the console at http://localhost:8080/ but, when 
> I click on "Server Status" I get the 401 Unauthorized page.





> I've been editing the conf\tomcat-users.xml file and have tried MANY 
> different combinations of entries but, can't get past the 401 problem.





> Here's my current file contents:
> 
> 
> 
> http://tomcat.apache.org/xml
>  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
>  xsi:schemaLocation=http://tomcat.apache.org/xml 
> tomcat-users.xsd
>  version="1.0">


If the above is what you actually have in the .xml file, you should also be 
seeing parsing errors in the catalina.out log file, since it’s not valid XML. 
Once corrected to the following, access to the server status pages worked 
properly.

<tomcat-users xmlns="http://tomcat.apache.org/xml"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
  version="1.0">

Note the missing quotes and seriously munged-up xsi:schemaLocation attribute in 
your posting.

If you’re using an editor that thinks it’s clever to convert http:// references 
into HTML, get a better editor.

  - Chuck
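
Added example, not part of Chuck's message: a Python check that a tomcat-users.xml is well-formed XML and that at least one user holds a role accepted for the Manager status pages. The sample files, the user name, the CHANGE_ME password placeholder and the function names are constructed; the role set is an assumption based on the Manager webapp's stock web.xml.

```python
import xml.etree.ElementTree as ET

# Assumption: roles the stock Manager webapp accepts for its status pages.
STATUS_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Constructed sample: unquoted attribute values, as in the posting above.
BROKEN = """<tomcat-users xmlns=http://tomcat.apache.org/xml
  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
  xsi:schemaLocation=http://tomcat.apache.org/xml tomcat-users.xsd
  version="1.0">
  <user username="viewer" password="CHANGE_ME" roles="manager-status"/>
</tomcat-users>
"""

# Constructed samples: corrected root element, with and without a usable role.
HEADER = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
  version="1.0">
"""
FOOTER = "</tomcat-users>\n"
FIXED = (HEADER
         + '  <user username="viewer" password="CHANGE_ME" roles="manager-status"/>\n'
         + FOOTER)
WRONG_ROLE = (HEADER
              + '  <user username="viewer" password="CHANGE_ME" roles="admin"/>\n'
              + FOOTER)

def local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def check_users_file(text):
    """Return (problems, usernames that can open the status pages)."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        # The same defect should show up as a parse error in Tomcat's log.
        return [f"XML parse error: {exc}"], []
    problems, allowed = [], []
    if local(root.tag) != "tomcat-users":
        problems.append(f"unexpected root element <{local(root.tag)}>")
    for elem in root:
        if local(elem.tag) != "user":
            continue
        name = elem.get("username", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not name or not elem.get("password"):
            problems.append("user entry without username or password")
        if roles & STATUS_ROLES:
            allowed.append(name)
    if not allowed:
        problems.append("no user holds a role that grants the status pages")
    return problems, allowed

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED), ("wrong role", WRONG_ROLE)):
        print(label, check_users_file(doc))
```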



Tomcat Console - 401 Unauthorized

2024-05-22 Thread Garber, Frank
Hello Group,

I've just installed Tomcat 9.0.89.

First, the first few lines of the Catalina log:
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED 
--add-opens=java.base/java.io=ALL-UNNAMED 
--add-opens=java.base/java.util=ALL-UNNAMED 
--add-opens=java.base/java.util.concurrent=ALL-UNNAMED 
--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
usage: java org.apache.catalina.startup.Catalina [ -config {pathname} ] [ 
-nonaming ] [ -generateCode [ {pathname} ] ] [ -useGeneratedCode ] { -help | 
start | stop }
22-May-2024 11:16:47.794 INFO [main] 
org.apache.catalina.startup.VersionLoggerListener.log Server version name:   
Apache Tomcat/9.0.89

Tomcat runs, and I can get to the console at http://localhost:8080/ but, when I 
click on "Server Status" I get the 401 Unauthorized page.

I've been editing the conf\tomcat-users.xml file and have tried MANY different 
combinations of entries but, can't get past the 401 problem. I know I'm editing 
the correct file as I see Tomcat logging:
22-May-2024 11:30:00.479 INFO [Catalina-utility-1] 
org.apache.catalina.users.MemoryUserDatabase.backgroundProcess Reloading memory 
user database [UserDatabase] from updated source 
[file:/C:/myProgs/apache-tomcat-9.0.89/conf/tomcat-users.xml]

Regardless, I stop and restart Tomcat to make sure it's picking up the changes.

Here's my current file contents:



http://tomcat.apache.org/xml
  xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance
  xsi:schemaLocation=http://tomcat.apache.org/xml 
tomcat-users.xsd
  version="1.0">

  
  

   




Thanks in advance,
F



Re: Regarding Tomcat url redirection

2024-05-22 Thread lavanya tech
Hello Chris,
> Separate server.xml files means that you have to have two separate
> Tomcat processes.
 --> Of course, we defined two separate processes for it but still there was
some bug with Tomcat as the webpage is fluctuating.

> The best fix is to deploy the two applications normally without any
> funny business. Put both applications into webapps/ with no 
> elements in server.xml and let them deploy. Use the correct URLs to
> access them. It's obviously some internal thing to your company because
> nobody is going to use :8443 in the real world.
- Definitely, it's an internal thing and that's the reason I have posted here
for suggestions and I always tried the things that were suggested by you.
> I'm sorry, but it seems like you are being given arbitrary and weird
> requirements almost as a game
- I have not given requirements as a game, please understand that those are
the requirements that one needed to achieve with Tomcat. I understood with
Tomcat it's getting complicated and hence solved it by installing a reverse
proxy where my requirements are fulfilled.

Thanks for your support.

Thanks,
Lavanya


On Thu, May 16, 2024 at 11:52 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Lavanya,
>
> On 5/15/24 09:09, lavanya tech wrote:
> > Hi Chris,
> >
> >> 
> >
> > If i remove this from server.xml file i have the below error.
> >
> > Message java.lang.NoClassDefFoundError: org/towl/indexer/web/Prefix
> >
> > Description The server encountered an unexpected condition that prevented
> > it from fulfilling the request.
> >
> > Exception
> >
> > jakarta.servlet.ServletException: java.lang.NoClassDefFoundError:
> > org/towl/indexer/web/Prefix
> > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
> > jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
> > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
>
> That smells like a CLASSPATH problem where your application is not
> actually packaged properly. It could be something else, but it looks
> suspicious.
>
> > The "aliasing" will always be weird. IMO it's better to redirect. If you
> > change to redirect, does everything *work*, even if you don't like how
> > the browser's URL bar displays?
> >--> I tried but it did not work
> > ok apart from this topic , we have one more issue found.
> >
> >
> > Actually application team, they are deploying two applications one with
> > towl (which you are already aware) the other one is (towl-app) they have
> > defined separate server.xml for both.
>
> Separate server.xml files means that you have to have two separate
> Tomcat processes.
>
> > Name:server.lbg.com
> > Address:  192.168.200.120
> > Aliases:  example.lbg.com
> >
> >
> > Name:server.lbg.com
> > Address:  192.168.200.120
> > Aliases:  example-app.lbg.com
> >
> > which means we have two aliases for server.lbg.com , earlier we were
> > concentrating only on one example.lbg.com , now i wanted to somehow enable
> > access as the same for the other one also
> > https://example-app.lbg.com --> https://server.lbg.com:8444/towl-app
> >
> > So i created iptable rule in the same way as before redirect 443 to 8444 and
> > i have the urls working same as example.lbg.com
> >
> > Both the server.xml files are here
> >
> > /git/towl/apachetomcat/conf/server.xml
> > /git/towl-app/apachetomcat/conf/server.xml --> I changed the port of
> > connectors and everything
> >
> > But now when i try to access https://example.lbg.com --> I get webpage of
> > https://example-app.lbg.com and sometimes i get webpage of
> > https://example.lbg.com after refresh itself which is weird
> >
> > May i know why this is happening. If we fix this then I am thinking to
> > disable the unwanted urls leaving the required ones. for example the below
> > ones. I think that would be easier ? rather than redirecting or aliasing-->
> > Because we noticed that towl application is already pointing with
> > https://example.lbg.com
> >
> > https://server.lbg.com:8443
> >https://example-lbg.com:8443
> >
> > 
> > https://server.lbg.com:8444
> >https://example-lbg.com:8444
> >
> > 
> >
> > kindly suggest us a fix.
>
> The best fix is to deploy the two applications normally without any
> funny business. Put both applications into webapps/ with no 
> elements in server.xml and let them deploy. Use the correct URLs to
> access them. It's obviously some internal thing to your company because
> nobody is going to use :8443 in the real world.
>
> I'm sorry, but it seems like you are being given arbitrary and weird
> requirements almost as a game.
>
> I'm not sure I can help you any further at this point.
>
> -chris
>
> > On Wed, May 15, 2024 at 2:16 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Lavanya,
> >>
> >> On 5/15/24 04:43, lavanya 

Re: JVM crashing with caCertificatePath in server.xml

2024-05-22 Thread Michael Osipov
On 2024/05/22 00:05:18 Andy Arismendi wrote:
> Hi Michael, you had asked to try these - 
> http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/. I replaced my 
> files with these but Tomcat failed to start at this point with this message -
> 
> 22-May-2024 00:02:30.808 INFO [main] org.apache.coyote.AbstractProtocol.init 
> Initializing ProtocolHandler ["https-openssl-nio2-10.232.115.117-443"]
> OPENSSL_Uplink(7FFEEBF10C88,08): no OPENSSL_Applink

Copied and compiled applink.c into the library, and updated at the given 
location. Please try again.

M

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JVM crashing with caCertificatePath in server.xml

2024-05-22 Thread Andy Arismendi
Michael, good news, it’s working now. The issue was on my end: I was using a 
custom OpenSSL installer that was built with FIPS and it had also put the two 
openssl lib DLLs in Windows System32. After fixing that, Tomcat started without 
a JVM crash with caCertificatePath set in server.xml.

Thanks!
-Andy




Re: JVM crashing with caCertificatePath in server.xml

2024-05-22 Thread Michael Osipov
On 2024/05/22 00:05:18 Andy Arismendi wrote:
> Hi Michael, you had asked to try these - 
> http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/. I replaced my 
> files with these but Tomcat failed to start at this point with this message -
> 
> 22-May-2024 00:02:30.808 INFO [main] org.apache.coyote.AbstractProtocol.init 
> Initializing ProtocolHandler ["https-openssl-nio2-10.232.115.117-443"]
> OPENSSL_Uplink(7FFEEBF10C88,08): no OPENSSL_Applink

Darn, the dreaded applink.c. Though, I do not understand why it works for me, 
but not for you. I need to see how to add the object into tcnative's build. 
Give me some time.

M




Re: JVM crashing with caCertificatePath in server.xml

2024-05-22 Thread Michael Osipov
On 2024/05/21 18:04:18 Christopher Schultz wrote:
> Michael,
> 
> On 5/21/24 03:32, Michael Osipov wrote:
> > On 2024/05/20 13:30:43 Christopher Schultz wrote:
> >> Michael,
> >>
> >> On 5/20/24 06:52, Michael Osipov wrote:
> >>> On 2024/05/17 15:11:58 Christopher Schultz wrote:
> >>>> Michael,
> >>>>
> >>>> On 5/17/24 03:42, Michael Osipov wrote:
> >>>>> On 2024/05/16 21:37:34 Christopher Schultz wrote:
> >>>>>> Michael,
> >>>>>>
> >>>>>> On 5/16/24 12:00, Michael Osipov wrote:
> >>>>>>> On 2024/05/16 15:55:04 Andy Arismendi wrote:
> >>>>>>>> Ok great! Thank you for taking the time and making the effort to 
> >>>>>>>> look into this Michael, much appreciated!
> >>>>>>>
> >>>>>>> Here is a dynamically linked, patched version until there is an 
> >>>>>>> official release: 
> >>>>>>> http://home.apache.org/~michaelo/issues/tomcat/openssl-crash/
> >>>>>>>
> >>>>>>> Please give it a try.
> >>>>>>
> >>>>>> Since you have produced a debug build of tcnative (and other
> >>>>>> components?) could you post the debug trace of the native stack?
> >>>>>
> >>>>> Unfortunately I can't. While I have the files with debug symbols I am 
> >>>>> limited by https://github.com/mturk/cmsc?tab=readme-ov-file#warning. I 
> >>>>> don't have a full blown Visual Studio installed.
> >>>>
> >>>> Okay. If you did build with VS, can you get a debug build with a 
> >>>> backtrace?
> >>>
> >>> Unfortunately not. Currently, I don't have the capacity to do so.
> >>>
> >>>> I guess you already tracked the crash to openssl_fopen. When I did a
> >>>> decompile of the official binary, I can see the code but it's very
> >>>> difficult to read:
> >>>>
> >>>> void FUN_1800cccd0(char *param_1,char *param_2)
> >>>>
> >>>> {
> >>>>
> >>>> }
> >>>>
> >>>> Thanks for helping to at least link it to this openssl source:
> >>>>
> >>>> https://github.com/openssl/openssl/blob/45f5d51b72a262bf85c4461fbded91485ce6b9da/crypto/o_fopen.c#L38
> >>>>
> >>>> Since libtcnative.dll is statically-linked, it doesn't even need a
> >>>> symbol table for internal calls so the openssl_fopen token is completely
> >>>> lost. Also, libtcnative contains all of TCN, APR, and OpenSSL. TCN
> >>>> doesn't make direct Win32 calls so that leaves ... all of APR and
> >>>> OpenSSL to search for this pattern of calls.
> >>>>
> >>>> Since you know where the fault is occurring, do you know the native
> >>>> call-trace being performed? I'd love to know which component along the
> >>>> way is not properly checking for NULL.
> >>>
> >>> Yes, sure:
> >>> * 
> >>> https://github.com/apache/tomcat-native/blob/6a6a6b2395036c6a6cabb2b8af22aa329e438436/native/src/sslcontext.c#L711
> >>
> >> So, 'file' is null on this line? If so, I guess the bug is in tcnative.
> > 
> > Yes, it is NULL. I don't think that the bug is necessarily in tcnative 
> > because other functions in OpenSSL do support NULL and fail appropriately. I 
> > consider this either bad documentation or missing input validation.
> > 
> >>> * 
> >>> https://github.com/openssl/openssl/blob/45f5d51b72a262bf85c4461fbded91485ce6b9da/ssl/ssl_cert.c#L834
> >>> * 
> >>> https://github.com/openssl/openssl/blob/45f5d51b72a262bf85c4461fbded91485ce6b9da/crypto/o_fopen.c#L42
> >>
> >> Where does the call go from BIO_read_filename to openssl_fopen?
> > 
> > Here: 
> > https://github.com/openssl/openssl/blob/45f5d51b72a262bf85c4461fbded91485ce6b9da/crypto/bio/bss_file.c#L267-L295
> 
> That's in file_ctrl(). What's the full call trace from tcnative's 
> setCACertificate through to openssl_fopen?

BIO_read_filename() is a macro, if you trace down the resolution manually you 
will end up in the resources I have provided you. Took me some time.

M
