Luis:

Thanks for your input. I put the following into conf/logging.properties and added debug="99" in the Realm definition so I can see more Realm logging information:

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true

After the first login attempt in the application TOPS login screen, the URL was redirected to https://eagnmnmed1f45:9443/TOPS-WEB/j_security_check with an invalid UID/PW message. Then I entered topsadmin/@88Topstopstops as id/pd and clicked the Login button again, and I got the following message in the catalina.out:

15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /TOPS-WEB/j_security_check
15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Entire Application]' against POST /j_security_check --> true
15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Secure area's for TOPS_ADMIN user]' against POST /j_security_check --> false
15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[SecuredResource]' against POST /j_security_check --> false
15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Entire Application]' against POST /j_security_check --> true
15-Apr-2019 17:08:17.690 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Secure area's for TOPS_ADMIN user]' against POST /j_security_check --> false
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[SecuredResource]' against POST /j_security_check --> false
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Authenticating username 'topsadmin'
15-Apr-2019 17:08:17.691 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [topsadmin] with realm [org.apache.catalina.realm.JNDIRealm]
15-Apr-2019 17:08:17.694 INFO [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication. Retrying...
javax.naming.CommunicationException: Connection reset [Root exception is java.net.SocketException: Connection reset]; remaining name 'DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1675)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1510)
    at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1458)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1403)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1285)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:188)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:153)
    at org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate(FormAuthenticator.java:264)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:572)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:210)
    at java.net.SocketInputStream.read(SocketInputStream.java:141)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
    at sun.security.ssl.InputRecord.read(InputRecord.java:503)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:933)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:345)
    at com.sun.jndi.ldap.Connection.run(Connection.java:877)
    ... 1 more
15-Apr-2019 17:08:17.727 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user [topsadmin] with realm [org.apache.catalina.realm.JNDIRealm]
15-Apr-2019 17:08:17.727 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Authentication of 'topsadmin' was successful
15-Apr-2019 17:08:17.728 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Redirecting to original '/TOPS-WEB/'
15-Apr-2019 17:08:17.728 FINE [https-jsse-nio-9443-exec-7] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /TOPS-WEB/
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Entire Application]' against GET /index.jsp --> true
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Secure area's for TOPS_ADMIN user]' against GET /index.jsp --> false
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[SecuredResource]' against GET /index.jsp --> true
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
15-Apr-2019 17:08:17.765 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Restore request from session '9F9F67A0434576D7C0FD0BB63C15F567'
15-Apr-2019 17:08:17.766 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'topsadmin' with type 'FORM'
15-Apr-2019 17:08:17.766 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [9F9F67A0434576D7C0FD0BB63C15F567] to [811799F279932B4B67D44931980994A7]
15-Apr-2019 17:08:17.766 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.FormAuthenticator.doAuthenticate Proceed to restored request
15-Apr-2019 17:08:17.766 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[topsadmin(NAT_TOPS_ADMIN,)]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_INQUIRY]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_INQUIRY
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_ADMIN]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_ADMIN
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_SFO]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_SFO
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_MODELING]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_MODELING
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INQUIRY]
15-Apr-2019 17:08:17.767 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INQUIRY
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_EDITOR]
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_EDITOR
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_JFK]
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_JFK
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_JECEWR]
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_JECEWR
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_ORD]
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_ORD
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTERNATIONAL]
15-Apr-2019 17:08:17.768 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTERNATIONAL
15-Apr-2019 17:08:17.769 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_LAX]
15-Apr-2019 17:08:17.769 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_LAX
15-Apr-2019 17:08:17.769 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasRole Username [topsadmin] does NOT have role [TOPS_INTL_FIELD_USER_MIA]
15-Apr-2019 17:08:17.769 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: TOPS_INTL_FIELD_USER_MIA
15-Apr-2019 17:08:17.769 FINE [https-jsse-nio-9443-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test

The error message on the screen looks like below:

HTTP Status 403 – Forbidden
Type Status Report
Message Access to the requested resource has been denied
Description The server understood the request but refuses to authorize it.
USPS_restricted

Any idea what that is about?

Again the Realm definition is:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldaps://eagandcs-dev-sha2.usps.gov:636"
       connectionName="wasd...@devsub.dev.dce.usps.gov"
       connectionPassword="F0rkedup"
       authentication="simple"
       referrals="ignore"
       userSearch="(sAMAccountName={0})"
       userBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
       userSubtree="true"
       roleSearch="(member={0})"
       roleName="cn"
       roleSubtree="true"
       roleBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
       adCompat="true" />

Thanks
Gary

-----Original Message-----
From: Luis Rodríguez Fernández [mailto:uo67...@gmail.com]
Sent: Monday, April 15, 2019 3:47 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: [EXTERNAL] Re: Tomcat(9.0.13) Error in DEV Server

Hello Gary,

I would recommend you to add some debug to your JNDIRealm [1]. For debugging your ldap search filters ldapsearch can be your friend [2] :)

Hope it helps,

Luis

[1] https://stackoverflow.com/questions/12311496/how-to-debug-realm-feature-in-tomcat
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Examples-of-common-ldapsearches.html

On Fri, 12 Apr 2019 at 0:23, Hua, Gary - Saint Louis, MO - Contractor (<gang....@usps.gov.invalid>) wrote:

> All:
>
> Sorry on my previous email I have some graphic contents that can not be displayed. Now I change it to texts so you can see them
>
> *From:* Hua, Gary - Saint Louis, MO - Contractor [mailto:gang....@usps.gov.INVALID <gang....@usps.gov.INVALID>]
> *Sent:* Thursday, April 11, 2019 4:29 PM
> *To:* users@tomcat.apache.org
> *Subject:* [EXTERNAL] Tomcat(9.0.13) Error in DEV Server
>
> Tomcat Experts:
>
> The Tomcat server works fine in my local computer with application “TOPS“ in Eclipse. I deployed the TOPS application to our DEV web server eagnmnmed1f45 under webapps.
>
> After I started the Tomcat server (9.0.13) in DEV server and entered the TOPS home page URL http://eagnmnmed1f45:9080/TOPS-WEB/Welcome.do (It is http://localhost:8080/TOPS-WEB/Welcome.do in my local computer) in the browser, it was re-directed to https://eagnmnmed1f45:9443/TOPS-WEB/Welcome.do. and following error:
>
> *The website cannot display the page*
>
> HTTP 500
>
> *Most likely causes:*
>
> - The website is under maintenance.
> - The website has a programming error.
>
> *What you can try:*
>
> Refresh the page.
>
> Go back to the previous page.
>
> More information
>
> atadmin@eagnmnmed1f45:/opt/TomCat/apache-tomcat-9.0.13/logs>tail -f catalina.out
>
> 5307 [main] WARN org.hibernate.cache.EhCacheProvider - Could not find configuration [LegDistanceImpl]; using defaults.
> 5764 [main] INFO org.hibernate.impl.SessionFactoryObjectFactory - Not binding factory to JNDI, no JNDI name configured
> 0 [main] INFO filter.ResponseOverrideFilter - Filter initialized. Response buffering is enabled
> 1648 [main] INFO tiles.TilesPlugin - Tiles definition factory loaded for module ''.
> 1652 [main] INFO validator.ValidatorPlugIn - Loading validation rules file from '/WEB-INF/validator-rules.xml'
> 1652 [main] INFO validator.ValidatorPlugIn - Loading validation rules file from '/WEB-INF/validation.xml'
> 1738 [main] INFO tiles.TilesPlugin - Factory already exists for module ''. The factory found is from module ''. No new creation.
> 05-Apr-2019 11:18:01.913 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-9080"]
> 05-Apr-2019 11:18:01.928 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-9443"]
> 05-Apr-2019 11:18:01.932 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 12256 ms
> 53654 [https-jsse-nio-9443-exec-5] INFO tiles.TilesRequestProcessor - Tiles definition factory found for request processor ''.
> Error connecting to LDAP server.
> java.lang.NullPointerException
>     at com.usps.nom.tops.web.struts.action.WelcomeAction.getInfo(WelcomeAction.java:120)
>     at com.usps.nom.tops.web.struts.action.WelcomeAction.welcome(WelcomeAction.java:61)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at com.usps.ibm.core.servlet.struts.AbstractDispatchAction.dispatchMethod(AbstractDispatchAction.java:136)
>     at com.usps.ibm.core.servlet.struts.AbstractDispatchAction.execute(AbstractDispatchAction.java:84)
>     at com.usps.nom.tops.web.struts.action.AbstractTOPSDispatchAction.execute(AbstractTOPSDispatchAction.java:258)
>     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
>     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
>     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
>     at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at com.usps.nom.tops.web.TOPSDebugFilter.doFilter(TOPSDebugFilter.java:49)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
>     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
>     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
>     at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:607)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
>     at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:791)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)
>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:748)
>
> If I only entered “http://eagnmnmed1f45:9080/TOPS-WEB/”, the login screen showed up.
>
> After I entered topsadmin/@88Topstopstops as id/pd and clicked Login button on the login screen, I got the following error:
>
> *Error*
>
> Error Message: You've entered an invalid Logon ID or Password. Please check that your Logon ID and Password are correct and try again.
>
> I know the topsadmin/@88Topstopstops is the correct id/pd.
>
> Any idea what happens here? Any input is appreciated.
Following is > the contents of server.xml and LDAP_realm.xml > > > > > > atadmin@eagnmnmed1f45:/opt/TomCat/tomcat/conf>more server.xml > > <?xml version='1.0' encoding='utf-8'?> > > <!DOCTYPE server-xml [ > > <!ENTITY LDAP_realm SYSTEM "LDAP_realm.xml"> > > ]> > > <!-- > > Licensed to the Apache Software Foundation (ASF) under one or more > > contributor license agreements. See the NOTICE file distributed > with > > this work for additional information regarding copyright ownership. > > The ASF licenses this file to You under the Apache License, Version > 2.0 > > (the "License"); you may not use this file except in compliance with > > the License. You may obtain a copy of the License at > > > > http://www.apache.org/licenses/LICENSE-2.0 > > > > Unless required by applicable law or agreed to in writing, software > > distributed under the License is distributed on an "AS IS" BASIS, > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > > See the License for the specific language governing permissions and > > limitations under the License. > > --> > > <!-- Note: A "Server" is not itself a "Container", so you may not > > define subcomponents such as "Valves" at this level. > > Documentation at /docs/config/server.html > > --> > > <Server port="-1" shutdown="j55Rn3Q5wUrs9CtFlbXz"> > > <Listener className="org.apache.catalina.startup.VersionLoggerListener" > /> > > > > <!-- Security listener. Documentation at /docs/config/listeners.html > --> > > <Listener className="org.apache.catalina.security.SecurityListener" > checkedOsUsers="root" minimumUmask="0007"/> > > > > <!--APR library loader. 
Documentation at /docs/apr.html --> > > <Listener className="org.apache.catalina.core.AprLifecycleListener" > SSLEngine="on" /> > > <!-- Prevent memory leaks due to use of particular java/javax > APIs--> > > <Listener > className="org.apache.catalina.core.JreMemoryLeakPreventionListener" > /> > > <Listener > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener > " /> > > <Listener > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" > /> > > > > <!-- Global JNDI resources Documentation at > /docs/jndi-resources-howto.html --> > > <GlobalNamingResources> > > <!-- Editable user database that can also be used by > UserDatabaseRealm to authenticate users --> > > <!-- *** Not needed, because we use JNDI Realm *** --> > > <!-- <Resource name="UserDatabase" auth="Container" > > type="org.apache.catalina.UserDatabase" > > description="User database that can be updated and saved" > > factory="org.apache.catalina.users.MemoryUserDatabaseFactory" > > pathname="tomcat-users.xml" /> > > --> > > </GlobalNamingResources> > > > > <!-- A "Service" is a collection of one or more "Connectors" that > share > > a single "Container" Note: A "Service" is not itself a > "Container", > > so you may not define subcomponents such as "Valves" at this level. > > Documentation at /docs/config/service.html > > --> > > <Service name="Catalina"> > > > > <!--The connectors can use a shared executor, you can define one > or more named thread pools--> > > <!-- <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" > maxThreads="150" minSpareThreads="4"/> --> > > > > <!-- A "Connector" represents an endpoint by which requests are > received > > and responses are returned. 
Documentation at : > > Java HTTP Connector: /docs/config/http.html (blocking & > non-blocking) > > Java AJP Connector: /docs/config/ajp.html > > APR (HTTP/AJP) Connector: /docs/apr.html > > Define a non-SSL/TLS HTTP/1.1 Connector on port 9080 > > --> > > <Connector port="9080" > > protocol="HTTP/1.1" > > connectionTimeout="20000" > > redirectPort="9443" > > maxHttpHeaderSize="8192" > > allowTrace="false" > > xpoweredBy="false" > > enableLookups="false" /> > > <!-- A "Connector" using the shared thread pool--> > > <!-- > > <Connector executor="tomcatThreadPool" > > port="9080" protocol="HTTP/1.1" > > connectionTimeout="20000" > > redirectPort="9443" > > allowTrace="false" > > xpoweredBy="false" > > server="USPS" > > enableLookups="false" /> > > --> > > <!-- Define a SSL/TLS HTTP/1.1 Connector on port 9443 > > This connector uses the NIO implementation that requires the > JSSE > > style configuration. When using the APR/native > implementation, the > > OpenSSL style configuration is required as described in the > APR/native > > documentation --> > > <Connector port="9443" > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > connectionTimeout="60000" > > maxThreads="150" > > SSLEnabled="true" > > scheme="https" > > secure="true" > > keystoreFile="/opt/TomCat/tomcat/conf/ssl/tc_keystore.jks" > > keystorePass="4bidden!" 
> >                clientAuth="want"
> >                ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> >                         TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> >                         TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >                         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >                         TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> >                         TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
> >                         TLS_RSA_WITH_AES_256_CBC_SHA256,
> >                         TLS_RSA_WITH_AES_256_GCM_SHA384"
> >                maxHttpHeaderSize="8192"
> >                allowTrace="false"
> >                xpoweredBy="false"
> >                server="USPS"
> >                enableLookups="false" />
> >
> >     <!-- Define an AJP 1.3 Connector on port 8009 -->
> >     <!--
> >     <Connector port="8009" protocol="AJP/1.3"
> >                connectionTimeout="20000"
> >                protocol="AJP/1.3"
> >                redirectPort="9443"
> >                allowTrace="false"
> >                xpoweredBy="false"
> >                enableLookups="false" />
> >     -->
> >
> >     <!-- An Engine represents the entry point (within Catalina) that processes
> >          every request. The Engine implementation for Tomcat stand alone
> >          analyzes the HTTP headers included with the request, and passes them
> >          on to the appropriate Host (virtual host).
> >          Documentation at /docs/config/engine.html -->
> >
> >     <!-- You should set jvmRoute to support load-balancing via AJP ie :
> >     <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
> >     -->
> >     <Engine name="Catalina" defaultHost="localhost">
> >
> >       <!--For clustering, please take a look at documentation at:
> >           /docs/cluster-howto.html (simple how to)
> >           /docs/config/cluster.html (reference documentation) -->
> >       <!--
> >       <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
> >       -->
> >
> >       <!-- Use the LockOutRealm to prevent attempts to guess user passwords
> >            via a brute-force attack -->
> >       <Realm className="org.apache.catalina.realm.LockOutRealm">
> >
> >         <!-- This Realm uses the UserDatabase configured in the global JNDI
> >              resources under the key "UserDatabase". Any edits
> >              that are performed against this UserDatabase are immediately
> >              available for use by the Realm. -->
> >         <!--
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >                resourceName="UserDatabase"/>
> >         -->
> >         &LDAP_realm;
> >       </Realm>
> >
> >       <Host name="localhost"
> >             appBase="webapps"
> >             unpackWARs="true"
> >             deployOnStartup="false"
> >             autoDeploy="false">
> >
> >         <Context path=""
> >                  docBase="/opt/TomCat/tomcat/webapps/ROOT"
> >                  debug="0"
> >                  privileged="true">
> >         </Context>
> >
> >         <Context path="/TOPS-WEB"
> >                  docBase="/opt/TomCat/tomcat/webapps/TOPS-WEB"
> >                  debug="0"
> >                  privileged="true">
> >           <Resource name="jdbc/TOPSDB"
> >                     auth="Container"
> >                     type="javax.sql.DataSource"
> >                     driverClassName="oracle.jdbc.OracleDriver"
> >                     inactiveConnectionTimeout="120"
> >                     maxPoolSize="20"
> >                     minPoolSize="1"
> >                     password="g3td0wn"
> >                     url="jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=on)(FAILOVER=on)(ADDRESS_LIST=(LOAD_BALANCE=ON)(ADDRESS=(PROTOCOL=tcp)(HOST=eagnmnmed4c2)(PORT=1521))(ADDRESS=(PROTOCOL=tcp)(HOST=eagnmnmed4c3)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=dtops.usps.gov)))"
> >                     username="TOPS_ADMIN"
> >                     validateConnectionOnBorrow="true"/>
> >         </Context>
> >
> >         <!-- SingleSignOn valve, share authentication between web applications
> >              Documentation at: /docs/config/valve.html -->
> >         <!--
> >         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
> >         -->
> >
> >         <!-- Access log processes all example.
> >              Documentation at: /docs/config/valve.html
> >              Note: The pattern used is equivalent to using pattern="common" -->
> >         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> >                prefix="localhost_access_log" suffix=".txt"
> >                pattern="%h %l %u %t &quot;%r&quot; %s %b" />
> >
> >       </Host>
> >     </Engine>
> >   </Service>
> > </Server>
> >
> > atadmin@eagnmnmed1f45:/opt/TomCat/tomcat/conf>more LDAP_realm.xml
> > <Realm className="org.apache.catalina.realm.JNDIRealm"
> >        connectionURL="ldaps://eagandcs-dev-sha2.usps.gov:636"
> >        connectionName="wasd...@devsub.dev.dce.usps.gov"
> >        connectionPassword="F0rkedup"
> >        authentication="simple"
> >        referrals="ignore"
> >        userSearch="(sAMAccountName={0})"
> >        userBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
> >        userSubtree="true"
> >        roleSearch="(member={0})"
> >        roleName="cn"
> >        roleSubtree="true"
> >        roleBase="DC=devsub,DC=dev,DC=dce,DC=usps,DC=gov"
> >        adCompat="true"
> > />
> >
> > Thanks
> > Gary

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett