Re: Side effect of Tomcat 10.1.20 with Freemarker

2024-06-11 Thread Mark Thomas

On 07/06/2024 09:04, Jeroen Hoffman wrote:


On 06-Jun-24 18:17, Mark Thomas wrote:

On 06/06/2024 11:01, Jeroen Hoffman wrote:

Hi all,

We've found a side effect of change #68721 [1] in Tomcat 10.1.20 that 
we'd like to notify you about.


We're using Apache Freemarker for back-end templating, and its 
NodeModel class uses reflection to determine what classes to use for 
xpath, thereby catching IllegalAccessError, see [2].


Per change #68721 a IllegalAccessError is caught as LinkageError and 
turned into a Throwable, NoClassDefFoundError in our case, see [3], 
and then falls through that block in NodeModel and errors out.


So this change in Tomcat alters the behaviour in Freemarker, which I 
assume was unexpected. We can (and must) work around it, preventing 
the IllegalAccessError, but still, maybe you'd like to improve again 
or have other thoughts?


How are you getting from the original IllegalAccessError to a 
NoClassDefFoundError? Tomcat should re-throw the original 
IllegalAccessError.


Small correction from my side: WebappClassLoaderBase throws a 
ClassNotFoundException (not NoClassDefFoundError) at the end of 
#loadClass (line 1353).


It's not re-throwing the original IllegalAccessError because the call to 
#findLoadedClass0(name) at line 2361 is NOT throwing anything, just 
returns null and then the ClassNotFoundException is thrown.


This specific case is about an anonymous inner class that implements 
PrefixResolver from the java.xml module, see 
https://github.com/apache/freemarker/blob/2.3/freemarker-core/src/main/java/freemarker/ext/dom/SunInternalXalanXPathSupport.java


Got it. Thanks for the explanation.

I need to confirm that it doesn't break the original fix but my plan is 
to check clazz after line 2311 and rethrow the original exception if it 
is null.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Side effect of Tomcat 10.1.20 with Freemarker

2024-06-11 Thread Mark Thomas

On 11/06/2024 12:30, Mark Thomas wrote:



I need to confirm that it doesn't break the original fix but my plan is 
to check clazz after line 2311 and rethrow the original exception if it 
is null.


Testing with the original reproducer looks good.

Fixed in:
- 11.0.x for 11.0.0-M21 onwards
- 10.1.x for 10.1.25 onwards
-  9.0.x for  9.0.90 onwards

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Mysterious websocket disconnection--no logs

2024-06-11 Thread Mark Thomas

On 09/06/2024 01:08, Flaviu Tamas wrote:

I'm writing some tests for my Spring Boot application, which uses
tomcat-embed-websocket-10.1.18. When I send a message to the socket
from handleVideoFrame, all I see is

.WebSocketAnnotationMethodMessageHandler : Invoking
VideoStreamController#handleVideoFrame[3 args]
o.s.w.s.m.SubProtocolWebSocketHandler: Clearing session
3b7fc290-eeb3-a86c-a465-8826819f3bde

I can turn debug logging on for org.apache.tomcat.websocket.WsSession,
which give me a bit more detail, but this is detail that the
application user is unlikely to care about (some sort of internal ID
that I don't think is exposed anywhere else)

.WebSocketAnnotationMethodMessageHandler : Invoking
VideoStreamController#handleVideoFrame[3 args]
org.apache.tomcat.websocket.WsSession: Closing WebSocket session [3]
o.s.w.s.m.SubProtocolWebSocketHandler: Clearing session
a77dcddd-877e-1d5a-8dd2-daf3f38395f7

This is especially frustrating because this log line has complete
context. If I place a breakpoint in WsSession.doClose, I can see that
the error is "The decoded text message was too big for the output
buffer and the endpoint does not support partial messages", which does
help me solve my problem.

It would be nice if this message was exposed to the user, either by
default, or at the very least in the debug logs.


The message is sent to the user/client as part of the WebSocket close 
message. If the client doesn't expose that to the user, there isn't much 
Tomcat can do.


Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: PKCS#8 encryption algorithm unrecognized

2024-06-11 Thread Christopher Schultz

Mark,

On 6/10/24 14:56, Timothy Resh wrote:

After much debugging, I have found the issue in my situation. In the
server.xml file, you must put keystoreType="PKCS12" for it to recognize the
keystore properly.


That doesn't make any sense to me. Not a single one of your previous 
posts has been using a keystore file at all for Tomcat. You did show how 
you assembled a (rather complicated) PKCS12 keystore file using a 
combination of openssl and keytool in your message from 25 March but 
this is the only place in your configuration file I see that file:


SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"

I have *no idea* what you are doing in there, but I assumed that 
keystore contained some kind of password and not a certificate or RSA key.


-chris


On Fri, Apr 5, 2024 at 4:27 AM Roberto Benedetti <
roberto.benede...@dedalus.eu> wrote:


I got the Object ID and version straight out of the Certificate using
Keystore Explorer.  I'm not sure why there is a difference.


Keystore Explorer uses Bouncy Castle (https://www.bouncycastle.org/) as
provider for JCE.

If your JRE/JDK does not provide some algorithm you could use Bouncy
Castle as well.

Regards,
Roberto
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 9: Java 11 to Java 17

2024-06-11 Thread Christopher Schultz

Ryan,

Word-wrapping didn't help on this one...

On 6/10/24 15:44, Ryan Esch wrote:

Hi folks,I have a webapp running Apache Tomcat 9.0.67 with Java 11, using 
JASPIC for authentication. For reference, using these:
             org.apache.tomcat            
tomcat-catalina            9.0.85
             org.apache.tomcat            
catalina            6.0.53


Are you using two different versions of Tomcat glued together? 
tomcat-catalina is 9.0.85 (and not 9.0.67 as you claim above) but also 
catalina is 6.0.53?


You might want to sort this out before moving forward any more.


This works.I need to get this running with Java 17. I've updated my javax 
classes to jakarta and my JASPIC dependencies to:
             org.apache.tomcat            
tomcat-jaspic-api            11.0.0-M5
             org.apache.tomcat            
tomcat-catalina            11.0.0-M5


Those are Tomcat dependencies. Don't you have any dependencies on like 
servlet-api and jaspic and things like that? Those are much more 
important than depending on Tomcat itself.


Unless you are actually launching Tomcat from Maven or using Tomcat as 
an embedded server inside your application, you shouldn't have any Maven 
dependencies on Tomcat *at all*. You should be using the servlet-api and 
related artifacts instead.


Also... you have chosen Tomcat 11 dependencies, but you are deploying 
onto Tomcat 9.0.something. Not going to work.



These are built with Java 17. My webapp compiles and builds. But at runtime, I 
get errors like this:
java.lang.VerifyError: Bad type on operand stackException Details:  Reason:    
Type 'org/apache/catalina/authenticator/jaspic/AuthConfigFactoryImpl' (current 
frame, stack[4]) is not assignable to 
'jakarta/security/auth/message/config/AuthConfigFactory'
Specifically, this does not cause any issues:          AuthConfigFactory 
factory = new AuthConfigFactoryImpl();
However, if I call any method on this factory, I see the above Error.I can't 
seem to figure out the cause. I don't see any old javax AuthConfig classes in 
the dependencies.Anyone familiar with this?


This is definitely a javax/jakarta impedance issue.

I would go back to your pom and see if you are able to remove Tomcat 
completely. You should really be using these dependencies instead:



  jakarta.platform
  jakarta.jakartaee-api
  8.0.0
  provided


This is for the servlet API itself. JASPIC (now "Jakarta 
Authentication") is of course a separate artifact.


Once your application is building to a WAR properly, try deploying it 
into Tomcat 10 or Tomcat 11. As Chuck says, Tomcat 10 is the first 
version of Tomcat that supports the Jakarta APIs.


Going *way back to the beginning*, getting your application working with 
Java 17 should have been trivial: just install Java 17 and run 
everything you already had without any changes whatsoever. You shouldn't 
have even needed to recompile anything.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Excluding specific files when creating WAR files?

2024-06-11 Thread Christopher Schultz

James,

On 6/10/24 13:09, James H. H. Lampert wrote:
Please forgive me if this is a RTFM issue, or if it's outside the scope 
of this List (and this isn't exactly the first time I've imposed upon 
the friendly nature of this List, knowing that it's a much more 
forgiving environment than a lot of StackExchange forums are).


I've just been alerted that our WAR files contain ".DS_Store" (Mac OS 
desktop information) files.


So far as I'm aware, it's difficult or impossible to keep Mac OS from 
generating these files, but is there some WAR file generation parameter 
that can be used to exclude them?


The short answer to this is "yes" but the slightly longer answer is "ask 
your developers to arrange for artifacts such as these to be ignored 
when building ZIP files."


Others are offering some specifics, but if it's not your job to package 
the ZIP files then, well, don't bother to try to find the solution 
yourself. Just tell your devs to fix this.


If you want to fix your existing JAR files, you can do this if you are 
on a UNIX-like system and have the "zip" utility installed:


$ zip -d data.zip "*/.DS_Store"

The "*" here should expand to include all prefixes so it should remove 
these files from all directories.


Back to the original issue: .DS_Store files in ZIP files [is a security 
issue] as claimed by your customer's security scan. Eh... yeah, sure I 
guess. But it's not going to leak very much information from your 
developers' machines. The real problem would be if *other* files from 
your developers machines are ending up in the build... the only thing 
the presence of the .DS_Store files would be to indicate that other 
(usually more sensitive) files are also available.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org