Re: How to have a custom classloader outside Tomcat's own lib-dir?
Hello Thorsten Schöning, on Monday, 17 April 2023 at 13:16 you wrote:

>> common.loader=[...],"${catalina.base}/lib_custom/*.jar"
>> common.loader=[...],"${catalina.home}/lib_custom/*.jar"
>> common.loader=[...],"${catalina.base}/lib_custom/custom.jar"
>> common.loader=[...],"${catalina.home}/lib_custom/custom.jar"

No idea what I did wrong before, but this works now as long as I have the correct path to the JAR.

> common.loader="[...],"${catalina.base}/Tomcat_ClassLoader.jar"
> common.loader="[...],"${catalina.base}/webapps/RIFF/WEB-INF/lib/Tomcat_ClassLoader.jar"

Kind regards

Thorsten Schöning

--
AM-SoFT IT-Service - Bitstore Hameln GmbH
Member of the Bitstore Group - your full-service provider for IT and telecommunications

E-Mail: thorsten.schoen...@am-soft.de
Web: http://www.AM-SoFT.de/

Tel: +49 5151- 9468- 0
Tel: +49 5151- 9468-55
Mobil: +49 178-8 9468-04

AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 221853 - Managing director: Janine Galonska

I am available at any time if you have questions.

Kind regards,
Thorsten Schöning
Phone: +49 5151 9468-55
Fax:
E-Mail: tschoen...@am-soft.de

AM-Soft IT-Service - Bitstore Hameln GmbH
Brandenburger Straße 7c
31789 Hameln

This e-mail may contain confidential and/or privileged information and is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

Privacy notice: bitstore.group/datenschutz

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: How to have a custom classloader outside Tomcat's own lib-dir?
Hello Mark Thomas, on Monday, 17 April 2023 at 12:13 you wrote:

> What are those reasons? I'm wondering if the reasons have any impact on the
> answer.

Unlikely, it's about business logic. The custom classloader uses some custom config file to maintain additional JARs for the classloader based on a custom feature system enabling/disabling things. For the time being that classloader is needed, but the interesting question is where the JAR file is stored and where the classloader is actually enabled/used. If it really needs to be in some Tomcat server side config or can be placed into a webapp.

> That should have worked and is the approach I'd recommend. Exactly
> what did you change when you tried this?

Something along the following, don't have the exact lines anymore. Need to try again at some later time not that I know it's the correct approach at all in theory.

> common.loader=[...],"${catalina.base}/lib_custom/*.jar"
> common.loader=[...],"${catalina.home}/lib_custom/*.jar"
> common.loader=[...],"${catalina.base}/lib_custom/custom.jar"
> common.loader=[...],"${catalina.home}/lib_custom/custom.jar"

> No. Tomcat needs to be able to load the custom class loader in order to
> configure it.

Just to be sure: I don't necessarily need Tomcat-level classloader, but webapp-specific might be sufficient. But on that level there's no way to use a custom classloader or is there? I'm e.g. using Axis2 as a webapp in Tomcat and that does support a custom classloader. But that is simply because it does so on its own, has nothing to do with Servlet standards?

Kind regards

Thorsten Schöning
How to have a custom classloader outside Tomcat's own lib-dir?
Hi everyone,

I have some app consisting of a directory layout with some bundled Tomcat, containing at least one exploded webapp. For various reasons, that webapp needs its own classloader, which is currently configured in context.xml of Tomcat and stored in its own lib-dir. I don't like putting custom JARs into the default deployment of Tomcat too much.

>
>

So, is there some way to put the JAR elsewhere? Whatever I tested didn't work, e.g. adding the JAR to "common.loader". But I must admit that I didn't fully understand if common.loader is used to load the custom loader at all or only afterwards and stuff.

Or is there some way to not use Tomcat's "Loader" above and only maintain a custom, webapp-specific classloader in the one webapp needing it? I've searched for something like "setClassLoader" and found it for some servlet containers, but it doesn't seem to be standard and supported by Tomcat.

Thanks for your input!

Kind regards

Thorsten Schöning
Re: Why does LockOutRealm not support CredentialHandler?
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 13:35 you wrote:

> I really don't know why you are seeing that warning. You aren't
> explicitly-setting a CredentialHandler on your LockOutRealm and
> that's the only time this warning should be shown.[...]

Yes I did during tests when the credential handler didn't work as expected for the user database. I simply moved it up for test purposes, got the warning and thought there was some fundamental underlying problem.

Kind regards

Thorsten Schöning
Re: Why does LockOutRealm not support CredentialHandler?
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:50 you wrote:

> resourceName="UserDatabase">
> className="org.apache.catalina.realm.SecretKeyCredentialHandler"
> algorithm="PBKDF2WithHmacSHA512"
> iterations="10"
> keyLength="256"
> saltLength="16"
>

That worked right from the start, I had a DIGEST in tomcat-users.xml and was able to login with plain-text password provided to the browser.

>
> ...
>

Adding that didn't work, I was only able to login with providing the DIGEST of tomcat-users.xml as password to the browser, which actually made it a plain-text password at the server. The following fit as well to what I recognized:

https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

BUT: I gave things an additional try now and especially after the discussion about auth-method BASIC vs. DIGEST and login DOES work now! I most likely not only added LockOutRealm at some point, but switched from BASIC auth to DIGEST as well, because I've read that in the CIS spec I worked with. That combination can't work and at some point I most likely became frustrated and changed DIGEST back to BASIC, while having changed other aspects of the realms already or might have simply forgotten to change passwords vs. digests in tomcat-users.xml or whatever.

So, I guess the reason for the warning about an ignored credential helper in LockOutRealm simply is because it doesn't handle credentials at all? And as LockOutRealm forwards actual login to its children THEIR assigned credential handlers are properly taken into account?

So whatever the SO-guy sees, might have a different root cause, as it was the case for me. Thanks for triggering me to try again! Might have been too late already at Monday as well. :-)

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:17 you wrote:

> You should double-check the definition of "compliant to CIS
> benchmark spec" because there is no way in hell that HTTP DIGEST is
> required.[...]

The spec doesn't tell me exactly to use auth-method DIGEST, but their example configs and stuff use exactly that.

> $ grep -i
> [.\n]*DIGEST[.\n]*
> UserDatabase[.\n]*
> $CATALINA_HOME/webapps/manager/WEB-INF/web.xml

And here it comes:

> If a Realm exists without a digest attribute or without a value for
> the digest attribute, this is a fail.

That sentence is for Tomcat 9, in which that attribute has been removed as well already, hasn't it? They don't even mention any credential handler possible in Tomcat at all, even those are superior to using the digest attribute. So this whole abstract seems broken in the CIS spec to me and I just needed to collect input how to deal with that.

OTOH, thinking about it again, the customer says to run automatic CIS checks using some app and that didn't complain about auth-method BASIC yet. So using that with PBKDF2WithHmacSHA512 seems to be fine even more.

Kind regards

Thorsten Schöning
Re: Why does LockOutRealm not support CredentialHandler?
Hello Christopher Schultz, on Wednesday, 16 November 2022 at 04:00 you wrote:

> Thorsten, what makes you say "it doesn't work" and "LockoutRealm
> ignores any credential handler"? When you say "it doesn't work"...
> what DOES it do?

IGNORES because it logs a corresponding warning on explicitly configured credential handlers for the LockOutRealm itself and uses a hard-coded default handler, which only allows plain-text passwords in tomcat-users.xml.

Or to be more specific, whatever is input into tomcat-users.xml is simply used as plain-text password, so adding a digest based on PBKDF2WithHmacSHA512 won't let you login with the real plain-text provided to the browser by the user. But it allows login when providing the digest as plain-text password.

If credential handlers are configured for child realms, those are simply ignored as well, even without any warning this time. Which makes it additionally difficult to debug this whole setup.

> In Tomcat 10 BTW, the "digest" attribute has been removed in favor
> of a properly-configured . Note that you can't
> use "digest" and also get acceptable security out of the Realm, anyway.

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 20:44 you wrote:

> Assuming digesting passwords with one round of MD5 and no salt
> isn't acceptable (I'd be surprised if it was) then you are probably
> looking at HTTPS + BASIC + PBKDF2WithHmacSHA512.

Thanks for that clarification, it's exactly what I expected.

My major problem is that I have IT sec of some customer requiring me that the Tomcat is configured compliant to CIS benchmark spec. One requirement is to not have cleartext passwords in tomcat-users.xml, which is possible with your suggestion. But at the same time config examples of that spec use auth-method DIGEST and as we both seem to agree, that doesn't make too much sense. Other parts of the spec don't make sense in this special aspect as well and simply seem outdated and copied over from VERY old Tomcats.

So, my approach will be to use HTTPS + BASIC + PBKDF2WithHmacSHA512 most likely and simply tell IT sec that CIS benchmark stuff doesn't work in that aspect and PBKDF2WithHmacSHA512 is superior. The used app does plain-text auth on its own as well and they need to trust HTTPS as well, so no real problem, besides that vood spec.

Thanks for input!

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 18:36 you wrote:

> Please go and read my email - and the links I provided - again.

I did, so feel free to tell me how I tell my browser to use my plain-text password as PBKDF2WithHmacSHA512 digest with 10 iterations, a key length of 256 bits and a salt of 16 bytes. Because my browser's dialog asking for username and password doesn't allow me to put any of these options in.

Are you sure to have understood that I already know how to store a digest with those settings in tomcat-users.xml? That wasn't the question. The question was this aspect from your own link:

> When the authenticate() method of the Realm is called, the
> (cleartext) password specified by the user is itself digested by the
> same algorithm[...]

There is no cleartext password from the user from the browser if "DIGEST" is used. The cleartext password needs to be available in tomcat-users.xml, but isn't when using PBKDF2WithHmacSHA512.

Kind regards

Thorsten Schöning
Re: Why does LockOutRealm not support CredentialHandler?
Hello Rémy Maucherat, on Tuesday, 15 November 2022 at 12:59 you wrote:

> Maybe NestedCredentialHandler could be used to construct a
> CredentialHandler that could be useful to the application, but this
> needs more thought.

That wouldn't change anything, as that handler would be ignored and/or warned about again. The problem is the strategy from which realm to get the handler and a depth-first approach seems to make most sense.

I've created a bug now, this should at least be documented as widely as possible. In the best case even enhanced of course.

https://bz.apache.org/bugzilla/show_bug.cgi?id=66349

Kind regards

Thorsten Schöning
Re: How do auth-method BASIC and DIGEST play together with some credential helper?
Hello Mark Thomas, on Tuesday, 15 November 2022 at 12:51 you wrote:

> In short, the digested value you save as the user credential is one
> of the inputs the client uses when calculating the value to use in
> the authorization header.[...]

My client is a browser and that asks me for plain-text passwords. There's no way I could provide a digest generated using PBKDF2WithHmacSHA512 with the settings mentioned in my former mail. And even if there was, that digest would be a plain-text password again.

Kind regards

Thorsten Schöning
How do auth-method BASIC and DIGEST play together with some credential helper?
Hi everyone,

I have some webapp hosted by Tomcat and need to restrict user access to some part of that. One additional requirement is that this app needs to be CIS benchmark compliant and that requires to not store plain-text passwords. So consider the following user database and credential helper being used to store hashed passwords in "tomcat-users.xml".

> resourceName="UserDatabase">
>   className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>   algorithm="PBKDF2WithHmacSHA512"
>   iterations="10"
>   keyLength="256"
>   saltLength="16"
> />
>

And here's where things become interesting, because the docs of the CIS benchmark PDF are using a DIGEST auth-method instead of my used BASIC one.

>
> BASIC
> interner Bereich
>

From my understanding, the BASIC auth-method results in the browser sending plain-text passwords to the server, which can then be processed by some credential helper to compare the results to what is stored in tomcat-users.xml. OTOH, when using DIGEST, the browser won't ever send plain-text passwords and sends hashes already, which need to be compared by Tomcat. To be able to calculate the same hash, AFAIK Tomcat needs the plain-text password itself as well. But because of DIGEST auth-method and the already hashed password in tomcat-users.xml, it can't have access to the plain-text password. That's the overall goal of using the credential helper in this case.

Additionally, from my understanding DIGEST auth-method has nothing to do with any digest config of any realm or credential helper. It's really distinguishing on HTTP level how browser and Tomcat share credentials.

So, is it even possible to use SecretKeyCredentialHandler and auth-method DIGEST together or am I required to use BASIC? If DIGEST is supported, how does that and credential helper work together without plain-text password available at the server at all?

Of course there's TLS in place, it's really about following the CIS benchmark as much as possible for some customer requirements. But some parts of that CIS benchmark don't make too much sense to me.

Thanks for your help!

Kind regards,
Thorsten Schöning
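The mismatch discussed in this thread, as an added example that is not part of the original mails and not Tomcat's own code: with DIGEST the server has to recompute the client's response from HA1 = MD5(username:realm:password) as defined in RFC 2617, so a salted PBKDF2 value cannot take that role, while with BASIC the server receives the password and can repeat PBKDF2 over it. The class name, user name, password, nonce values and URI are constructed sample values; the realm name and the PBKDF2 parameters are the ones from the mail above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; not code from Tomcat or from the mails.
public class DigestVsStoredHash {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    static String md5Hex(String s) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return hex(md.digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    // RFC 2617, qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2),
    // with HA2 = MD5(method:uri). HA1 is the only secret input.
    static String digestResponse(String ha1, String nonce, String nc, String cnonce,
                                 String method, String uri) throws Exception {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // PBKDF2 with the parameters from the mail: 10 iterations, 256-bit key.
    static byte[] pbkdf2(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 10, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512")
                .generateSecret(spec).getEncoded();
    }

    // Constant-time comparison of two hex strings.
    static boolean sameText(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; only the realm name comes from the mail.
        String user = "alice";
        String realm = "interner Bereich";
        String password = "correct horse";
        String nonce = "5ccc069c403ebaf9";
        String nc = "00000001";
        String cnonce = "0a4f113b";
        String method = "GET";
        String uri = "/intern/index.jsp";

        // Browser: derives HA1 from the typed password and sends only the response.
        String clientHa1 = md5Hex(user + ":" + realm + ":" + password);
        String clientResponse = digestResponse(clientHa1, nonce, nc, cnonce, method, uri);

        // Server variant 1: HA1 is the stored credential. The response can be
        // recomputed, but HA1 alone is enough to answer any challenge for this
        // realm, so the stored value must be protected like a password.
        String storedHa1 = md5Hex(user + ":" + realm + ":" + password);
        boolean digestWithHa1 = sameText(
                digestResponse(storedHa1, nonce, nc, cnonce, method, uri), clientResponse);

        // Server variant 2: only salt and PBKDF2 output are stored. HA1 cannot be
        // derived from them, and using the PBKDF2 value in its place never matches.
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] storedKey = pbkdf2(password, salt);
        boolean digestWithPbkdf2 = sameText(
                digestResponse(hex(storedKey), nonce, nc, cnonce, method, uri), clientResponse);

        // BASIC: the password itself arrives in the Authorization header (so the
        // TLS mentioned in the mail is what protects it in transit), and the
        // server repeats PBKDF2 with the stored salt and compares the keys.
        boolean basicWithPbkdf2 = MessageDigest.isEqual(pbkdf2(password, salt), storedKey);

        System.out.println("DIGEST, server stores HA1:    " + digestWithHa1);
        System.out.println("DIGEST, server stores PBKDF2: " + digestWithPbkdf2);
        System.out.println("BASIC,  server stores PBKDF2: " + basicWithPbkdf2);
    }
}
```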
Why does LockOutRealm not support CredentialHandler?
Hi everyone,

I have some webapp hosted by Tomcat and need to restrict user access to some part of that. One additional requirement is that this app needs to be CIS benchmark compliant and that requires to use LockOutRealm and restricts storing plain-text passwords. Therefore, the ultimate solution in my case would be the following:

>
> resourceName="UserDatabase">
>   className="org.apache.catalina.realm.SecretKeyCredentialHandler"
>   algorithm="PBKDF2WithHmacSHA512"
>   iterations="10"
>   keyLength="256"
>   saltLength="16"
> />
>
>

But that doesn't work, because LockOutRealm ignores any credential handler. Additionally, with my used Tomcat 10, I'm unable to set any "digest" attribute on the realm itself anymore as well. The only way to fulfill both requirements is to implement a custom realm.

> Nov 14, 2022 9:03:48 PM org.apache.catalina.realm.CombinedRealm
> setCredentialHandler
> WARNUNG: A CredentialHandler was set on an instance of the
> CombinedRealm (or a sub-class of CombinedRealm). CombinedRealm
> doesn't use a configured CredentialHandler. Is this a configuration
> error?

https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/LocalStrings.properties#L23
https://github.com/apache/tomcat/blob/1e8ed80849f2766d3c5b27e09ef53029e1a1a88e/java/org/apache/catalina/realm/CombinedRealm.java#L466
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
https://stackoverflow.com/questions/64733766/how-to-get-tomcat-credentialhandler-inside-java-when-nested-in-lockoutrealm

So, what's the reason for not supporting credential handlers for LockOutRealm? Doesn't make too much sense to me, especially as most docs I came across use LockOutRealm in combination with some other realm and there are no docs saying that a fundamental concept like credential helpers won't work at all in this setup.

Additionally, when researching about that task, some people even claim that the above XML config works, but it simply can't. I don't see any code in LockOutRealm to ask other realms about their credential handlers.

I've had a look at the bugtracker already and couldn't find this topic discussed or a reason for the implementation. OTOH, someone did add some code to explicitly log a warning message instead of fixing the underlying problem.

Is the problem really to decide which of the child realms to choose for its credential handler to use? In the easiest case simply use the first credential handler found with a depth-first search, that should work for the majority of use-cases. Other aspects of the config like default assumed nesting level of realms and stuff seem hard-coded as well.

Would be glad to read some thoughts, as I need to decide how to deal with this limitation right now. Thanks!

Kind regards,
Thorsten Schöning
Re: Experiences with Tomcat in some IoT-project?
Hello Christopher Schultz, on Thursday, 17 October 2019 at 18:48 you wrote:

> When you say that your desired 1GiB board doesn't "fit into
> battery-operated mode", what do you mean?[...]

Thanks for your valuable input, it's pretty in line with what I saw in my tests already.

Regarding the battery-mode, customers want to operate the whole device only powered by some rechargeable battery in some use cases and a colleague calculated that power consumption of the AV96 is simply too high for that purpose. The CPU itself, refreshing RAM even with hibernate and stuff like that. Some different discussed board/CPU with far less power consumption only provides 128 MiB of RAM, hence the tests.

Kind regards,
Thorsten Schöning

--
Thorsten Schöning
E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme
http://www.AM-SoFT.de/

Phone: 05151- 9468- 55
Fax: 05151- 9468- 88
Mobile: 0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing director: Andreas Muchow
Experiences with Tomcat in some IoT-project?
Hi all,

TL;DR: Is someone hosting web interfaces, web services etc. in IoT-related projects using Tomcat? If so, under which hardware requirements, especially CPU and RAM and using which frameworks/... for the interface etc.? Did you do so in the past and might have failed terribly, for what reasons?

The background: I'm working on some IoT-project creating some device(s) with currently only very few and vague requirements. Some of those requirements are providing a web interface and web services, but another one is that some variant of the device should be used in some battery-powered context as well. If that should provide a web interface/web services as well and how complex etc. still needs to be discussed.

Additionally, there's some cloud-based software with its own frontend interacting with the predecessor of the newly created device. That whole stack is implemented using Apache Tomcat, Wicket and Axis 2 and because we are a pretty small company and stuff I would like to reuse as much of that stack as possible and somewhat reasonable.

What we currently test is some Avenger96-Board with 1 GiB of RAM running some Yocto-Linux, but it already seems that this doesn't fit to a battery-powered mode. So some far less powerful hardware with e.g. only 128 MiB of RAM gets considered as well.

https://www.96boards.org/product/avenger96/

The AV96 with 1 GiB of RAM runs my tested server-software pretty fine, but fails with 128 MiB. With some easy steps the image could be changed to make ~60 MiB of RAM free for my usage, but that simply wasn't enough to start my web-app at all. Tomcat itself ran fine even with only 15 MiB of RAM free, though, unless used with my app. :-)

What I would like to get a feeling for is if that approach is even worth following or not. So thanks for everything you share!

Kind regards,
Thorsten Schöning
Re: Character encoding problems using jsp:include with jsp:param in Tomcat 8.5 only.
Hello Christopher Schultz, on Monday, 26 November 2018 at 16:07 you wrote:

> web.xml
> - ---
>
> UTF-8
>

Tested that with Tomcat 9 and this setting fixed my problem the same as using SetCharacterEncodingFilter. It doesn't work in Tomcat 8.5, I guess because that simply doesn't implement Servlet 4.0?

Because I still need to support Tomcat 7 and 8.0 for some time, I'll keep SetCharacterEncodingFilter for now and just document the better solution. Thanks!

P.S.: I've sent you a private mail some days ago, unrelated to Tomcat. Did you get that? Just want to make sure that I'm not spam filtered.

Kind regards,
Thorsten Schöning
Character encoding problems using jsp:include with jsp:param in Tomcat 8.5 only.
Hi all,

I'm currently testing migration of a legacy web app from Tomcat 7 to 8 to 8.5 and ran into problems regarding character encoding in 8.5 only. That app uses JSP pages and declares all of those to be stored in UTF-8, does really do so :-), and declares a HTTP-Content type of "text/html; charset=UTF-8" as well. Textual content at HTML-level is properly encoded using UTF-8 and looks properly in the browser etc.

In Tomcat 8.5 the following is introducing encoding problems, though:

>
>   value="Benutzer wählen"
> />
>

"search.jsp" simply outputs the value of the param as the "title" attribute of some HTML-link and the character "ä" is replaced somewhere with the Unicode character REPLACEMENT CHARACTER 0xFFFD. But really only in Tomcat 8.5, not in 8 and not in 7.

I can fix that problem using either "SetCharacterEncodingFilter" or the following line, which simply results in the same I guess:

> <% request.setCharacterEncoding("UTF-8"); %>

Looking at the generated Java code for the JSP I get the following:

> org.apache.jasper.runtime.JspRuntimeLibrary.include(request, response,
>   "/WEB-INF/jsp/includes/search.jsp" + "?" +
>   org.apache.jasper.runtime.JspRuntimeLibrary.URLEncode("chooseSearchInputTitle",
>   request.getCharacterEncoding())+ "=" +
>   org.apache.jasper.runtime.JspRuntimeLibrary.URLEncode("Benutzer wählen",
>   request.getCharacterEncoding()), out, false);

The "ä" is properly encoded using UTF-8 in all versions of Tomcat and the generated code seems to be the same in all versions as well, especially regarding "request.getCharacterEncoding()".

"getCharacterEncoding" in Tomcat 8.8 has changed, the former implementation didn't take the context into account:

> @Override
> public String getCharacterEncoding() {
>     String characterEncoding = coyoteRequest.getCharacterEncoding();
>     if (characterEncoding != null) {
>         return characterEncoding;
>     }
>
>     Context context = getContext();
>     if (context != null) {
>         return context.getRequestCharacterEncoding();
>     }
>
>     return null;
> }

My connector in server.xml is configured to use "URIEncoding" as UTF-8 in all versions of Tomcat, but that doesn't make a difference to 8.5. So I understand that using "setCharacterEncoding", I set the value actually used in the generated Java now, even though the following is documented for character encoding filter:

> Note that the encoding for GET requests is not set here, but on a Connector

https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#Set_Character_Encoding_Filter/Introduction

Now I'm wondering about multiple things...

1. Doesn't "getCharacterEncoding" provide the encoding of the HTTP-body? My JSP is called using GET and the Java quoted above seems to build a query string as well. So why does it depend on some body encoding instead of e.g. URIEncoding of the connector?

2. Is my former approach wrong or did changes in Tomcat 8.5 introduce some regression? There is some conversion somewhere which was not present in the past.

3. What is the correct fix I need now? The character encoding filter, even though it only applies to bodies per documentation?

Thanks!

Kind regards,
Thorsten Schöning
Re: What is the correct place to specify SPI service files for Java?
Hello Mark Thomas, on Wednesday, 1 August 2018 at 21:12 you wrote:

> Service files are loaded by class loaders from the META-INF/services
> directory.
> *.jar!/META-INF/services
> and
> *.war/WEB-INF/classes/META-INF/services
> are visible to class loaders
> *.war!/META-INF/services
> is not.

I just came across another issue with using service files in my environment: "Something" works in Ubuntu 16.04 with Tomcat 7 and Java 8, while it doesn't in Windows 10 with the same version of Tomcat and Java. The important thing to note is that I'm using Axis 2 in this scenario and the service file is part of a service I'm hosting within Axis 2. This results in the following directory in both environments:

> [...]\webapps\axis2\WEB-INF\services\de.am_soft.sm_mtg.backend\META-INF\services\SOME_FILE

Using Process Monitor I can see that only the following directories are queried on Windows:

> [...]\webapps\axis2\WEB-INF\classes\META-INF\services\SOME_FILE
> [...]\lib\META-INF\services\SOME_FILE

Querying the above two dirs looks like what you have written before and that explains why it fails on Windows. But it doesn't on Ubuntu, while it does fail if I remove the "services"-dir where it is currently. So querying this dir seems non-standard.

But who is querying it most likely, Tomcat or Axis 2? I came across different classloaders in Axis 2 for different OS in the past already, so I guess it has to do with Axis 2. What do you think?

I'm using ServiceLoader the following way:

> ClassLoader cl = MdRecOmsEnc.class.getClassLoader();
> ServiceLoader sl = ServiceLoader.load(MdRecOmsEnc.class, cl);
> Iterator it = sl.iterator();

Providing the classloader is needed for other issues in very specific environments, but in my opinion shouldn't be the root cause, as that is provided with Ubuntu as well.

Kind regards,
Thorsten Schöning
Re: What is the correct place to specify SPI service files for Java?
Hello Mark Thomas, on Wednesday, 1 August 2018 at 21:12 you wrote:

> The servlet expert group recently discussed WAR vs JAR[...]

Thanks for the explanation, makes things more clear to me. I've added your answer to the SO-question, because it provides the missing background I wanted to read about, but if you want the credits, feel free to add it yourself and I will delete mine.

Kind regards,
Thorsten Schöning
Re: What is the correct place to specify SPI service files for Java?
Hello Mark Thomas, on Wednesday, 1 August 2018 at 17:34 you wrote:

> Nor should it. foo.war!/META-INF/services is not a valid location for an
> SPI file.
[...]
> The correct locations are:
> foo.war!/WEB-INF/lib/*.jar!/META-INF/services

So your argument is that a WAR is not a JAR and only JARs can contain META-INF/services? Is there a reason for such decision, is it something Java demands?

Regarding the SO-question, JBoss seems to work differently:

> What I do find odd however is that JBoss does seem to work with my
> setup and can discover services inside the Services folder even if
> you don't have them wrapped in a Jar file...

https://stackoverflow.com/questions/7692497/tomcat-wont-load-my-meta-inf-services-javax-servlet-servletcontainerinitializ#comment9883761_8057393

Which makes sense to me, reusing META-INF of the WAR is the first thing one most likely considers. The docs for ServiceLoader seem to at least not forbid this as well:

> Service providers can be installed in an implementation of the Java
> platform in the form of extensions, that is, jar files placed into
> any of the usual extension directories. Providers can also be made
> available by adding them to the application's class path or by some
> other platform-specific means.

https://docs.oracle.com/javase/7/docs/api/java/util/ServiceLoader.html

So, Tomcat prefers Jars because only those are explicitly mentioned or what is the reason?

Kind regards,
Thorsten Schöning
Re: What is the correct place to specify SPI service files for Java?
Hello Mark Thomas, on Tuesday, 31 July 2018 at 19:30 you wrote:

> Correct.[...]

But as could have been read in the following paragraph of my mail and the SO-link, it doesn't work that way at least in Tomcat 7.0.90 even without absolute ordering in web.xml.

> Enumeration resources;
> if (loader == null) {
>     resources = ClassLoader.getSystemResources(configFile);
> } else {
>     resources = loader.getResources(configFile);
> }

https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/startup/WebappServiceLoader.java#L132

That code is NOT using "META-INF/services" at the top level of the web project, but "WEB-INF/classes/META-INF/services" instead. That can be clearly seen e.g. using Process Monitor.

So is this a bug or needs some configuration or has changed in newer versions of Tomcat or whatever?

Kind regards,
Thorsten Schöning
What is the correct place to specify SPI service files for Java?
Hi all,

I would like to get some attention on some older SO-question[1] about where to place SPI-service files of Java. Following the docs, those should be placed in META-INF at the top level of some JAR and webapps designed to be used with Tomcat provide such a folder. But it seems to be ignored during search for SPI-service files, instead those seem to be assumed in WEB-INF/classes/META-INF/services. This can easily be seen e.g. using Process Monitor in Windows.

As the SO-question lacks some official Tomcat-documentation or such, I am asking here: What is the correct place for such service files? Can this be configured somehow? Why is META-INF at the top level ignored? Is it used at all for anything or only WEB-INF/classes/META-INF for anything which is normally assumed to be in META-INF itself?

Thanks!

[1]: https://stackoverflow.com/questions/7692497/tomcat-wont-load-my-meta-inf-services-javax-servlet-servletcontainerinitializ

Kind regards,
Thorsten Schöning
How to make Tomcat 7.0.52 and newer ones compatible regarding filter HttpHeaderSecurity?
Hi all,

in production I'm still running Ubuntu 14.04 LTS Server which provides Tomcat 7.0.52, which doesn't contain the filter for HttpHeaderSecurity yet[1]. Some of my customers on the other hand use Windows and run newer versions of Tomcat which already support that filter. To not force customers to change global Tomcat settings and to document that my app is compatible, I would like to add HttpHeaderSecurity to the web.xml of my own app with the correct settings. That breaks in my own Ubuntus of course.

So, is there some way to get old and new Tomcats together if my app's web.xml uses that filter?

First thing I tried was simply providing the implementation in the classpath of my own app, which didn't work. Should that work in theory and I most likely did something wrong or are those filters only expected to be in the classpath of Tomcat itself? I'm using "UrlRewriteFilter"[2] bundled with my app, configured in my web.xml and that works.

Else, is there some condition for filters to only apply those depending on e.g. the version of Tomcat or such? The only similar question I found was pretty old and maybe things have changed since then.

https://mail-archives.apache.org/mod_mbox/tomcat-users/200808.mbox/<4893749f.3070...@ice-sa.com>

Thanks for your input!

[1]: https://stackoverflow.com/a/35795122/2055163
[2]: http://tuckey.org/urlrewrite/

Kind regards,
Thorsten Schöning