Hello Gary,

I would recommend adding some debug logging to your JNDIRealm [1]. For debugging your LDAP search filters, ldapsearch can be your friend [2] :)
Hope it helps,
Luis

[1] https://stackoverflow.com/questions/12311496/how-to-debug-realm-feature-in-tomcat
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

On Fri, 12 Apr 2019 at 00:23, Hua, Gary - Saint Louis, MO - Contractor (<gang....@usps.gov.invalid>) wrote:
> All:
>
> Sorry, in my previous email I had some graphic content that could not be displayed. Now I have changed it to text so you can see it.
>
> *From:* Hua, Gary - Saint Louis, MO - Contractor [mailto:gang....@usps.gov.INVALID]
> *Sent:* Thursday, April 11, 2019 4:29 PM
> *To:* users@tomcat.apache.org
> *Subject:* [EXTERNAL] Tomcat(9.0.13) Error in DEV Server
>
> Tomcat Experts:
>
> The Tomcat server works fine on my local computer with the application "TOPS" in Eclipse. I deployed the TOPS application to our DEV web server eagnmnmed1f45 under webapps.
>
> After I started the Tomcat server (9.0.13) on the DEV server and entered the TOPS home page URL http://eagnmnmed1f45:9080/TOPS-WEB/Welcome.do (it is http://localhost:8080/TOPS-WEB/Welcome.do on my local computer) in the browser, it was redirected to https://eagnmnmed1f45:9443/TOPS-WEB/Welcome.do with the following error:
>
> *The website cannot display the page*
> HTTP 500
>
> *Most likely causes:*
> - The website is under maintenance.
> - The website has a programming error.
>
> *What you can try:*
> - Refresh the page.
> - Go back to the previous page.
> - More information
>
> atadmin@eagnmnmed1f45:/opt/TomCat/apache-tomcat-9.0.13/logs>tail -f catalina.out
>
> 5307 [main] WARN org.hibernate.cache.EhCacheProvider - Could not find configuration [LegDistanceImpl]; using defaults.
> 5764 [main] INFO org.hibernate.impl.SessionFactoryObjectFactory - Not binding factory to JNDI, no JNDI name configured
> 0 [main] INFO filter.ResponseOverrideFilter - Filter initialized. Response buffering is enabled
> 1648 [main] INFO tiles.TilesPlugin - Tiles definition factory loaded for module ''.
> 1652 [main] INFO validator.ValidatorPlugIn - Loading validation rules file from '/WEB-INF/validator-rules.xml'
> 1652 [main] INFO validator.ValidatorPlugIn - Loading validation rules file from '/WEB-INF/validation.xml'
> 1738 [main] INFO tiles.TilesPlugin - Factory already exists for module ''. The factory found is from module ''. No new creation.
> 05-Apr-2019 11:18:01.913 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-9080"]
> 05-Apr-2019 11:18:01.928 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-9443"]
> 05-Apr-2019 11:18:01.932 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 12256 ms
> 53654 [https-jsse-nio-9443-exec-5] INFO tiles.TilesRequestProcessor - Tiles definition factory found for request processor ''.
> Error connecting to LDAP server.
> java.lang.NullPointerException
>   at com.usps.nom.tops.web.struts.action.WelcomeAction.getInfo(WelcomeAction.java:120)
>   at com.usps.nom.tops.web.struts.action.WelcomeAction.welcome(WelcomeAction.java:61)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at com.usps.ibm.core.servlet.struts.AbstractDispatchAction.dispatchMethod(AbstractDispatchAction.java:136)
>   at com.usps.ibm.core.servlet.struts.AbstractDispatchAction.execute(AbstractDispatchAction.java:84)
>   at com.usps.nom.tops.web.struts.action.AbstractTOPSDispatchAction.execute(AbstractTOPSDispatchAction.java:258)
>   at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
>   at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
>   at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
>   at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>   at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>   at org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>   at com.usps.nom.tops.web.TOPSDebugFilter.doFilter(TOPSDebugFilter.java:49)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>   at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
>   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>   at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
>   at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>   at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
>   at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
>   at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>   at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>   at java.lang.Thread.run(Thread.java:748)
>
> If I only entered "http://eagnmnmed1f45:9080/TOPS-WEB/", the login screen showed up.
>
> After I entered topsadmin/@88Topstopstops as id/pd and clicked the Login button on the login screen, I got the following error:
>
> *Error*
> Error Message: You've entered an invalid Logon ID or Password. Please check that your Logon ID and Password are correct and try again.
>
> I know that topsadmin/@88Topstopstops is the correct id/pd.
>
> Any idea what happens here? Any input is appreciated. Following are the contents of server.xml and LDAP_realm.xml.
>
> atadmin@eagnmnmed1f45:/opt/TomCat/tomcat/conf>more server.xml
> <?xml version='1.0' encoding='utf-8'?>
> <!DOCTYPE server-xml [
> <!ENTITY LDAP_realm SYSTEM "LDAP_realm.xml">
> ]>
> <!--
>   Licensed to the Apache Software Foundation (ASF) under one or more
>   contributor license agreements.  See the NOTICE file distributed with
>   this work for additional information regarding copyright ownership.
>   The ASF licenses this file to You under the Apache License, Version 2.0
>   (the "License"); you may not use this file except in compliance with
>   the License.  You may obtain a copy of the License at
>
>       http://www.apache.org/licenses/LICENSE-2.0
>
>   Unless required by applicable law or agreed to in writing, software
>   distributed under the License is distributed on an "AS IS" BASIS,
>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>   See the License for the specific language governing permissions and
>   limitations under the License.
> -->
> <!-- Note:  A "Server" is not itself a "Container", so you may not
>      define subcomponents such as "Valves" at this level.
>      Documentation at /docs/config/server.html
> -->
> <Server port="-1" shutdown="j55Rn3Q5wUrs9CtFlbXz">
>   <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
>
>   <!-- Security listener. Documentation at /docs/config/listeners.html -->
>   <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root" minimumUmask="0007"/>
>
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
>
>   <!-- Global JNDI resources
>        Documentation at /docs/jndi-resources-howto.html
>   -->
>   <GlobalNamingResources>
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users
>     -->
>     <!-- *** Not needed, because we use JNDI Realm *** -->
>     <!--
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>               description="User database that can be updated and saved"
>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>               pathname="tomcat-users.xml" />
>     -->
>   </GlobalNamingResources>
>
>   <!-- A "Service" is a collection of one or more "Connectors" that share
>        a single "Container" Note:  A "Service" is not itself a "Container",
>        so you may not define subcomponents such as "Valves" at this level.
>        Documentation at /docs/config/service.html
>   -->
>   <Service name="Catalina">
>
>     <!--The connectors can use a shared executor, you can define one or more named thread pools-->
>     <!--
>     <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
>         maxThreads="150" minSpareThreads="4"/>
>     -->
>
>     <!-- A "Connector" represents an endpoint by which requests are received
>          and responses are returned. Documentation at :
>          Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
>          Java AJP  Connector: /docs/config/ajp.html
>          APR (HTTP/AJP) Connector: /docs/apr.html
>          Define a non-SSL/TLS HTTP/1.1 Connector on port 9080
>     -->
>     <Connector port="9080"
>                protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="9443"
>                maxHttpHeaderSize="8192"
>                allowTrace="false"
>                xpoweredBy="false"
>                enableLookups="false" />
>     <!-- A "Connector" using the shared thread pool-->
>     <!--
>     <Connector executor="tomcatThreadPool"
>                port="9080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="9443"
>                allowTrace="false"
>                xpoweredBy="false"
>                server="USPS"
>                enableLookups="false" />
>     -->
>     <!-- Define a SSL/TLS HTTP/1.1 Connector on port 9443
>          This connector uses the NIO implementation that requires the JSSE
>          style configuration. When using the APR/native implementation, the
>          OpenSSL style configuration is required as described in the APR/native
>          documentation -->
>     <Connector port="9443"
>                protocol="org.apache.coyote.http11.Http11NioProtocol"
>                connectionTimeout="60000"
>                maxThreads="150"
>                SSLEnabled="true"
>                scheme="https"
>                secure="true"
>                keystoreFile="/opt/TomCat/tomcat/conf/ssl/tc_keystore.jks"
>                keystorePass="4bidden!"
>                clientAuth="want"
>                ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
>                         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
>                         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
>                         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
>                         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
>                         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
>                         TLS_RSA_WITH_AES_256_CBC_SHA256,
>                         TLS_RSA_WITH_AES_256_GCM_SHA384"
>                maxHttpHeaderSize="8192"
>                allowTrace="false"
>                xpoweredBy="false"
>                server="USPS"
>                enableLookups="false" />
>
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <!--
>     <Connector port="8009" protocol="AJP/1.3"
>                connectionTimeout="20000"
>                protocol="AJP/1.3"
>                redirectPort="9443"
>                allowTrace="false"
>                xpoweredBy="false"
>                enableLookups="false" />
>     -->
>
>     <!-- An Engine represents the entry point (within Catalina) that processes
>          every request.  The Engine implementation for Tomcat stand alone
>          analyzes the HTTP headers included with the request, and passes them
>          on to the appropriate Host (virtual host).
>          Documentation at /docs/config/engine.html -->
>
>     <!-- You should set jvmRoute to support load-balancing via AJP ie :
>     <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
>     -->
>     <Engine name="Catalina" defaultHost="localhost">
>
>       <!--For clustering, please take a look at documentation at:
>           /docs/cluster-howto.html  (simple how to)
>           /docs/config/cluster.html (reference documentation) -->
>       <!--
>       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
>       -->
>
>       <!-- Use the LockOutRealm to prevent attempts to guess user passwords
>            via a brute-force attack -->
>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>
>         <!-- This Realm uses the UserDatabase configured in the global JNDI
>              resources under the key "UserDatabase".  Any edits
>              that are performed against this UserDatabase are immediately
>              available for use by the Realm.  -->
>         <!--
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/>
>         -->
>         &LDAP_realm;
>       </Realm>
>
>       <Host name="localhost"
>             appBase="webapps"
>             unpackWARs="true"
>             deployOnStartup="false"
>             autoDeploy="false">
>
>         <Context path=""
>                  docBase="/opt/TomCat/tomcat/webapps/ROOT"
>                  debug="0"
>                  privileged="true">
>         </Context>
>
>         <Context path="/TOPS-WEB"
>                  docBase="/opt/TomCat/tomcat/webapps/TOPS-WEB"
>                  debug="0"
>                  privileged="true">
>           <Resource name="jdbc/TOPSDB"
>                     auth="Container"
>                     type="javax.sql.DataSource"
>                     driverClassName="oracle.jdbc.OracleDriver"
>                     inactiveConnectionTimeout="120"
>                     maxPoolSize="20"
>                     minPoolSize="1"
>                     password="g3td0wn"
>                     url="jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(LOAD_BALANCE=ON)(ADDRESS=(PROTOCOL=tcp)(HOST=eagnmnmed4c2)(PORT=1521))(ADDRESS=(PROTOCOL=tcp)(HOST=eagnmnmed4c3)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=dtops.usps.gov)))"
>                     username="TOPS_ADMIN"
>                     validateConnectionOnBorrow="true"/>
>         </Context>
>
>         <!-- SingleSignOn valve, share authentication between web applications
>              Documentation at: /docs/config/valve.html -->
>         <!--
>         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>         -->
>
>         <!-- Access log processes all example.
>              Documentation at: /docs/config/valve.html
>              Note: The pattern used is equivalent to using pattern="common" -->
>         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>                prefix="localhost_access_log" suffix=".txt"
>                pattern="%h %l %u %t &quot;%r&quot; %s %b" />
>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> atadmin@eagnmnmed1f45:/opt/TomCat/tomcat/conf>more LDAP_realm.xml
> <Realm className="org.apache.catalina.realm.JNDIRealm"
>        connectionURL="ldaps://eagandcs-dev-sha2.usps.gov:636"
>        connectionName="wasd...@devsub.dev.dce.usps.gov"
>        connectionPassword="F0rkedup"
>        authentication="simple"
>        referrals="ignore"
>        userSearch="(sAMAccountName={0})"
>        userBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
>        userSubtree="true"
>        roleSearch="(member={0})"
>        roleName="cn"
>        roleSubtree="true"
>        roleBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
>        adCompat="true"
> />
>
> Thanks
> Gary

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
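The ldapsearch advice above can be turned into a repeatable check of the quoted LDAP_realm.xml. A JNDIRealm configured like Gary's does three things per login: it binds as connectionName and runs userSearch under userBase to find the user's DN, it binds as that DN with the password the user typed (that bind failing is what produces an "invalid Logon ID or Password" result), and it runs roleSearch under roleBase with the user's DN substituted for {0}. The script below is an added example written for this thread, not code from Tomcat or from either poster: it substitutes values into the realm's filters with the RFC 4515 escaping a realm must apply to user input, parses the LDIF that ldapsearch prints to recover the user DN, and emits one OpenLDAP ldapsearch command per step. The host, bind account, bases and filters are copied from the quoted LDAP_realm.xml; the user DNs and the LDIF text are constructed sample data, and the escaped comma in the sample DN is there on purpose because a DN like that breaks a naive roleSearch substitution.

```python
"""Reproduce a JNDIRealm's search steps as ldapsearch commands.

Added example for this thread (not Tomcat code). Realm values come from the
quoted LDAP_realm.xml; DNs and LDIF below are constructed sample data.
"""
from __future__ import annotations

import shlex

# Copied from the LDAP_realm.xml quoted in the thread.
REALM = {
    "connectionURL": "ldaps://eagandcs-dev-sha2.usps.gov:636",
    "connectionName": "wasd...@devsub.dev.dce.usps.gov",
    "userBase": "DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov",
    "userSearch": "(sAMAccountName={0})",
    "roleBase": "DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov",
    "roleSearch": "(member={0})",
    "roleName": "cn",
}

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value, otherwise a login name such as "*)(objectClass=*" rewrites the filter
# instead of being matched as a literal string.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is substituted into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} as the realm does, but only with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def parse_ldif_dn(ldif: str) -> list[str]:
    """Return the dn of every entry in ldapsearch's LDIF output.

    Handles LDIF line folding: a continuation line starts with one space.
    """
    unfolded: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return [line[4:] for line in unfolded if line.startswith("dn: ")]


def ldapsearch_cmd(bind_dn: str, base: str, ldap_filter: str, *attrs: str,
                   scope: str = "sub") -> str:
    """Build an OpenLDAP ldapsearch command line for one realm step.

    -W prompts for the bind password so it never lands in shell history or ps.
    """
    argv = ["ldapsearch", "-x", "-LLL", "-H", REALM["connectionURL"],
            "-D", bind_dn, "-W", "-b", base, "-s", scope, ldap_filter, *attrs]
    return shlex.join(argv)


def realm_steps(username: str, user_dn: str) -> dict[str, str]:
    """The three checks a JNDIRealm performs, as commands to run by hand.

    user_search: find the user under userBase with the service account.
    user_bind:   bind as the user's own DN, which is what the password test is.
    role_search: find the groups listing that DN as a member under roleBase.
    """
    return {
        "user_search": ldapsearch_cmd(
            REALM["connectionName"], REALM["userBase"],
            render_filter(REALM["userSearch"], username), "dn", "sAMAccountName"),
        "user_bind": ldapsearch_cmd(
            user_dn, user_dn, "(objectClass=*)", "dn", scope="base"),
        "role_search": ldapsearch_cmd(
            REALM["connectionName"], REALM["roleBase"],
            render_filter(REALM["roleSearch"], user_dn), REALM["roleName"]),
    }


if __name__ == "__main__":
    # Constructed LDIF, as ldapsearch would print it for the user search: the
    # DN is folded over two lines and carries an escaped comma.
    SAMPLE_LDIF = (
        "dn: CN=Hua\\, Gary,OU=Contractors,DC=devsub,DC=dev,DC=dce,\n"
        " DC=usps,DC=gov\n"
        "sAMAccountName: topsadmin\n"
    )
    user_dn = parse_ldif_dn(SAMPLE_LDIF)[0]
    for step, cmd in realm_steps("topsadmin", user_dn).items():
        print(f"# {step}\n{cmd}\n")
    # What the filter looks like when the login name is hostile input:
    print(render_filter(REALM["userSearch"], "*)(objectClass=*"))
```

Run the printed commands on the Tomcat host itself so they use the same network path as the realm. ldapsearch validates the ldaps certificate against the OpenLDAP client's CA bundle (TLS_CACERT in ldap.conf), while the JVM validates it against its own truststore, so a server reachable from ldapsearch can still fail from Tomcat if the CA is only in one of the two. Note also that the "Error connecting to LDAP server." line in the quoted catalina.out is followed by a NullPointerException whose top frame is com.usps.nom.tops.web.struts.action.WelcomeAction.getInfo, i.e. the application's own LDAP lookup, which is separate from the realm; the commands above exercise the realm's configuration, and the application's connection settings need their own check.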