Re: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Mark Thomas

On 06/05/2024 11:05, Hamdan Khan wrote:

Hello everyone,

We're having a problem with Tomcat on Windows servers. It only happens when:

Tomcat is running as a service (automatically started by Windows).
The Windows server automatically restarts for updates.
After the restart, Tomcat starts creating new session IDs for
every request,


That suggests that the client isn't returning the session ID to Tomcat 
for the subsequent request. I'd be asking why that is the case.


Is there a reverse proxy in the mix?

Are you using sessions at all or are they completely disabled? If yes, 
which session manager are you using?



even though our jsp tells it not to.

<%@ page session="false" %>


That is just a single page and any page can potentially trigger session 
creation.



We can fix this by deleting temp and work files from Tomcat and restarting
the service ourselves.  However, this is a manual process, and we'd like to
find a more permanent solution.


It would be interesting to know if you need to clear both of these or 
whether clearing just one is sufficient to resolve the issue. That might 
narrow down potential root causes.



Can anyone help us understand why this might be happening?


I can't think of any way Tomcat would do this. This feels more like an 
application issue at this point.



Or what logs to
configure and monitor.


My preference would always be to attach an IDE and use remote debugging 
but that probably isn't an option in production.


You could try attaching a profiler and recording object allocations. 
That should show you where/how sessions are being created.


The minimally invasive option would probably be to add an 
HttpSessionListener to your application that logs the current stack 
trace every time a session is created.



Version of Tomcat is Tomcat-9.0.83

To emphasize, we are not able to reproduce this on our local computers; it
only happens on the long-running production servers.


If you manually reboot the production servers (without clearing out work 
or temp) can you trigger the issue?


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
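Mark's minimally invasive option, written out as an added example (this is not code from the thread or from Tomcat itself): an HttpSessionListener that logs a truncated session id and the stack trace of whoever created the session. It assumes Tomcat 9 (Servlet 4.0, so javax.servlet.*) and that annotation scanning is on (no metadata-complete="true" in web.xml); the package name is made up.

```java
package example.diag; // package name assumed for this example

import java.util.Arrays;
import java.util.logging.Logger;
import java.util.stream.Collectors;

import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Diagnostic listener: records who created each HTTP session.
 * Tomcat 9 implements Servlet 4.0, hence javax.servlet.*; on Tomcat 10+
 * the same code uses jakarta.servlet.*.
 */
@WebListener
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionCreationTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        // Tomcat calls this synchronously on the request thread that called
        // getSession(), so the current stack trace names the filter, servlet or
        // JSP responsible. A JSP compiled without session="false" shows up as
        // its generated *_jsp class calling getSession(true).
        String stack = Arrays.stream(Thread.currentThread().getStackTrace())
                .skip(2) // drop Thread.getStackTrace() and this method's own frame
                .map(StackTraceElement::toString)
                .collect(Collectors.joining(System.lineSeparator() + "    at "));
        LOG.warning(() -> "session created id=" + redact(session.getId())
                + " maxInactive=" + session.getMaxInactiveInterval() + "s"
                + System.lineSeparator() + "    at " + stack);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        LOG.info(() -> "session destroyed id=" + redact(se.getSession().getId()));
    }

    /** Log only a prefix: a full JSESSIONID in a log file is a ready-made hijack token. */
    static String redact(String id) {
        if (id == null) {
            return "-";
        }
        return id.length() <= 8 ? "********" : id.substring(0, 8) + "...";
    }
}
```

Drop the compiled class under WEB-INF/classes of the affected webapp and watch catalina.out (or the juli log the webapp's logging.properties routes it to). On a healthy server the warning appears once per user; in the problem state it should appear on every request, and the frames below the listener tell you whether the creator is a JSP, application code, or a Tomcat valve/authenticator.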



Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-07 Thread Michael Osipov
We need to split between constrained and unconstrained delegation. Let's stay 
with unconstrained, the simplest one.

For that to happen you need:
* Enable it for the service account (acceptor side)
* Set the delegate flag (also there is a policy) on the security context 
(initiator side)

Try again. The best thing would be to do this with gss-client/gss-server, which 
come with MIT Kerberos; otherwise you have too many variables in the game.

Alternatively, use https://github.com/pythongssapi/python-gssapi. It has a 
fantastic interface to MIT Kerberos or Heimdal to exactly evaluate your 
environment. I use it as well.

Michael

On 2024/05/03 13:42:39 Tom Delaney wrote:
> Thanks for the reply Michael,
> 
> I'm trying to achieve retrieving delegated credentials. I'm confused by the
> debug output because I'm being told that authentication succeeded but no
> indication of why I'm not receiving delegated credentials other than there
> are none. I have looked over the delegation rules for the service account
> and SPN multiple times. When you mentioned "S4U is tried, but not
> configured for that account. Totally fine" What does that mean? Is there a
> specific place on Tomcat or Windows I need to look for this?
> 
> What I'm expecting to see outputted "Delegated Creds have pname=
> tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
> authtime=null starttime={date/timestamp} endtime={date/timestamp}"
> 
> P.S
> I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
> instead of "SA_EX_SSO"
> 
> On Fri, May 3, 2024 at 8:26 AM Michael Osipov  wrote:
> 
> > On 2024/05/02 19:20:59 Tom Delaney wrote:
> > > Hi All,
> > >
> > > Sorry for the duplicate requests. The first one was accidentally flagged
> > > for Google's new Confidential Mode which happened to be flagged.
> > > I have a red hat 9.2 server hosting a web application on a single
> > instance
> > > of Apache Tomcat. This instance is behind an apache HTTP server on
> > version
> > > 2.4.57. The application is hosted on Tomcat 9.0.54.
> > >
> > > Domain: subdomain.domain.com
> > > Site: devexample.domain.com
> > >
> > > URL hit: https://example.subdomain.domain.com/webclient/
> > > exclient.jsp
> > >
> > > *I keep getting this in the Tomcat Logs when accessing the application:*
> > > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
> >
> > You should first try to describe what you are trying to achieve and not
> > what the debug output is. The debug message comes from:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> > The message is obviously caused by this call:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
> >
> > S4U is tried, but not configured for that account. Totally fine.
> >
> > BTW: The filter you use isn't from us.
> >
> > M
> >

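Michael's two prerequisites (delegation enabled for the service account on the acceptor side, the delegate flag set on the initiator's security context) as they look in JGSS, which is the API the Krb5Context debug output above comes from. This is an added example, not code from the thread or from Tomcat; the JAAS entry names, the package name and the single-leg exchange are assumptions, and it needs a real KDC, a keytab for the HTTP service principal and a JAAS login configuration (-Djava.security.auth.login.config=...) to run.

```java
package example.gss; // package name assumed for this example

import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Both halves of unconstrained delegation with JGSS: the initiator must ask
 * for it (requestCredDeleg), and the acceptor must check that it actually
 * arrived (getCredDelegState / getDelegCred). If the service account is not
 * trusted for delegation in the directory, the KDC simply does not issue a
 * forwardable ticket for it: authentication still succeeds, but
 * getCredDelegState() is false and getDelegCred() throws.
 *
 * Assumes JAAS entries named "initiator" (user TGT, must be forwardable) and
 * "acceptor" (keytab for HTTP/host). Names are made up for this example.
 */
public final class DelegationCheck {

    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    /** Client side: first AP-REQ token, with the delegate flag set on the context. */
    public static byte[] initiatorToken(String hostBasedService) throws Exception {
        Subject client = login("initiator");
        return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // e.g. "HTTP@example.subdomain.domain.com" for the URL in the thread
            GSSName target = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            ctx.requestCredDeleg(true); // the "delegate flag" on the initiator's security context
            // Mutual auth means the initiator is only established after it also
            // processes the acceptor's reply token; one leg is enough for this check.
            return ctx.initSecContext(new byte[0], 0, 0);
        });
    }

    /** Server side: accept the token and report whether delegated creds came with it. */
    public static String acceptAndDescribe(byte[] token) throws Exception {
        Subject service = login("acceptor");
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential acceptorCred = manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(acceptorCred);
            ctx.acceptSecContext(token, 0, token.length); // reply token not needed here
            if (!ctx.isEstablished()) {
                return "context not established after one leg";
            }
            if (!ctx.getCredDelegState()) {
                // This is the "authentication succeeded but no delegated creds" case.
                return "authenticated " + ctx.getSrcName() + " but NO delegated credentials";
            }
            GSSCredential delegated = ctx.getDelegCred();
            return "delegated creds for " + delegated.getName()
                    + ", remaining lifetime " + delegated.getRemainingLifetime() + "s";
        });
    }

    private static Subject login(String jaasEntry) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        return lc.getSubject();
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Running acceptAndDescribe(initiatorToken("HTTP@<host>")) against the real KDC separates the two failure modes the debug output blurs: a client that never set requestCredDeleg (or whose TGT is not forwardable) versus a service account the directory does not trust for delegation. Both print the same successful authentication; only the delegation check differs.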



RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Hamdan Khan
Thank you Mark,

We have har files when the server is in error state, it shows that the
jsessionid is sent in request.

*Is there a reverse proxy in the mix?*
No. we directly access tomcat.

*Are you using sessions at all*
Yes, we are using the default Tomcat session; in the debugger it says
(org.apache.catalina.session.StandardSessionFacade).

*That is just a single page and any page can potentially trigger session
creation.*
It is a multi-page application; we create and maintain our UserSession
object, which is used to auth on subsequent requests. The application is
working OK on many of our servers, but starts to generate a jsessionid for
every request once the server goes into the problem state.

*It would be interesting to know if you need to clear both of these or
whether clearing just one is sufficient to resolve the issue. That might
narrow down potential root causes.*
I have requested the team to restart without removing work/temp; I will update
later in the week.

*You could try attaching a profiler and recording object allocations. That
should show you where/how sessions are being created.*
I don't think that is possible for a production server, but if we can get a
clue on how to reproduce this case.

We have a SessionListener; we will add logging to it.

thanks,
Hamdan
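The HAR files show the client sending JSESSIONID back, so the next question is whether Tomcat still recognises the id it receives. The following filter, an added example rather than code from the thread, logs for each request what id the client presented, how it arrived (cookie or URL), whether the Manager still had a session for it, and whether a new session was issued while the request was serviced. Same assumptions as a Tomcat 9 webapp with annotation scanning (javax.servlet.*); the package name is made up.

```java
package example.diag; // package name assumed for this example

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter. Interpreting the log line:
 *  - requestedId present, validOnArrival=false: the client returned an id the
 *    Manager no longer knows (lost on restart, wrong jvmRoute suffix, cookie
 *    path/domain mismatch, expired) and Tomcat will hand out a fresh one.
 *  - requestedId present, validOnArrival=true, newSessionCreated=true: the
 *    application invalidated the session during the request and then created
 *    another one (look at the application code, not the container).
 *  - requestedId absent: the browser did not send the cookie at all
 *    (Secure/SameSite/path attributes, or a different host in the URL).
 */
@WebFilter(urlPatterns = "/*", asyncSupported = true)
public class SessionIdTraceFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SessionIdTraceFilter.class.getName());

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String requested = request.getRequestedSessionId();
        boolean valid = requested != null && request.isRequestedSessionIdValid();
        String source = requested == null ? "none"
                : request.isRequestedSessionIdFromCookie() ? "cookie"
                : request.isRequestedSessionIdFromURL() ? "url" : "other";

        // getSession(false) only: getSession() would itself create a session
        // and hide the thing we are trying to observe.
        HttpSession before = request.getSession(false);
        try {
            chain.doFilter(request, response);
        } finally {
            HttpSession after = request.getSession(false);
            boolean created = after != null && after.isNew();
            if ((requested != null && !valid) || created) {
                LOG.warning(String.format(
                        "%s %s requestedId=%s source=%s validOnArrival=%s "
                                + "sessionBefore=%s sessionAfter=%s newSessionCreated=%s setCookie=%s",
                        request.getMethod(), request.getRequestURI(),
                        redact(requested), source, valid,
                        before != null, redact(after == null ? null : after.getId()),
                        created, response.getHeaders("Set-Cookie")));
            }
        }
    }

    /** Log only a prefix: a full JSESSIONID in a log file is a ready-made hijack token. */
    static String redact(String id) {
        if (id == null) {
            return "-";
        }
        return id.length() <= 8 ? "********" : id.substring(0, 8) + "...";
    }
}
```

Compare the requestedId prefix in the log with the JSESSIONID in the HAR request: if they match and validOnArrival is false on every request, the Manager is rejecting an id the client is faithfully returning, and the work/temp clean-up that "fixes" it points at persisted session state rather than at the JSP directive.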


Re: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Joey Cochran
Could this be the culprit?

${CATALINA_BASE}/conf/context.xml








[ANN] Apache Tomcat 9.0.89 available

2024-05-07 Thread Rémy Maucherat
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.89.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.89 is a bugfix and feature release. The notable
changes compared to 9.0.88 include:

- Refactor HTTP header parsing to use common parsing code and fix
   non-blocking reads of chunked request bodies including trailer fields

- Add more timescale options to AccessLogValve and
   ExtendedAccessLogValve

- WebDAV locking handling fixes

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team




Re: FileUpload class not working with Tomcat 10.1

2024-05-07 Thread Christopher Schultz

Mark,

On 5/3/24 12:16, Mark Foley wrote:


On 4/23/24 18:44, Chuck Caldarale wrote:


   uploadfile






   uploadfile
   /schDistImportResults.jsp


The first servlet is named “uploadfile”.


On Apr 23, 2024, at 12:42, Mark Foley  wrote:

Now I need to add another program to the system that does file 
uploads. I
created another  definition in WEB-INF/web.xml following the 
original:



   uploadfile






   uploadfile
   /1099R-Etrans.jsp


This second servlet is also named “uploadfile”.

That didn't work so well. Now, any and all programs using the fileupload
function launch this 2nd program, 1099R-Etrans.jsp. It appears that this
second  definition replaces the first.

You gave them the same names, so the second one wins...

What magic were you expecting to differentiate between the two?

   - Chuck

I can easily change the name of the second servlet, but how would the 
respective jsp programs (schDistImportResults.jsp, 1099R-Etrans.jsp) 
specify one or the other? The programs do:

String contentType = request.getContentType();

if (contentType.startsWith("multipart/form-data;"))
{
     Part fileUpload = request.getPart("taxResults");  // for 
schDistImportResults.jsp

// or
     Part fileUpload = request.getPart("vendor1099-MISC"); // for 
1099R-Etrans.jsp


     InputStream inFile = fileUpload.getInputStream();
  :
}

That's it. There is nothing in the program that specifies a servlet 
name. My initial servlet definition (for schDistImportResults.jsp) was 
based on the XML suggestion from Christopher Schultz back in November, 
2023. Since only the one jsp program was involved, there was no 
discussion of how to specify more than one program in web.xml.


So, I can (and will) give the servlets different names in web.xml, but 
how does the jsp program select the one for its use?


Does the JSP need to reference the "program" (servlet?) at all? When you 
make a request, Tomcat determines which servlet in your application will 
service the request. If that's a JSP, then the JSP is invoked. A JSP 
just compiles to a servlet, just as if you had written a .java file with 
a class that "extends HttpServlet" or similar.


It's not clear what "the program" is: JSP or servlet? Or something else? 
It's also not clear how "the program" would or should reference a 
servlet name.


Maybe you can explain (again)?

-chris

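Chris's point that the JSP never references the servlet name, turned into a concrete web.xml: each JSP that must accept multipart/form-data gets its own <servlet> entry (a distinct name, a <jsp-file> pointing at the JSP, and its own <multipart-config>) plus its own <servlet-mapping>. The name is only the key that joins those two elements; Tomcat picks the servlet from the URL. This is an added example, not the thread's original web.xml; it assumes the original definitions used <jsp-file> and <multipart-config>, and the servlet names and size limits are made up. The namespace is Servlet 6.0 for Tomcat 10.1.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee
                             https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">

  <!-- One <servlet> per upload JSP. Without <multipart-config> (or Tomcat's
       allowCasualMultipartParsing on the Context) request.getPart() fails.
       Always set the size limits: with none, a client can stream an unbounded
       body onto the server's disk. Values below are examples. -->
  <servlet>
    <servlet-name>schDistImportUpload</servlet-name>
    <jsp-file>/schDistImportResults.jsp</jsp-file>
    <multipart-config>
      <max-file-size>10485760</max-file-size>        <!-- 10 MiB per part -->
      <max-request-size>11534336</max-request-size>  <!-- 11 MiB whole request -->
      <file-size-threshold>262144</file-size-threshold>
    </multipart-config>
  </servlet>
  <servlet-mapping>
    <servlet-name>schDistImportUpload</servlet-name>
    <url-pattern>/schDistImportResults.jsp</url-pattern>
  </servlet-mapping>

  <!-- Second upload JSP: different name, different mapping, same mechanism. -->
  <servlet>
    <servlet-name>etransUpload</servlet-name>
    <jsp-file>/1099R-Etrans.jsp</jsp-file>
    <multipart-config>
      <max-file-size>10485760</max-file-size>
      <max-request-size>11534336</max-request-size>
      <file-size-threshold>262144</file-size-threshold>
    </multipart-config>
  </servlet>
  <servlet-mapping>
    <servlet-name>etransUpload</servlet-name>
    <url-pattern>/1099R-Etrans.jsp</url-pattern>
  </servlet-mapping>

</web-app>
```

With two entries sharing the name uploadfile, the second <servlet> silently replaced the first and both mappings pointed at 1099R-Etrans.jsp, which is exactly the symptom reported. The JSP code itself (request.getPart("taxResults") and so on) needs no change.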



Re: [EXTERNAL] RE: After Windows Server Restart, tomcat generating New JSESSIONID even with <%@ page session="false" %>

2024-05-07 Thread Christopher Schultz

Joey,

On 5/7/24 10:50, Joey Cochran wrote:

Coud this be the culprit ?

${CATALINA_BASE}/conf/context.xml

 
 


Possible, but the report was that every single request generates a new 
JSESSIONID, not that every session seems to have expired and needs to be 
re-initialized.


-chris





