ClassNotFoundException listeners.ContextListener in IDE

2023-12-24 Thread Igal Sapir
Any thoughts why I get ClassNotFoundException: listeners.ContextListener
(and other listeners) when I run Tomcat in an IDE (IntelliJ IDEA)?

SEVERE: Error configuring application listener of class
[listeners.ContextListener]
java.lang.ClassNotFoundException: listeners.ContextListener


Then, when I try to make a request,
jakarta.servlet.jsp.JspFactory.getDefaultFactory() returns null and throws
another exception (can be seen at the end of the console output).

Here is the console output:

/opt/java/jdk-22-ea+29/bin/java
-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:46023,suspend=y,server=n
--enable-preview
-javaagent:/opt/jetbrains/idea-IC-233.13135.103/plugins/java/lib/rt/debugger-agent.jar
-Dfile.encoding=UTF-8 -Dsun.stdout.encoding=UTF-8
-Dsun.stderr.encoding=UTF-8 -classpath
/workspace/src/tomcat/main/.idea/output/production/tomcat:/opt/java/apache-ant-1.10.8/lib/ant.jar:/workspace/build/tomcat-build-libs/junit-4.13.2/junit-4.13.2.jar:/workspace/build/tomcat-build-libs/ecj-4.29/ecj-4.29.jar:/workspace/build/tomcat-build-libs/easymock-4.3/easymock-4.3.jar:/workspace/build/tomcat-build-libs/hamcrest-2.2/hamcrest-2.2.jar:/workspace/build/tomcat-build-libs/cglib-3.3.0/cglib-nodep-3.3.0.jar:/workspace/build/tomcat-build-libs/objenesis-3.3/objenesis-3.3.jar:/workspace/build/tomcat-build-libs/bnd-7.0.0/biz.aQute.bnd-7.0.0.jar:/workspace/build/tomcat-build-libs/migration-1.0.7/jakartaee-migration-1.0.7-shaded.jar:/workspace/build/tomcat-build-libs/unboundid-6.0.11/unboundid-ldapsdk-6.0.11.jar:/workspace/src/tomcat/main/lib/jmh-core-1.36.jar:/workspace/src/tomcat/main/lib/jopt-simple-5.0.4.jar:/workspace/src/tomcat/main/lib/commons-math3-3.6.1.jar:/workspace/src/tomcat/main/lib/jmh-generator-annprocess-1.36.jar:/opt/jetbrains/idea-IC-233.13135.103/lib/idea_rt.jar
org.apache.catalina.startup.Bootstrap
Connected to the target VM, address: '127.0.0.1:46023', transport: 'socket'
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version name:   Apache Tomcat/11.0.x-dev
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:  unknown
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version number: 11.0.x
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name:   Linux
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:6.2.0-39-generic
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture:  amd64
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home: /opt/java/jdk-22-ea+29
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version:   22-ea+29-2286
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Vendor:Oracle Corporation
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_BASE: /workspace/src/tomcat/main
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: CATALINA_HOME: /workspace/src/tomcat/main
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument:
-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:46023,suspend=y,server=n
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: --enable-preview
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument:
-javaagent:/opt/jetbrains/idea-IC-233.13135.103/plugins/java/lib/rt/debugger-agent.jar
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dfile.encoding=UTF-8
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.stdout.encoding=UTF-8
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Command line argument: -Dsun.stderr.encoding=UTF-8
Dec 24, 2023 8:04:24 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows using OpenSSL was
not found on the java.library.path:
[/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
Dec 24, 2023 8:04:24 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-nio-8080"]
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.Catalina load
INFO: Server initialization in [929] milliseconds
Dec 24, 2023 8:04:24 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service [Catalina]
Dec 24, 2023 8:04:24 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet engine: [Apache Tomcat/11.0.x-dev]
Dec 24, 2023 8:04:24 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web appli

Re: [PR] Csrf filter improvements [tomcat]

2023-12-24 Thread via GitHub


isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435943366


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String 
parameterName) {
 this.nonceRequestParameterName = parameterName;
 }
 
+/**
+ * Sets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @param enforce true to enforce CSRF protections or
+ *false to log DEBUG messages and allow
+ *all requests.
+ */
+public void setEnforce(boolean enforce) {
+this.enforce = enforce;
+}
+
+/**
+ * Gets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @return true if CSRF protections will be enforced or
+ * false if all requests will be allowed and
+ * failures will be logged as DEBUG messages.
+ */
+public boolean getEnforce() {
+return this.enforce;
+}
+
+/**
+ * Sets the list of URL patterns to suppress nonce-addition for.
+ *
+ * Some URLs do not need nonces added to them such as static resources.
+ * By not adding nonces to those URLs, HTTP caches can be more
+ * effective because the CSRF prevention filter won't generate what
+ * look like unique URLs for those commonly-reused resources.
+ *
+ * @param patterns A comma-separated list of URL patterns that will not
+ *have nonces added to them. Patterns may begin or end with a
+ ** character to denote a suffix-match or
+ *prefix-match. Any matched URL will not have a CSRF nonce
+ *added to it when passed through
+ *{@link HttpServletResponse#encodeURL(String)}.
+ */
+public void setNoNonceURLPatterns(String patterns) {
+this.noNoncePatterns = patterns;
+
+if (null != context) {
+this.noNoncePredicates = createNoNoncePredicates(context, 
this.noNoncePatterns);
+}
+}
+
+/**
+ * Creates a collection of matchers from a comma-separated string of 
patterns.
+ *
+ * @param patterns A comma-separated string of URL matching patterns.
+ *
+ * @return A collection of predicates representing the URL patterns.
+ */
+protected static Collection> 
createNoNoncePredicates(ServletContext context, String patterns) {
+if (null == patterns || 0 == patterns.trim().length()) {
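
Review bot: In the `setEnforce` Javadoc, `enforce=false` is described as logging failures only as DEBUG messages while allowing all requests, so unless DEBUG logging is enabled for this filter, report-only mode records nothing about the requests it would have rejected. Consider logging non-enforced failures at a level that is visible without extra logging configuration, or state in the Javadoc that DEBUG logging must be enabled for this mode to be useful and that the filter rejects nothing while `enforce` is false.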

Review Comment:
   In Java 11+ you can use `patterns.isBlank()` which will return true if the 
string is empty or contains only whitespace



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: [PR] Csrf filter improvements [tomcat]

2023-12-24 Thread via GitHub


isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435943790


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String 
parameterName) {
 this.nonceRequestParameterName = parameterName;
 }
 
+/**
+ * Sets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @param enforce true to enforce CSRF protections or
+ *false to log DEBUG messages and allow
+ *all requests.
+ */
+public void setEnforce(boolean enforce) {
+this.enforce = enforce;
+}
+
+/**
+ * Gets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @return true if CSRF protections will be enforced or
+ * false if all requests will be allowed and
+ * failures will be logged as DEBUG messages.
+ */
+public boolean getEnforce() {
+return this.enforce;
+}
+
+/**
+ * Sets the list of URL patterns to suppress nonce-addition for.
+ *
+ * Some URLs do not need nonces added to them such as static resources.
+ * By not adding nonces to those URLs, HTTP caches can be more
+ * effective because the CSRF prevention filter won't generate what
+ * look like unique URLs for those commonly-reused resources.
+ *
+ * @param patterns A comma-separated list of URL patterns that will not
+ *have nonces added to them. Patterns may begin or end with a
+ ** character to denote a suffix-match or
+ *prefix-match. Any matched URL will not have a CSRF nonce
+ *added to it when passed through
+ *{@link HttpServletResponse#encodeURL(String)}.
+ */
+public void setNoNonceURLPatterns(String patterns) {
+this.noNoncePatterns = patterns;
+
+if (null != context) {
+this.noNoncePredicates = createNoNoncePredicates(context, 
this.noNoncePatterns);
+}
+}
+
+/**
+ * Creates a collection of matchers from a comma-separated string of 
patterns.
+ *
+ * @param patterns A comma-separated string of URL matching patterns.
+ *
+ * @return A collection of predicates representing the URL patterns.
+ */
+protected static Collection> 
createNoNoncePredicates(ServletContext context, String patterns) {
+if (null == patterns || 0 == patterns.trim().length()) {
+return null;
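
Review bot: In `setNoNonceURLPatterns`, the `if (null != context)` guard means that when the setter runs before `context` is assigned, only the raw string is stored and `noNoncePredicates` is not built here; the visible lines do not show where it is built in that case, so a short comment naming that place would help. The Javadoc for `createNoNoncePredicates` also lacks an `@param context` entry, and its `@return` should say what is returned for a null or blank pattern string.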

Review Comment:
   What do you think about returning `Collections.emptyList()` instead of null? 
Then you can use it in iterators with no issues and avoid having to check for 
nulls / NPEs






Re: [PR] Csrf filter improvements [tomcat]

2023-12-24 Thread via GitHub


isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435945537


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -110,45 +285,70 @@ public void doFilter(ServletRequest request, 
ServletResponse response, FilterCha
 
 HttpSession session = req.getSession(false);
 
+String requestedPath = getRequestedPath(req);
 boolean skipNonceCheck = skipNonceCheck(req);
 NonceCache nonceCache = null;
 
 if (!skipNonceCheck) {
 String previousNonce = 
req.getParameter(nonceRequestParameterName);
 
 if (previousNonce == null) {
-if (log.isDebugEnabled()) {
-log.debug("Rejecting request for " + 
getRequestedPath(req) + ", session " +
-(null == session ? "(none)" : session.getId()) 
+
-" with no CSRF nonce found in request");
-}
-
-res.sendError(getDenyStatus());
-return;
-}
+if (enforce(req, requestedPath)) {
+if (log.isDebugEnabled()) {
+log.debug("Rejecting request for " + 
getRequestedPath(req) + ", session " +
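
Review bot: The added `String requestedPath = getRequestedPath(req);` is passed to `enforce(req, requestedPath)`, but the `log.debug` call a few lines below still calls `getRequestedPath(req)` again. Use the `requestedPath` local in the message so the path that is logged is the same value the enforcement decision was made on.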

Review Comment:
   Looks like quite a few repetitions of log.debug blocks with very similar 
content.  Might be a good opportunity for a private function?






Re: [PR] Csrf filter improvements [tomcat]

2023-12-24 Thread via GitHub


isapir commented on code in PR #681:
URL: https://github.com/apache/tomcat/pull/681#discussion_r1435945699


##
java/org/apache/catalina/filters/CsrfPreventionFilter.java:
##
@@ -87,11 +104,170 @@ public void setNonceRequestParameterName(String 
parameterName) {
 this.nonceRequestParameterName = parameterName;
 }
 
+/**
+ * Sets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @param enforce true to enforce CSRF protections or
+ *false to log DEBUG messages and allow
+ *all requests.
+ */
+public void setEnforce(boolean enforce) {
+this.enforce = enforce;
+}
+
+/**
+ * Gets the flag to enforce CSRF protection or just log failures as DEBUG
+ * messages.
+ *
+ * @return true if CSRF protections will be enforced or
+ * false if all requests will be allowed and
+ * failures will be logged as DEBUG messages.
+ */
+public boolean getEnforce() {
+return this.enforce;
+}
+
+/**
+ * Sets the list of URL patterns to suppress nonce-addition for.
+ *
+ * Some URLs do not need nonces added to them such as static resources.
+ * By not adding nonces to those URLs, HTTP caches can be more
+ * effective because the CSRF prevention filter won't generate what
+ * look like unique URLs for those commonly-reused resources.
+ *
+ * @param patterns A comma-separated list of URL patterns that will not
+ *have nonces added to them. Patterns may begin or end with a
+ ** character to denote a suffix-match or
+ *prefix-match. Any matched URL will not have a CSRF nonce
+ *added to it when passed through
+ *{@link HttpServletResponse#encodeURL(String)}.
+ */
+public void setNoNonceURLPatterns(String patterns) {
+this.noNoncePatterns = patterns;
+
+if (null != context) {
+this.noNoncePredicates = createNoNoncePredicates(context, 
this.noNoncePatterns);
+}
+}
+
+/**
+ * Creates a collection of matchers from a comma-separated string of 
patterns.
+ *
+ * @param patterns A comma-separated string of URL matching patterns.
+ *
+ * @return A collection of predicates representing the URL patterns.
+ */
+protected static Collection> 
createNoNoncePredicates(ServletContext context, String patterns) {
+if (null == patterns || 0 == patterns.trim().length()) {
+return null;
+}
+
+String values[] = patterns.split(",");
+
+ArrayList> matchers = new ArrayList<>(values.length);
+for (String value : values) {
+Predicate p = createNoNoncePredicate(context, 
value.trim());
+
+if (null != p) {
+matchers.add(p);
+}
+}
+
+matchers.trimToSize();
+
+return matchers;
+}
+
+/**
+ * Creates a predicate that can match the specified type of pattern.
+ *
+ * @param pattern The pattern to match e.g. *.foo or
+ */bar/*.
+ *
+ * @return A Predicate which can match the specified pattern, or
+ * >null if the pattern is null or blank.
+ */
+protected static Predicate createNoNoncePredicate(ServletContext 
context, String pattern) {
+if (null == pattern || 0 == pattern.trim().length()) {
+return null;
+}
+if (pattern.startsWith("mime:")) {
+return new MimePredicate(context, createNoNoncePredicate(context, 
pattern.substring(5)));
+} else if (pattern.startsWith("*")) {
+return new SuffixPredicate(pattern.substring(1));
+} else if (pattern.endsWith("*")) {
+return new PrefixPredicate(pattern.substring(0, pattern.length() - 
1));
+} else if (pattern.startsWith("/") && pattern.endsWith("/")) {
+return new PatternPredicate(pattern.substring(1, pattern.length() 
- 1));
+} else {
+throw new IllegalArgumentException("Unsupported pattern: " + 
pattern);
+}
+}
+
+protected static class MimePredicate implements Predicate {
+private final ServletContext context;
+private final Predicate predicate;
+
+public MimePredicate(ServletContext context, Predicate 
predicate) {
+this.context = context;
+this.predicate = predicate;
+}
+
+@Override
+public boolean test(String t) {
+String mimeType = context.getMimeType(t);
+
+return predicate.test(mimeType);
+}
+}
+
+protected static class PrefixPredicate implements Predicate {
+private final String prefix;
+public PrefixPredicate(String prefix) {
+this.prefix = prefix;
+}
+
+@Override
+public boolean test(String t) {
+return t.endsWith(this.prefix);
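
Review bot: `PrefixPredicate.test` returns `t.endsWith(this.prefix)`, which is a suffix match; for a pattern such as `/bar/*` it should be `t.startsWith(this.prefix)`. As written, prefix patterns will not match the URLs they are meant to exclude from nonce addition. Separately, in `MimePredicate.test` the result of `context.getMimeType(t)` is passed straight to `predicate.test(mimeType)`; `getMimeType` returns null for an unknown type, and a pattern of just `mime:` makes the inner `createNoNoncePredicate` call return null, so both cases should be guarded against a NullPointerException.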

Review