Re: Tomcat MySQL Connection Pooling JNDI lookup

[Felix Schumacher]

Am 17. Juni 2024 22:18:53 MESZ schrieb Daniel Schwartz 
:
>Hello,
>
> 
>
>I'm trying to set up MySQL 8.0.11 database connection pooling in Tomcat
>10.1.24 on Windows 10.  The MySQL database is "holidays" with user name
>"root" and password "rootpwd". I've tried to follow the examples at
>https://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
>#MySQL_DBCP_2_Example. 
>
> 
>
>Attached are my files context.xml, which I put in the Tomcat conf directory,
>and web.xml, which I put in my project WEB-INF directory.  Also attached is
>my file DataSourceSingleton.java, which is the program file that crashes on
>the line
>
> 
>
>dataSource = (DataSource) ctx.lookup("jdbc/holidays");
>
> 
>
>producing the error message
>
> 
>
>javax.naming.NameNotFoundException: Name [jdbc/holidays] is not bound in
>this Context. Unable to find [jdbc].
>
> 
>
>in the Command Prompt where Tomcat is running.  I must be missing some
>little thing.  Can anyone help?

Have you added the MySQL jar to your installation? Where did you place it? 

Are there any error messages in catalina.out and/or localhost_.log files? 

Felix

>
> 
>
>Dan Schwartz
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

FW: Tomcat MySQL Connection Pooling JNDI lookup

[Daniel Schwartz]

Hello again

 

I sent the following message yesterday.  Is anyone going to reply?  I'm
totally stuck.  If no one can help, then I will have no alternative but to
abandon Tomcat and try some alternative.

 

Dan Schwartz

 

From: Daniel Schwartz  
Sent: Monday, June 17, 2024 4:19 PM
To: users@tomcat.apache.org
Subject: Tomcat MySQL Connection Pooling JNDI lookup

 

Hello,

 

I'm trying to set up MySQL 8.0.11 database connection pooling in Tomcat
10.1.24 on Windows 10.  The MySQL database is "holidays" with user name
"root" and password "rootpwd". I've tried to follow the examples at
https://tomcat.apache.org/tomcat-9.0-doc/jndi-datasource-examples-howto.html
#MySQL_DBCP_2_Example. 

 

Attached are my files context.xml, which I put in the Tomcat conf directory,
and web.xml, which I put in my project WEB-INF directory.  Also attached is
my file DataSourceSingleton.java, which is the program file that crashes on
the line

 

dataSource = (DataSource) ctx.lookup("jdbc/holidays");

 

producing the error message

 

javax.naming.NameNotFoundException: Name [jdbc/holidays] is not bound in
this Context. Unable to find [jdbc].

 

in the Command Prompt where Tomcat is running.  I must be missing some
little thing.  Can anyone help?

 

Dan Schwartz

<>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configuration of Certificate Verification on Tomcat 10

[Christopher Schultz]

Izek,

On 6/18/24 13:49, Izek Hornbeck wrote:

I am creating a Java web app (Java v17, 2021-09-14) that runs on a Tomcat
10.1.23 server. I need to authenticate users by verifying their certificate
from a smart card. (This Stack Overflow question I posted gives some good
context: "
https://stackoverflow.com/questions/78387597/what-is-the-standard-modern-way-to-use-cac-piv-card-authentication-in-java-tomca
".)

Through all the research I have done, the best way to solve this is by
using the server configuration in "server.xml". I am very new to Tomcat,
but I will try to explain everything as best as I can.

This authentication must occur after the user has entered their
credentials, so I'm thinking the best way is to redirect the user to a new
port (e.g., from 8443 to 8444) with the appropriate settings. And some
users will not be required to authenticate with a smart card certificate. I
asked another question on Stack Overflow ("
https://stackoverflow.com/questions/78624062/how-to-get-the-popup-menu-to-select-user-certificate-in-tomcat-10-server;)
that describes more of the things that I have tried specific to the server
config.

I added the command "-Djavax.net.debug=ssl" to see more details about what
was happening during the SSL handshake; I get the following:
  - javax.net.ssl|ALL|F3|https-jsse-nio-8444-exec-6|2024-06-18 10:25:02.564
MDT|X509Authentication.java:304|No X.509 cert selected for EC (and also
for EdDSA, RSA, and RSASSA-PSS)
  - javax.net.ssl|ERROR|E3|https-jsse-nio-8444-exec-5|2024-06-18
10:25:02.524 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE): Empty
client certificate chain
  - javax.net.ssl|ERROR|E2|https-jsse-nio-8443-exec-1|2024-06-18
10:25:02.532 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE):
Received fatal alert: bad_certificate

According to some sources (like "
https://stackoverflow.com/a/11803823/1587;) this happens because some
certificates have not yet been added to the keystore/truststore. I have
ensured that the test client certificates and the server certificate have
been successfully added to the stores.

The two major questions I have are these:
  1) How can I get the popup menu for the user to select their certificate
and enter the smart cards pin? (Both to set up their account and for later
logins.)
  2) How do I configure my server to accept the clients' certificates?

Let me know what more information would be useful.


Starting from your SO post:

>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="8444" maxThreads="150" SSLEnabled="true"
> maxParameterCount="1000" secure="true" scheme="https" >
>
>  sslProtocol="TLSv1.2"
> certificateVerification="true"

You don't actually want certificateVerification="true" here, unless you 
want every single connection to require a certificate to be presented. 
Since you mentioned you need to be able to support "sign up" and also 
first request some other kind of authentication (username/password?) and 
also some resources without client-certs, this setting *must* be set to 
something else.


I suspect you want clientAuth="false" which is counterintuitive, but it 
means that the web application gets to set the policy for if/when client 
certs are requested.


That means that your WEB-INF/web.xml file needs to declare one or more 
web-resource-collection elements as requiring CLIENT-CERT authentication.


I *think* that if you have clientAuth="false" you will get the behavior 
you want, but you are going to have to set up some places in your 
application where client certs are required versus not-required. Since 
you are building a new application and not trying to retrofit an old 
one, this may be relatively easy. Here's my recommendation:


1. Unauthenticated web-resource-collection

This basically has your login informational resources that never require 
any authentication in order to view. That includes images, CSS, etc. No 
need to define any authentication constraints.


2. Semi-authenticated web-resource-collection

This is only accessible to users who have successfully logged-in using 
your "easy" criteria such as username+password. Probably also any pages 
you need to display that say "okay, now you need to register your client 
certificate with your account" or whatever.


For this, you must set the user-roles you will allow to view these 
resources. You can use any combination of roles (I recommend "*"), 
because unauthenticated users have no roles. You can probably use "FORM" 
as the authentication type if you are using e.g. username+password.


3. Fully-protected web-resource-collection

These resources are only accessible using a client certificate. After 
registration, or after you have determined that a user must use a 
client-cert after successful "simple" authentication, just forward a 
user to a resource in this URL space.


You just set the authentication type to CLIENT-CERT, here.

Note that Tomcat uses one of several means of user-identification 

Configuration of Certificate Verification on Tomcat 10

[Izek Hornbeck]

I am creating a Java web app (Java v17, 2021-09-14) that runs on a Tomcat
10.1.23 server. I need to authenticate users by verifying their certificate
from a smart card. (This Stack Overflow question I posted gives some good
context: "
https://stackoverflow.com/questions/78387597/what-is-the-standard-modern-way-to-use-cac-piv-card-authentication-in-java-tomca
".)

Through all the research I have done, the best way to solve this is by
using the server configuration in "server.xml". I am very new to Tomcat,
but I will try to explain everything as best as I can.

This authentication must occur after the user has entered their
credentials, so I'm thinking the best way is to redirect the user to a new
port (e.g., from 8443 to 8444) with the appropriate settings. And some
users will not be required to authenticate with a smart card certificate. I
asked another question on Stack Overflow ("
https://stackoverflow.com/questions/78624062/how-to-get-the-popup-menu-to-select-user-certificate-in-tomcat-10-server;)
that describes more of the things that I have tried specific to the server
config.

I added the command "-Djavax.net.debug=ssl" to see more details about what
was happening during the SSL handshake; I get the following:
 - javax.net.ssl|ALL|F3|https-jsse-nio-8444-exec-6|2024-06-18 10:25:02.564
MDT|X509Authentication.java:304|No X.509 cert selected for EC (and also
for EdDSA, RSA, and RSASSA-PSS)
 - javax.net.ssl|ERROR|E3|https-jsse-nio-8444-exec-5|2024-06-18
10:25:02.524 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE): Empty
client certificate chain
 - javax.net.ssl|ERROR|E2|https-jsse-nio-8443-exec-1|2024-06-18
10:25:02.532 MDT|TransportContext.java:363|Fatal (BAD_CERTIFICATE):
Received fatal alert: bad_certificate

According to some sources (like "
https://stackoverflow.com/a/11803823/1587;) this happens because some
certificates have not yet been added to the keystore/truststore. I have
ensured that the test client certificates and the server certificate have
been successfully added to the stores.

The two major questions I have are these:
 1) How can I get the popup menu for the user to select their certificate
and enter the smart cards pin? (Both to set up their account and for later
logins.)
 2) How do I configure my server to accept the clients' certificates?

Let me know what more information would be useful.

Thanks,
Izek Hornbeck

RE: Not able to start WebApp on JDK 11

[Ed Rouse]

Update on shared

From: Shivaanand Verma 
Sent: Tuesday, June 18, 2024 1:30 PM
To: users@tomcat.apache.org
Subject: Not able to start WebApp on JDK 11

[External email: Use caution! Do not open attachments or click on links from 
unknown senders or unexpected emails.]
Hi All,

We are having a Jersey Servlet application running on the 9.0.80 version of
Apache Tomcat. Recently we've been trying to migrate our application from
JDK 8 to JDK 11.

The application used to run smoothly on JDK 8, but when compiled against
JDK 11, it does not start up. The tomcat webapps directory expands the
application.war file into its directory but the control never reaches
initialising classes. We are not able to understand what is blocking the
application from running since catalina.out and juli.log are not showing
any exceptions or error traces.

We've enabled debug logging using the 
logging.properties
 file too, but
still we don't see any logs in catalina.out. Is there a way to determine
why is tomcat not able to start the application or what classes it is
trying to load and is failing to do so?

Any help would be appreciated.

Thanks
Shivanand Verma

Not able to start WebApp on JDK 11

[Shivaanand Verma]

Hi All,

We are having a Jersey Servlet application running on the 9.0.80 version of
Apache Tomcat. Recently we've been trying to migrate our application from
JDK 8 to JDK 11.

The application used to run smoothly on JDK 8, but when compiled against
JDK 11, it does not start up. The tomcat webapps directory expands the
application.war file into its directory but the control never reaches
initialising classes. We are not able to understand what is blocking the
application from running since catalina.out and juli.log are not showing
any exceptions or error traces.

We've enabled debug logging using the logging.properties file too, but
still we don't see any logs in catalina.out. Is there a way to determine
why is tomcat not able to start the application or what classes it is
trying to load and is failing to do so?

Any help would be appreciated.

Thanks
Shivanand Verma

[ANN] Apache Tomcat 11.0.0-M21 (beta) available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M21 (beta).

Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is available to aid this process.

Apache Tomcat 11.0.0-M21 is a milestone release of the 11.0.x branch and
has been made to provide users with early access to the new features in
Apache Tomcat 11.0.x so that they may provide feedback. The notable
changes compared to 11.0.0-M20 include:

- Ensure that static resources deployed via a JAR file remain accessible
  when the context is configured to use a bloom filter. Based on a pull
  request provided by bergander.

- Add task queue size configuration on the Connector element, similar to
  the Executor element, for consistency.

- Update to Commons Daemon 1.4.0

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-11.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-11.cgi

Migration guides from Apache Tomcat 8.5.x, 9.0.x and 10.1.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org