[Bug 64503] New: ClassNotFoundException: org.apache.naming.java.javaURLContextFactory using java.util.Collection.parallelStream()

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64503

Bug ID: 64503
   Summary: ClassNotFoundException:
org.apache.naming.java.javaURLContextFactory using
java.util.Collection.parallelStream()
   Product: Tomcat 9
   Version: 9.0.35
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Servlet
  Assignee: dev@tomcat.apache.org
  Reporter: mse...@guh-software.de
  Target Milestone: -

Created attachment 37293
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37293&action=edit
context.xml (to reproduce the problem)

Steps to reproduce:

- Use the attached context.xml
- Add the attached SimpleContextListener class into a war
- Start tomcat with the war

The following exception occurs:

java.lang.RuntimeException: java.lang.RuntimeException: Error on lookup
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at
java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at
java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
at
java.base/java.util.concurrent.ForkJoinTask.getThrowableException(ForkJoinTask.java:600)
at
java.base/java.util.concurrent.ForkJoinTask.reportException(ForkJoinTask.java:678)
at
java.base/java.util.concurrent.ForkJoinTask.invoke(ForkJoinTask.java:737)
at
java.base/java.util.stream.ReduceOps$ReduceOp.evaluateParallel(ReduceOps.java:919)
at
java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:233)
at
java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
at
SimpleContextListener.contextInitialized(SimpleContextListener.java:26)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4686)
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5147)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at
org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:841)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
at
org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at
org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
at
java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:140)
at
org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
at
org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at
org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Caused by: java.lang.RuntimeException: Error on lookup
at SimpleContextListener.lambda$0(SimpleContextListener.java:24)
at
java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
at
java.base/java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
   

[Bug 64503] ClassNotFoundException: org.apache.naming.java.javaURLContextFactory using java.util.Collection.parallelStream()

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64503

--- Comment #1 from Michael Seele  ---
Created attachment 37294
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37294&action=edit
java object (to reproduce the problem)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 64503] ClassNotFoundException: org.apache.naming.java.javaURLContextFactory using java.util.Collection.parallelStream()

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64503

Michael Seele  changed:

   What|Removed |Added

 OS||All

--- Comment #2 from Michael Seele  ---
This happens with Java 11.0.7+10 (AdoptOpenJDK)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] branch master updated: Ignore exception getting content length

[Rémy Maucherat]

On Fri, Jun 5, 2020 at 5:59 PM Mark Thomas  wrote:

> On 05/06/2020 13:21, r...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > remm pushed a commit to branch master
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> >
> > The following commit(s) were added to refs/heads/master by this push:
> >  new e8bcbf1  Ignore exception getting content length
> > e8bcbf1 is described below
> >
> > commit e8bcbf1a017e598498343ebd05f77f07934910bb
> > Author: remm 
> > AuthorDate: Fri Jun 5 14:21:39 2020 +0200
> >
> > Ignore exception getting content length
> >
> > If the value is invalid, there will be another attempt to convert the
> > number with no really easy way out. Ignore the exception which
> already
> > happened in prepareRequest.
>
> Thanks for catching this.
>
> I think it would be useful to cache the fact that the header had been
> parsed (or not found) to save looping through the headers again.
>
> What do you think to switching to Long and using:
> - null -> not yet parsed
> - -1   -> known that no valid value is present
> - >=0  -> the parsed value of the header
>
> The alternative is a boolean flag. Long seems cleaner to me even if it
> is slightly more memory.
>
> Thoughts?
>

If you want to, but it's processed twice only if there's a problem so the
cost is minimal.

Rémy

Support for LetsEncrypt certs, and update process, in Tomcat without restart.

[Merlin Beedell]

I am getting a lot of flack from some senior devs who insist that Tomcat must 
be put behind a Proxy - HA Proxy or Nginx, which will handle the SSL offloading 
etc.
While this seems sensible for multi-server environments, they want it for 
single server too.  But Tomcat can do all the things that are required:

  *   Certificate handling.
  *   TLS level and Cipher restrictions
  *   CORS handling (though this could be simpler!)
But now with the requirement for LetsEncrypt certificates, we find that Tomcat 
has to be restarted every 3 months.  Indeed - any changes to the above require 
tomcat restarts - and that is found to be unacceptable.

So what I really want to understand is if Tomcat has any plans to include the 
ability to restart an https connector WITHOUT needing to restart the whole of 
Tomcat.  Better still, a hook that would help refresh certificates - like 
LetsEncrypt.
https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart

Merlin Beedell

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

[Romain Manni-Bucau]

Hi Merlin,

you can reload the certificates already (think it is in JMX but you can
also do it programmatically through a listener or valve - which is
convenient to handle the let's encrypt public part), you can have a look to
https://github.com/apache/openwebbeans-meecrowave/blob/master/meecrowave-letsencrypt/src/main/java/org/apache/meecrowave/letencrypt/LetsEncryptReloadLifecycle.java#L155
for
an impl.

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le lun. 8 juin 2020 à 16:17, Merlin Beedell  a
écrit :

> I am getting a lot of flack from some senior devs who insist that Tomcat
> must be put behind a Proxy – HA Proxy or Nginx, which will handle the SSL
> offloading etc.
>
> While this seems sensible for multi-server environments, they want it for
> single server too.  But Tomcat can do all the things that are required:
>
>- Certificate handling.
>- TLS level and Cipher restrictions
>- CORS handling (though this could be simpler!)
>
> But now with the requirement for LetsEncrypt certificates, we find that
> Tomcat has to be restarted every 3 months.  Indeed – any changes to the
> above require tomcat restarts – and that is found to be unacceptable.
>
>
>
> So what I really want to understand is if Tomcat has any plans to include
> the ability to restart an https connector WITHOUT needing to restart the
> whole of Tomcat.  Better still, a hook that would help refresh certificates
> – like LetsEncrypt.
>
>
> https://stackoverflow.com/questions/43571572/programmatically-update-certificates-in-tomcat-8-without-server-restart
>
>
>
> Merlin Beedell
>
>
>

Re: Usage of SynchronizedStack/Queue

[Martin Grigorov]

On Fri, Jun 5, 2020 at 6:29 PM Mark Thomas  wrote:

> On 05/06/2020 14:08, Martin Grigorov wrote:
> > For load testing it I use wrk: wrk -c96 -t8 -d60s https://host:port/test
> > The GC JVM arguments are: -Xloggc:./gc.log -XX:+PrintGCDetails
> -verbose:gc
> > JDK 1.8.0 b252
> >
> > The GC logs are:
> > - Tomcat 9.0.x (uses
> > SynchronizedQueue/Stack):
> https://gist.github.com/martin-g/d2570e7a6896e4d094ce548ceea3adb6
> > - Tomcat 9.0.x with my
> > changes:
> https://gist.github.com/martin-g/52c7d3a883b37e9bcd11ad6430800852
> > I've uploaded them to https://gceasy.io/ and the charts are similar.
>
> lock-free has marginally higher throughput.
>
> It has a longer GC pause but that might be a result of running longer
> (~x2 longer).
>
> Average creation rate and average promotion rate are lower.
>
> Given this was with Java 8 I'm +1 to switching Tomcat 10 and also +1 to
> switching Tomcat 9 if we can do it without impacting the API.
>

I've
noticed org.apache.tomcat.util.collections.TesterPerformanceSynchronizedStack
and org.apache.tomcat.util.collections.TesterPerformanceSynchronizedQueue
in test/ folder.
Those give 1.5-3 times better results for SynchronizedQueue/Stack than Java
Collections impls.
I am not so sure my proposal is a good one anymore.


>
> I'm neutral on making the change in Tomcat 8.5 and -0.5 on Tomcat 7.
>
> Mark
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

svn commit: r1878632 - in /tomcat/site/trunk/docs/tomcat-10.0-doc: ./ annotationapi/ annotationapi/jakarta/annotation/ annotationapi/jakarta/annotation/security/ annotationapi/jakarta/annotation/sql/

[markt]

Author: markt
Date: Mon Jun  8 20:13:19 2020
New Revision: 1878632

URL: http://svn.apache.org/viewvc?rev=1878632&view=rev
Log:
Update docs for 10.0.0-M6 release


[This commit notification would consist of 70 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Support for LetsEncrypt certs, and update process, in Tomcat without restart.

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Merlin,

On 6/8/20 10:17, Merlin Beedell wrote:
> I am getting a lot of flack from some senior devs who insist that
> Tomcat must be put behind a Proxy – HA Proxy or Nginx, which will
> handle the SSL offloading etc.
>
> While this seems sensible for multi-server environments, they want
> it for single server too.  But Tomcat can do all the things that
> are required:
>
> * Certificate handling. * TLS level and Cipher restrictions * CORS
> handling (though this could be simpler!)
>
> But now with the requirement for LetsEncrypt certificates, we find
> that Tomcat has to be restarted every 3 months.  Indeed – any
> changes to the above require tomcat restarts – and that is found to
> be unacceptable.

Nonsense.

http://tomcat.apache.org/presentations.html#latest-lets-encrypt

Updating CORS configuration may require a redeployment of your web
application, but it does not require Tomcat to be shut-down.

There are other reasons to use a reverse proxy in front of Tomcat, but
none of the above are good reasons.

> So what I really want to understand is if Tomcat has any plans to
> include the ability to restart an https connector WITHOUT needing
> to restart the whole of Tomcat.  Better still, a hook that would
> help refresh certificates – like LetsEncrypt.
>
> https://stackoverflow.com/questions/43571572/programmatically-update-c
ertificates-in-tomcat-8-without-server-restart

There
>
are no currently-correct answers to that question.

I can fix that.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7em/oACgkQHPApP6U8
pFiuqw//SfBmQ4eMhXUw0WkiQ5Fe9dJIa724h0wv60ghJQK80n9cu7CdcB9om9R4
w4tbhvxkBCc/ENBQP2gfszRwT8Y7EleyDTY09OKaQ1aiqgnWaE4hj2Srmoi/kUFi
LAbgNm/vpHzTS/ozp3+T/vD8GtLHc1UXDnsKY3zzMc8CFgRo10YDyAMJoC8S4SGe
1Ji4NF1uY2aqeY7LPBMDU1IrQTK4EW2SNFV9JSyEjsPBB8yKCzvGdCJRPvJih/mg
ZsTI6w/X2cldSbVvpAUh5hOUglo8+5BqN2W1aOKttwxbds/KbckQg5vOHs4+sCPk
M6ngE0sYggz2JsF/IZQ9PtMDtuZdKxmCWsXwbTw7G5qpjv6RWQW2GtMl52d1qabO
Xna7npVd1kiGOvA/uuNPxI7Z3qOhYiCs78JCG6oaUQejqywgvKO4HyibNlFJD1F+
P3S/SLuxQB7uhC5CuY3wKXckJEbGbL7D04wkCY90N1q5PQO0oy5j/jyS3y6cDmHw
SZNuH3Gvc7WUE8xbJNx5W8fP9m5mpwAJ0lwcCgqN8zqUEqbbE4imrMOrVxjmqPiT
V/jySH8D0ckk+jyQ8gADmId8vGF5KrQCrfTwxjpLhxSuEZ+cB3d7tsOCCI6Xw9o1
ShMM500fXsMgHkrhyqg7gG6Pf7zVutqhgOBkUZUntFkuMEB38Ow=
=O9u2
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1878633 - in /tomcat/site/trunk: ./ docs/ xdocs/

[markt]

Author: markt
Date: Mon Jun  8 20:15:19 2020
New Revision: 1878633

URL: http://svn.apache.org/viewvc?rev=1878633&view=rev
Log:
Update site excluding docs for 10.0.0-M6 release

Modified:
tomcat/site/trunk/build.properties.default
tomcat/site/trunk/docs/download-10.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-10.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/download-10.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-10.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/build.properties.default?rev=1878633&r1=1878632&r2=1878633&view=diff
==
--- tomcat/site/trunk/build.properties.default (original)
+++ tomcat/site/trunk/build.properties.default Mon Jun  8 20:15:19 2020
@@ -39,7 +39,7 @@ tomcat.loc=https://downloads.apache.org/
 tomcat70=7.0.104
 tomcat85=8.5.55
 tomcat90=9.0.35
-tomcat100=10.0.0-M5
+tomcat100=10.0.0-M6
 
 # - Download destination -
 tomcat-site-docs.home=${base.path}/tomcat-site-docs/

Modified: tomcat/site/trunk/docs/download-10.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-10.html?rev=1878633&r1=1878632&r2=1878633&view=diff
==
--- tomcat/site/trunk/docs/download-10.html (original)
+++ tomcat/site/trunk/docs/download-10.html Mon Jun  8 20:15:19 2020
@@ -21,7 +21,7 @@
 
   Quick Navigation
 
-[define v]10.0.0-M5[end]
+[define v]10.0.0-M6[end]
 https://downloads.apache.org/tomcat/tomcat-10/KEYS";>KEYS |
 [v] |
 Browse |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1878633&r1=1878632&r2=1878633&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Mon Jun  8 20:15:19 2020
@@ -28,6 +28,37 @@ wiki page.
 Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
 project logo are trademarks of the Apache Software Foundation.
 
+2020-06-07 Tomcat 10.0.0-M6 Released
+
+The Apache Tomcat Project is proud to announce the release of version 10.0.0-M6
+of Apache Tomcat. This release is a milestone release and is targeted at 
Jakarta
+EE 9.
+Users of Tomcat 10 onwards should be aware that, as a result of the move 
from
+Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse
+Foundation, the primary package for all implemented APIs has changed from
+javax.* to jakarta.*. This will almost certainly
+require code changes to enable applications to migrate from Tomcat 9 and 
earlier
+to Tomcat 10 and later. A
+https://github.com/apache/tomcat-jakartaee-migration";>migration
+tool is under development to aid this process.
+The notable changes in this release are:
+
+Add support for ALPN on recent OpenJDK 8 releases.
+Add support for the CATALINA_OUT_CMD environment variable that defines a
+command to which captured stdout and stderr will be redirected. For use
+with, for example, rotatelogs. Patch provided by Harald Dunkel.
+Be more flexible with respect to the ordering of groups, roles and users in
+the tomcat-users.xml file
+
+
+Full details of these changes, and all the other changes, are available in the
+Tomcat 10
+(alpha) changelog.
+
+
+
+https://tomcat.apache.org/download-10.cgi";>Download
+
 2020-05-16 Tomcat 7.0.104 Released
 
 The Apache Tomcat Project is proud to announce the release of version 7.0.104 
of
@@ -108,36 +139,6 @@ changelog.
 
 https://tomcat.apache.org/download-80.cgi";>Download
 
-2020-05-11 Tomcat 10.0.0-M5 Released
-
-The Apache Tomcat Project is proud to announce the release of version 10.0.0-M5
-of Apache Tomcat. This release is a milestone release and is targeted at 
Jakarta
-EE 9.
-Users of Tomcat 10 onwards should be aware that, as a result of the move 
from
-Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse
-Foundation, the primary package for all implemented APIs has changed from
-javax.* to jakarta.*. This will almost certainly
-require code changes to enable applications to migrate from Tomcat 9 and 
earlier
-to Tomcat 10 and later. A
-https://github.com/apache/tomcat-jakartaee-migration";>migration
-tool is under development to aid this process.
-The notable changes in this release are:
-
-Remove useAprConnector flag from AprLifecycleListener so that the
-only way to use the APR connectors is to set the full class name.
-Change default value separator for property replacement to ":-"
-due to possible conflicts. The syntax is now "${name:-default}".
-Update the packaged version of the Tomcat Native Library to 1.

[ANN] Apache Tomcat 10.0.0-M6 available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.0-M6.

Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

Users of Tomcat 10 onwards should be aware that, as a result of the move
from Java EE to Jakarta EE as part of the transfer of Java EE to the
Eclipse Foundation, the primary package for all implemented APIs has
changed from javax.* to jakarta.*. This will almost certainly require
code changes to enable applications to migrate from Tomcat 9 and earlier
to Tomcat 10 and later. A migration tool is under development to aid
this process.

Apache Tomcat 10.0.0-M6 is a milestone release of the 10.0.x
branch and has been made to provide users with early access to the new
features in Apache Tomcat 10.0.x so that they may provide feedback. The
notable changes compared to 10.0.0-M5 include:

- Add support for ALPN on recent OpenJDK 8 releases.

- Add support for the CATALINA_OUT_CMD environment variable that defines
  a command to which captured stdout and stderr will be redirected. For
  use with, for example, rotatelogs. Patch provided by Harald Dunkel.

- Be more flexible with respect to the ordering of groups, roles and
  users in the tomcat-users.xml file

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r39992 - /release/tomcat/tomcat-10/v10.0.0-M5/

[markt]

Author: markt
Date: Mon Jun  8 20:17:48 2020
New Revision: 39992

Log:
Drop 10.0.0-M5 from mirror network

Removed:
release/tomcat/tomcat-10/v10.0.0-M5/


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1878635 - in /tomcat/site/trunk: ./ docs/tomcat-9.0-doc/ docs/tomcat-9.0-doc/annotationapi/ docs/tomcat-9.0-doc/annotationapi/javax/annotation/ docs/tomcat-9.0-doc/annotationapi/javax/ann

[markt]

Author: markt
Date: Mon Jun  8 20:27:44 2020
New Revision: 1878635

URL: http://svn.apache.org/viewvc?rev=1878635&view=rev
Log:
Update docs for 9.0.36 release


[This commit notification would consist of 70 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1878637 - in /tomcat/site/trunk: docs/ xdocs/

[markt]

Author: markt
Date: Mon Jun  8 20:29:22 2020
New Revision: 1878637

URL: http://svn.apache.org/viewvc?rev=1878637&view=rev
Log:
Update site (excluding docs) for 9.0.36 release

Modified:
tomcat/site/trunk/docs/doap_Tomcat.rdf
tomcat/site/trunk/docs/download-90.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-9.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/doap_Tomcat.rdf
tomcat/site/trunk/xdocs/download-90.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-9.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1878637&r1=1878636&r2=1878637&view=diff
==
--- tomcat/site/trunk/docs/doap_Tomcat.rdf (original)
+++ tomcat/site/trunk/docs/doap_Tomcat.rdf Mon Jun  8 20:29:22 2020
@@ -60,8 +60,8 @@
 
   
 Latest Stable 9.0.x Release
-2020-05-11
-9.0.35
+2020-06-07
+9.0.36
   
 
 

Modified: tomcat/site/trunk/docs/download-90.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-90.html?rev=1878637&r1=1878636&r2=1878637&view=diff
==
--- tomcat/site/trunk/docs/download-90.html (original)
+++ tomcat/site/trunk/docs/download-90.html Mon Jun  8 20:29:22 2020
@@ -12,7 +12,7 @@
 
   Quick Navigation
 
-[define v]9.0.35[end]
+[define v]9.0.36[end]
 https://downloads.apache.org/tomcat/tomcat-9/KEYS";>KEYS |
 [v] |
 Browse |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1878637&r1=1878636&r2=1878637&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Mon Jun  8 20:29:22 2020
@@ -28,6 +28,27 @@ wiki page.
 Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
 project logo are trademarks of the Apache Software Foundation.
 
+2020-06-07 Tomcat 9.0.36 Released
+
+The Apache Tomcat Project is proud to announce the release of version 9.0.36
+of Apache Tomcat. The notable changes compared to 9.0.35 include:
+
+Add support for ALPN on recent OpenJDK 8 releases.
+Add support for the CATALINA_OUT_CMD environment variable that defines a
+command to which captured stdout and stderr will be redirected. For use
+with, for example, rotatelogs. Patch provided by Harald Dunkel.
+Be more flexible with respect to the ordering of groups, roles and users in
+the tomcat-users.xml file
+
+
+Full details of these changes, and all the other changes, are available in the
+Tomcat 9
+changelog.
+
+
+
+https://tomcat.apache.org/download-90.cgi";>Download
+
 2020-06-07 Tomcat 10.0.0-M6 Released
 
 The Apache Tomcat Project is proud to announce the release of version 10.0.0-M6
@@ -93,27 +114,6 @@ Full details of these changes, and all t
 
 https://tomcat.apache.org/download-70.cgi";>Download
 
-2020-05-11 Tomcat 9.0.35 Released
-
-The Apache Tomcat Project is proud to announce the release of version 9.0.35
-of Apache Tomcat. The notable changes compared to 9.0.34 include:
-
-Improve the handling of requests that use an expectation. Do not
-disable keep-alive where the response has a non-2xx status code
-but the request body has been fully read.
-Change default value separator for property replacement to ":-"
-due to possible conflicts. The syntax is now "${name:-default}".
-Update the packaged version of the Tomcat Native Library to 1.2.24.
-
-
-Full details of these changes, and all the other changes, are available in the
-Tomcat 9
-changelog.
-
-
-
-https://tomcat.apache.org/download-90.cgi";>Download
-
 2020-05-11 Tomcat 8.5.55 Released
 
 The Apache Tomcat Project is proud to announce the release of version 8.5.55

Modified: tomcat/site/trunk/docs/migration-9.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration-9.html?rev=1878637&r1=1878636&r2=1878637&view=diff
==
--- tomcat/site/trunk/docs/migration-9.html (original)
+++ tomcat/site/trunk/docs/migration-9.html Mon Jun  8 20:29:22 2020
@@ -397,8 +397,9 @@ of Apache Tomcat.
 9.0.30
 9.0.31
 9.0.33
-9.0.34
-9.0.35
+9.0.34
+9.0.35
+9.0.36
 , new version:
 
 9.0.0-M1
@@ -444,7 +445,8 @@ of Apache Tomcat.
 9.0.31
 9.0.33
 9.0.34
-9.0.35
+9.0.35
+9.0.36
 trunk (unreleased)
 
 

Modified: tomcat/site/trunk/docs/oldnews.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/oldnews.html?rev=1878637&r1=1878636&r2=1878637&view=diff

svn commit: r39993 - /release/tomcat/tomcat-9/v9.0.35/

[markt]

Author: markt
Date: Mon Jun  8 20:29:50 2020
New Revision: 39993

Log:
Drop 9.0.35 from mirror network

Removed:
release/tomcat/tomcat-9/v9.0.35/


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[ANN] Apache Tomcat 9.0.36 available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.36.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.36 is a bugfix and feature release. The notable
changes compared to 9.0.35 include:

- Add support for ALPN on recent OpenJDK 8 releases.

- Add support for the CATALINA_OUT_CMD environment variable that defines
  a command to which captured stdout and stderr will be redirected. For
  use with, for example, rotatelogs. Patch provided by Harald Dunkel.

- Be more flexible with respect to the ordering of groups, roles and
  users in the tomcat-users.xml file

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1878639 - in /tomcat/site/trunk: docs/ xdocs/

[markt]

Author: markt
Date: Mon Jun  8 20:38:45 2020
New Revision: 1878639

URL: http://svn.apache.org/viewvc?rev=1878639&view=rev
Log:
Update site (excludign docs) for 8.5.56 release

Modified:
tomcat/site/trunk/docs/doap_Tomcat.rdf
tomcat/site/trunk/docs/download-80.html
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/migration-85.html
tomcat/site/trunk/docs/oldnews.html
tomcat/site/trunk/docs/whichversion.html
tomcat/site/trunk/xdocs/doap_Tomcat.rdf
tomcat/site/trunk/xdocs/download-80.xml
tomcat/site/trunk/xdocs/index.xml
tomcat/site/trunk/xdocs/migration-85.xml
tomcat/site/trunk/xdocs/oldnews.xml
tomcat/site/trunk/xdocs/whichversion.xml

Modified: tomcat/site/trunk/docs/doap_Tomcat.rdf
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/doap_Tomcat.rdf?rev=1878639&r1=1878638&r2=1878639&view=diff
==
--- tomcat/site/trunk/docs/doap_Tomcat.rdf (original)
+++ tomcat/site/trunk/docs/doap_Tomcat.rdf Mon Jun  8 20:38:45 2020
@@ -67,8 +67,8 @@
 
   
 Latest Stable 8.5.x Release
-2020-05-11
-8.5.55
+2020-06-07
+8.5.56
   
 
 

Modified: tomcat/site/trunk/docs/download-80.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-80.html?rev=1878639&r1=1878638&r2=1878639&view=diff
==
--- tomcat/site/trunk/docs/download-80.html (original)
+++ tomcat/site/trunk/docs/download-80.html Mon Jun  8 20:38:45 2020
@@ -12,7 +12,7 @@
 
   Quick Navigation
 
-[define v]8.5.55[end]
+[define v]8.5.56[end]
 https://downloads.apache.org/tomcat/tomcat-8/KEYS";>KEYS |
 [v] |
 Browse |

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1878639&r1=1878638&r2=1878639&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Mon Jun  8 20:38:45 2020
@@ -49,6 +49,31 @@ changelog.
 
 https://tomcat.apache.org/download-90.cgi";>Download
 
+2020-06-07 Tomcat 8.5.56 Released
+
+The Apache Tomcat Project is proud to announce the release of version 8.5.56
+of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features
+pulled forward from Tomcat 9.0.x. The minimum Java version and implemented
+specification versions remain unchanged. The notable changes compared
+to 8.5.55 include:
+
+Add support for ALPN on recent OpenJDK 8 releases.
+Add support for the CATALINA_OUT_CMD environment variable that defines a
+command to which captured stdout and stderr will be redirected. For use
+with, for example, rotatelogs. Patch provided by Harald Dunkel.
+Be more flexible with respect to the ordering of groups, roles and users in
+the tomcat-users.xml file
+
+
+
+Full details of these changes, and all the other changes, are available in the
+Tomcat 8.5
+changelog.
+
+
+
+https://tomcat.apache.org/download-80.cgi";>Download
+
 2020-06-07 Tomcat 10.0.0-M6 Released
 
 The Apache Tomcat Project is proud to announce the release of version 10.0.0-M6
@@ -114,31 +139,6 @@ Full details of these changes, and all t
 
 https://tomcat.apache.org/download-70.cgi";>Download
 
-2020-05-11 Tomcat 8.5.55 Released
-
-The Apache Tomcat Project is proud to announce the release of version 8.5.55
-of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features
-pulled forward from Tomcat 9.0.x. The minimum Java version and implemented
-specification versions remain unchanged. The notable changes compared
-to 8.5.54 include:
-
-Improve the handling of requests that use an expectation. Do not
-disable keep-alive where the response has a non-2xx status code
-but the request body has been fully read.
-Change default value separator for property replacement to ":-"
-due to possible conflicts. The syntax is now "${name:-default}".
-Update the packaged version of the Tomcat Native Library to 1.2.24.
-
-
-
-Full details of these changes, and all the other changes, are available in the
-Tomcat 8.5
-changelog.
-
-
-
-https://tomcat.apache.org/download-80.cgi";>Download
-
 2020-04-29 Tomcat Native 1.2.24 Released
 
 The Apache Tomcat Project is proud to announce the release of version 1.2.24 of

Modified: tomcat/site/trunk/docs/migration-85.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/migration-85.html?rev=1878639&r1=1878638&r2=1878639&view=diff
==
--- tomcat/site/trunk/docs/migration-85.html (original)
+++ tomcat/site/trunk/docs/migration-85.html Mon Jun  8 20:38:45 2020
@@ -316,8 +316,9 @@ of Apache Tomcat.
 8.5.50
 8.5.51
 8.5.53
-8.5.54
-8.5.55
+8.5.54
+8.5.55
+8.5.56
 , new version:
 
 8.5.0
@@ -362,7 +363,8

svn commit: r1878638 - in /tomcat/site/trunk: ./ docs/tomcat-8.5-doc/ docs/tomcat-8.5-doc/annotationapi/ docs/tomcat-8.5-doc/annotationapi/javax/annotation/ docs/tomcat-8.5-doc/annotationapi/javax/ann

[markt]

Author: markt
Date: Mon Jun  8 20:38:06 2020
New Revision: 1878638

URL: http://svn.apache.org/viewvc?rev=1878638&view=rev
Log:
Update docs for 8.5.56 release


[This commit notification would consist of 65 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1878640 - in /tomcat/site/trunk: docs/index.html xdocs/index.xml

[markt]

Author: markt
Date: Mon Jun  8 20:47:19 2020
New Revision: 1878640

URL: http://svn.apache.org/viewvc?rev=1878640&view=rev
Log:
Trival chnage to try and trigger site update

Modified:
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/xdocs/index.xml

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1878640&r1=1878639&r2=1878640&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Mon Jun  8 20:47:19 2020
@@ -62,7 +62,7 @@ to 8.5.55 include:
 command to which captured stdout and stderr will be redirected. For use
 with, for example, rotatelogs. Patch provided by Harald Dunkel.
 Be more flexible with respect to the ordering of groups, roles and users in
-the tomcat-users.xml file
+the tomcat-users.xml file.
 
 
 

Modified: tomcat/site/trunk/xdocs/index.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/index.xml?rev=1878640&r1=1878639&r2=1878640&view=diff
==
--- tomcat/site/trunk/xdocs/index.xml (original)
+++ tomcat/site/trunk/xdocs/index.xml Mon Jun  8 20:47:19 2020
@@ -76,7 +76,7 @@ to 8.5.55 include:
 command to which captured stdout and stderr will be redirected. For use
 with, for example, rotatelogs. Patch provided by Harald Dunkel.
 Be more flexible with respect to the ordering of groups, roles and users in
-the tomcat-users.xml file
+the tomcat-users.xml file.
 
 
 



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[ANN] Apache Tomcat 8.5.56 available

[Mark Thomas]

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.56.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers technologies.

Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled
forward from the 9.0.x branch. The notable changes since 8.5.55 include:

- Add support for ALPN on recent OpenJDK 8 releases.

- Add support for the CATALINA_OUT_CMD environment variable that defines
  a command to which captured stdout and stderr will be redirected. For
  use with, for example, rotatelogs. Patch provided by Harald Dunkel.

- Be more flexible with respect to the ordering of groups, roles and
  users in the tomcat-users.xml file

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html


Downloads:
http://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r39994 - /release/tomcat/tomcat-8/v8.5.55/

[markt]

Author: markt
Date: Mon Jun  8 20:56:13 2020
New Revision: 39994

Log:
Drop 8.5.55 from mirror network

Removed:
release/tomcat/tomcat-8/v8.5.55/


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Implementing TNO (Trust No One) for Session Stores

[Christopher Schultz]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Tomcat stores sessions without any encryption and/or authentication,
and anyone with write-access to the session-store can poison a session
and mount an attack. This kind of attack is (arguably appropriately)
declared to be outside of the scope of Tomcat's responsibilities,
because the system administrator should arrange for appropriate
access-controls to whatever storage medium is being used.

Note that sessions can also be read from such a store, of course, but
I'm more concerned with a privilege-elevation attack, here and not a
loss of privacy. It turns out that the solution to one problem can
solve them both.

If you want to be as  paranoid as possible (and why not?), you'll want
to make sure that your session persistence mechanism isn't readable by
anyone but Tomcat. I'm sure there are use-cases for making those
session stores readable outside of Tomcat, but then again, those
people aren't asking Tomcat to provide secure session storage.

It would be simple to encrypt (or sign) the session-data and decrypt
(or validate) the data coming back in when reloading.

Of course, it would be a deployment headache because it's another
shared secret that needs to be deployed to all servers in e.g. a
cluster. I'll be talking to Rémy about his cloud provider for clusters
to see if we can do things like trade-around cluster-encryption keys
via a cloud manage r(e.g. Kubernetes), and then it seems logical that
we could do the same kind of thing for the session manager, too.
Environments without such orchestration would have to arrange to
distribute their shared secrets in some other way.

This could be implemented either at the Store level or -- even better
IMO -- at the StandardSession level, since
StandardSession.wrireObjectData/StandardSession.readObjectData can do
anything it likes to its own data such as signing or encrypting. No
interfaces would have to change.

I didn't see an opportunity to install any kind of
shim/interceptor/decorator into the existing pipeline to add this
"outside" of either the Session or the Store without any API change,
so the above idea seemed to me to be the best way to look at
implementing such as thing.

The interface for Session doesn't help at all, since this
facet (session persistence) is only introduced at the StandardSession
level. Also, the interface is basically:

writeObjectData(ObjectOutputStream)
readObjectData(ObjectInputStream)

In order to provide arbitrary manipulations, we could introduce a new
interface:

interface DataMassager {
  writeObjectData(ObjectOutputStream)
  readObjectData(ObjectInputStream)
}

Then we just wrap these things around the existing implementations.
Maybe the DataMassager is a field in StandardSession.

I generally like the idea of an interceptor, but with a stream-based
API -- especially when the stream class isn't very generic -- it's
difficult to do. If we were able to change from
Object(In|Out)putStream to (In|Out)putStream or just simply
writeObjectData(byte[]), then various interceptors could mutate the
data arbitrarily on the way in or out (or, likely, both).

If we could get away from Object(In|Out)putStream, I think that would
be a win.

We might be able to do that by introducing new API methods in
Session.java:

public void writeObjectData(OutputStream);
public void readObjectData(InputStream);

Those can, by default, just wrap an Object(In|Out)putStream around
those streams and call the existing code. But other implementations
could use the generic streams directly.

But without an API change, I think we are going to have to have a
single session-data mutator object. Stacking things up will have to be
an exercise for someone who wants something beyond the complexity I
expect to introduce, which is simply to encrypt data in the persisted
session-store.

If Tomcat encrypts session data with a symmetric key (shared with any
other Tomcat instance which would need to read the session data from
the same store), then we can guarantee that session data loaded by
Tomcat was generated by Tomcat. (Or at least was generated by code
which knew the key. We can only do so much.) Such encryption protects
the data from being viewed by unauthorized parties or from being
forged and/or manipulated.

The only thing I can think of that it will not prevent is replay
attacks: grabbing a copy of a stored session and then re-injecting it
into the session-store. I'm not sure there is an attack against Tomcat
hidden in there, but certainly there is an attack against the
application in there. Applications could version sessions or add
timestamps to things as a mitigation against session-replay attacks.

Tomcat could add replay-mitigations in a few ways, but I'm not
entirely sure these are worth is. In the spirit of academic
navel-observation, let me lay out a few ways that could be done.

First, we could version sessions. Each time a session is written-out,
its version number is incremented. Or a timestamp i

[Bug 64506] New: NullPointerException when loading webapp class

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64506

Bug ID: 64506
   Summary: NullPointerException when loading webapp class
   Product: Tomcat 9
   Version: 9.0.27
  Hardware: All
OS: Linux
Status: NEW
  Severity: major
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: arvind.tal...@veeva.com
  Target Milestone: -

We have upgraded our Tomcat version to 9.0.27 from 8.0.42, since then we have
been pretty frequently running into the below NullPointerException when our
application classes get loaded, we believe this is due a concurrency issue
(more details below). 
java.lang.NullPointerException
at
org.apache.catalina.webresources.CachedResource.getURL(CachedResource.java:317)
at
org.apache.catalina.webresources.FileResource.getCodeBase(FileResource.java:277)
at
org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2350)
at
org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:865)
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1334)
at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)

Our Environment: 
Tomcat Version: 9.0.27. Our application classes exploded to WEB-INF/classes.

Our Investigation:
To troubleshoot the issue, we have looked at code in
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java
and 
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/CachedResource.java#L70,
and it appears that we would run into this error if CachedResource is used when
org.apache.catalina.webresources.CachedResource#webResource isn't initialized
(i.e. stays null).

Upon further debugging and viewing code in
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L59,
it seems like it is possible that CachedResource could be used when its
#webResource isn't initialized when two threads concurrently ask for the same
resource but each with a different value for the boolean
useClassLoaderResources.

Consider this for example with 2 threads calling into Cache#getResource(String
path, boolean useClassLoaderResources) for the same resource but with two
different values for useClassLoaderResources and the resource is not in cache,
both threads end up at line
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L82,
then:

Thread 1: 
useClassLoaderResources=true
A new CachedResource is created at line
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L77
and put into cache at line
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L82
but CachedResource#validateResource (where CachedResource#webResource is
initialized) is not called yet, this would happen at line 
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L87.

Thread 2:
useClassLoaderResources=false  
A new CachedResource is created at line 
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L77
 
but finds the CachedResource in the cache (put in by the above thread) at line
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L82
and calls CachedResource#validateResource at line
https://github.com/apache/tomcat/blob/9.0.27/java/org/apache/catalina/webresources/Cache.java#L112,
 
but #validateResource doesn't do anything and returns because
useClassLoaderResources is false, and so CachedResource#webResource remains
uninitialized.  
Assuming that Thread 1 hasn't initialized #webResource yet, when this thread
(Thread 2) calls into CachedResource#getURL we would run into this error.

Looks like the changes in the revision
https://svn.apache.org/viewvc?view=revision&revision=1831828 are related. This
seems like a concurrency issue, and we haven't seen this addressed in newer
versions (from the changelog here
https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org