JNDIRealm with required ChannelBindingToken fails
Hello Tomcat-Team,

we are currently using a JNDIRealm to authenticate against an ActiveDirectory via LDAPS. For security reasons, the LDAP server should be configured to enforce channel binding tokens (CBT).

If CBT is set to enforced, however, the JNDIRealm fails with this exception:

org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 80090346, v4563 ]; remaining name 'ou=xxx,dc=com'
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
...

Java should support CBT since version 16 according to these pages:
https://bugs.openjdk.org/browse/JDK-8258824
https://bugs.openjdk.org/browse/JDK-8247311

They mention that a JNDI environment property "com.sun.jndi.ldap.tls.cbtype" should be set to make JNDI work with CBT.

Looking at the class JNDIRealm.java --> getDirectoryContextEnvironment(), I can't find any property with this name or any way to inject additional properties.

The realm configuration in Tomcat is quite common, nothing special:

Has anybody succeeded in using JNDIRealm with CBT? Could the connection issue be solved with standard methods?

If further information is needed, I can provide further details.

Thank you very much in advance!
Thomas
Re: context path version number with parallel deployment
On 18/03/2025 08:02, Усманов Азат Анварович wrote:
> Mark, I was thinking more about the Parallel deployment section of the Tomcat Docs
> https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
> Just a simple mention like
> "If you want to get the current webapp version number in a servlet you should use the org.apache.catalina.webappVersion attribute, like this:
> String webappVersion = (String)request.getServletContext().getAttribute("org.apache.catalina.webappVersion");
> "

If you are going to mention one attribute there, you should mention them all.

The easiest way to do that is to create a PR against the following file to add a paragraph with your suggested text. You might want a table of attribute name and meaning. You might also want to think about which of those sections it fits best.

https://github.com/apache/tomcat/blob/main/webapps/docs/config/context.xml

Kind regards,

Mark

> From: Mark Thomas
> Sent: 18 March 2025 9:35
> To: users@tomcat.apache.org
> Subject: Re: context path version number with parallel deployment
>
> On 17/03/2025 18:43, Усманов Азат Анварович wrote:
>> thanks a lot! I got it working.
>> A quick follow up
>> What steps do I need to take to include this info in the documentation? I think it might be useful to others
>
> The list is in the Javadoc:
> https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/Globals.html
>
> Where else would you like to see it? The where may change which steps are required to update the docs.
>
> Mark
>
>> From: Christopher Schultz
>> Sent: 17 March 2025 17:40
>> To: users@tomcat.apache.org
>> Subject: Re: context path version number with parallel deployment
>>
>> Азат,
>>
>> On 3/17/25 8:53 AM, Усманов Азат Анварович wrote:
>>> Hi everyone! Is it possible to display the current version number in a JSP page or servlet when using parallel deployment, using some property?
>>> Currently, when building an app war, we use git to calculate the last revision number, store it in a file, and use it to name the war accordingly, e.g. Education##15229, Education##15230 etc.
>>> I know tomcat is already using something to show the version, because when checking catalina.out for errors it already shows something like
>>> 17-Mar-2025 11:15:49.732 SEVERE [https-openssl-apr-8443-exec-73] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [IndexServlet] with context path [/Education##23459] threw exception [org.opensaml.common.SAMLException: Assertion is not conformed with notOnOrAfter condition] with root cause
>>>
>>> I know if such a property exists it's probably a tomcat one, not java, since parallel deployment is not a java but a tomcat feature, and request.getContextPath() shows only the main part (before ##) - /Education
>>> The ability to display such information in a webpage would help greatly in troubleshooting various app users' requests when dealing with multiple versions
>>> Any help is appreciated!
>>> Tomcat version 9.0.64
>>> OS RHEL Linux 6.5
>>> Java version 1.8.202
>>
>> String webappVersion = (String)request.getServletContext().getAttribute("org.apache.catalina.webappVersion");
>>
>> -chris
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
Archive localhost_access_log
Hello,

Tomcat server version: 9.0.98.

server.xml configuration for AccessLogValve:

Everything works fine. Now, I have a requirement to archive these log files similar to log4j (the pattern is already taken care of in the valve) with (archive when the file size reaches a certain size) and (clean up archived files).

Is there a way to archive these logs via the configuration in the valve? If not, what is the best way to go about it: a custom class that implements ValveBase or extends AccessLogValve, or something else entirely?

Thanks and regards,

- Quoc
RE: context path version number with parallel deployment
Mark, I was thinking more about the Parallel deployment section of the Tomcat Docs
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html
Just a simple mention like
"If you want to get the current webapp version number in a servlet you should use the org.apache.catalina.webappVersion attribute, like this:
String webappVersion = (String)request.getServletContext().getAttribute("org.apache.catalina.webappVersion");
"

From: Mark Thomas
Sent: 18 March 2025 9:35
To: users@tomcat.apache.org
Subject: Re: context path version number with parallel deployment

On 17/03/2025 18:43, Усманов Азат Анварович wrote:
> thanks a lot! I got it working.
> A quick follow up
> What steps do I need to take to include this info in the documentation? I think it might be useful to others

The list is in the Javadoc:
https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/Globals.html

Where else would you like to see it? The where may change which steps are required to update the docs.

Mark

> From: Christopher Schultz
> Sent: 17 March 2025 17:40
> To: users@tomcat.apache.org
> Subject: Re: context path version number with parallel deployment
>
> Азат,
>
> On 3/17/25 8:53 AM, Усманов Азат Анварович wrote:
>> Hi everyone! Is it possible to display the current version number in a JSP page or servlet when using parallel deployment, using some property?
>> Currently, when building an app war, we use git to calculate the last revision number, store it in a file, and use it to name the war accordingly, e.g. Education##15229, Education##15230 etc.
>> I know tomcat is already using something to show the version, because when checking catalina.out for errors it already shows something like
>> 17-Mar-2025 11:15:49.732 SEVERE [https-openssl-apr-8443-exec-73] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [IndexServlet] with context path [/Education##23459] threw exception [org.opensaml.common.SAMLException: Assertion is not conformed with notOnOrAfter condition] with root cause
>>
>> I know if such a property exists it's probably a tomcat one, not java, since parallel deployment is not a java but a tomcat feature, and request.getContextPath() shows only the main part (before ##) - /Education
>> The ability to display such information in a webpage would help greatly in troubleshooting various app users' requests when dealing with multiple versions
>> Any help is appreciated!
>> Tomcat version 9.0.64
>> OS RHEL Linux 6.5
>> Java version 1.8.202
>
> String webappVersion = (String)request.getServletContext().getAttribute("org.apache.catalina.webappVersion");
>
> -chris
Re: [EXTERNAL] Re: Archive localhost_access_log
There are other ways to capture or store logs... Tools or toolsets like Telegraf. OT but could be of help

> Thank you Mr. Funk.
>
> My request is two-fold: a) archive the log files elsewhere (not the "logs" folder) based on some policy, b) clean up (delete) the archived files based on some policy.
>
> If I'm not mistaken, your suggestion may address the latter but nothing on the former?
>
> Thanks and regards,
>
> - Quoc
>
> -Original Message-
> From: Tim Funk
> Sent: Tuesday, March 18, 2025 1:10 PM
> To: Tomcat Users List
> Subject: [EXTERNAL] Re: Archive localhost_access_log
>
> Personally, I rely on a daily cron with a find by time and the -delete flag, where the time to keep is based on policy.
>
> -Tim
>
> On Tue, Mar 18, 2025 at 9:52 AM Nguyen, Quoc A. (QUANTUM MANAGEMENT, LLC) wrote:
>> Hello,
>>
>> Tomcat server version: 9.0.98.
>>
>> server.xml configuration for AccessLogValve:
>>
>> directory="logs" prefix="localhost_access_log" suffix=".log" maxDays="7"
>> pattern="%h %{X-Forwarded-For}i %t %I "%m %U" %{local}p %s %b %D"
>> resolveHosts="false" />
>>
>> Everything works fine. Now, I have a requirement to archive these log files similar to log4j (the pattern is already taken care of in the valve) with (archive when the file size reaches a certain size) and (clean up archived files).
>>
>> Is there a way to archive these logs via the configuration in the valve? If not, what is the best way to go about it: a custom class that implements ValveBase or extends AccessLogValve, or something else entirely?
RE: [EXTERNAL] Re: Archive localhost_access_log
Thank you Mr. Funk.

My request is two-fold: a) archive the log files elsewhere (not the "logs" folder) based on some policy, b) clean up (delete) the archived files based on some policy.

If I'm not mistaken, your suggestion may address the latter but nothing on the former?

Thanks and regards,

- Quoc

-Original Message-
From: Tim Funk
Sent: Tuesday, March 18, 2025 1:10 PM
To: Tomcat Users List
Subject: [EXTERNAL] Re: Archive localhost_access_log

Personally, I rely on a daily cron with a find by time and the -delete flag, where the time to keep is based on policy.

-Tim

On Tue, Mar 18, 2025 at 9:52 AM Nguyen, Quoc A. (QUANTUM MANAGEMENT, LLC) wrote:
> Hello,
>
> Tomcat server version: 9.0.98.
>
> server.xml configuration for AccessLogValve:
>
> directory="logs" prefix="localhost_access_log" suffix=".log" maxDays="7"
> pattern="%h %{X-Forwarded-For}i %t %I "%m %U" %{local}p %s %b %D"
> resolveHosts="false" />
>
> Everything works fine. Now, I have a requirement to archive these log files similar to log4j (the pattern is already taken care of in the valve) with (archive when the file size reaches a certain size) and (clean up archived files).
>
> Is there a way to archive these logs via the configuration in the valve? If not, what is the best way to go about it: a custom class that implements ValveBase or extends AccessLogValve, or something else entirely?
Re: Archive localhost_access_log
Personally, I rely on a daily cron with a find by time and the -delete flag, where the time to keep is based on policy.

-Tim

On Tue, Mar 18, 2025 at 9:52 AM Nguyen, Quoc A. (QUANTUM MANAGEMENT, LLC) wrote:
> Hello,
>
> Tomcat server version: 9.0.98.
>
> server.xml configuration for AccessLogValve:
>
> directory="logs" prefix="localhost_access_log" suffix=".log" maxDays="7"
> pattern="%h %{X-Forwarded-For}i %t %I "%m %U" %{local}p %s %b %D"
> resolveHosts="false" />
>
> Everything works fine. Now, I have a requirement to archive these log files similar to log4j (the pattern is already taken care of in the valve) with (archive when the file size reaches a certain size) and (clean up archived files).
>
> Is there a way to archive these logs via the configuration in the valve? If not, what is the best way to go about it: a custom class that implements ValveBase or extends AccessLogValve, or something else entirely?
Re: JNDIRealm with required ChannelBindingToken fails
On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Trade GmbH)" wrote:
> Hello Tomcat-Team,
> we are currently using a JNDIRealm to authenticate against an ActiveDirectory via LDAPS.
> For security reasons, the LDAP server should be configured to enforce channel binding tokens (CBT).
>
> If CBT is set to enforced, however, the JNDIRealm fails with this exception:
>
> org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090346: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 80090346, v4563 ]; remaining name 'ou=xxx,dc=com'
> at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3260)
> ...
>
> Java should support CBT since version 16 according to these pages:
> https://bugs.openjdk.org/browse/JDK-8258824
> https://bugs.openjdk.org/browse/JDK-8247311
>
> They mention that a JNDI environment property "com.sun.jndi.ldap.tls.cbtype" should be set to make JNDI work with CBT.
>
> Looking at the class JNDIRealm.java --> getDirectoryContextEnvironment(), I can't find any property with this name or any way to inject additional properties.
>
> The realm configuration in Tomcat is quite common, nothing special:
> adCompat="true"
> allRolesMode ="authOnly"
> connectionTimeout="3000"
> connectionURL="ldaps://server1:636"
> ...
> useDelegatedCredential="true"
> spnegoDelegationQop="auth"
> />
>
> Has anybody succeeded in using JNDIRealm with CBT?
> Could the connection issue be solved with standard methods?

There is none, and the JNDIRealm does not provide a way to pass arbitrary properties to the DirContext. Your best shot is to extend the class, override getDirectoryContextEnvironment() and pass the desired property.

It was actually backported to older versions: https://bugs.openjdk.org/browse/JDK-8245527

My recommendation is to test it in an isolated environment first:
* Plain DirContext
* ldapsearch(1) + Cyrus SASL

In our huge enterprise this isn't enforced; I guess that qop-auth is still good enough with aes256-cts-hmac-sha1-96 (SSF 256). Even back then, when I co-reviewed the PR, I did not fully understand what the huge benefit of TLS-CB is if you have AES-256 and auth-conf with Kerberos, but I am not a security expert.

Michael
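One way to do what Michael describes, as an added example that is neither code from this thread nor from Tomcat: a JNDIRealm subclass that overrides getDirectoryContextEnvironment() and adds com.sun.jndi.ldap.tls.cbtype to the environment Tomcat already builds. The class and package names, the cbType realm attribute and the ldaps:// check are this example's own; the value "tls-server-end-point" is the binding type the JDK changes linked above (JDK-8245527) implement for GSSAPI/Kerberos binds, which is the mode Thomas's useDelegatedCredential/spnegoDelegationQop settings use.

```java
package com.example.realm; // hypothetical package chosen for this example

import java.util.Hashtable;

import org.apache.catalina.realm.JNDIRealm;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Adds the JDK's LDAP channel-binding property to the DirContext environment.
 * server.xml (the cbType attribute is defined by this class, not by Tomcat):
 *   <Realm className="com.example.realm.ChannelBindingJNDIRealm"
 *          cbType="tls-server-end-point" connectionURL="ldaps://server1:636" ... />
 */
public class ChannelBindingJNDIRealm extends JNDIRealm {

    private static final Log log = LogFactory.getLog(ChannelBindingJNDIRealm.class);

    /** JNDI environment property introduced by JDK-8245527 / JDK-8258824. */
    public static final String CBTYPE_PROPERTY = "com.sun.jndi.ldap.tls.cbtype";

    /** "tls-server-end-point" is the channel binding type the JDK implements. */
    private String cbType = "tls-server-end-point";

    public String getCbType() {
        return cbType;
    }

    /** Tomcat's config parser calls this setter for cbType="..." in server.xml. */
    public void setCbType(String cbType) {
        this.cbType = cbType;
    }

    @Override
    protected Hashtable<String, String> getDirectoryContextEnvironment() {
        // Start from the environment JNDIRealm builds (URL, credentials, referrals, ...)
        Hashtable<String, String> env = super.getDirectoryContextEnvironment();
        if (cbType == null || cbType.isEmpty()) {
            return env; // channel binding not requested: behave exactly like JNDIRealm
        }
        // The token is a hash of the server's TLS certificate, so it only works over
        // ldaps://; warn here so a misconfiguration is visible in the logs.
        String url = getConnectionURL();
        if (url == null || !url.toLowerCase().startsWith("ldaps://")) {
            log.warn("Channel binding requested but connectionURL is not ldaps://: " + url);
        }
        env.put(CBTYPE_PROPERTY, cbType);
        return env;
    }
}
```

Compile it against the Tomcat version in use and put the jar in $CATALINA_BASE/lib so the Realm element can reference it by className.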
Re: [EXTERNAL] Re: Archive localhost_access_log
Nothing built in to move them. But the same advice applies. The find command chained with mv or mv+gzip could be a solution.

Or, if your backup policy is good enough, doing nothing and relying on backups to retrieve old logs would work too.

But all of this depends on the use case for retrieval: how quickly the files need to be retrieved, what the effort is and how often this would happen.

On Tue, Mar 18, 2025 at 10:41 AM Nguyen, Quoc A. (QUANTUM MANAGEMENT, LLC) wrote:
> Thank you Mr. Funk.
>
> My request is two-fold: a) archive the log files elsewhere (not the "logs" folder) based on some policy, b) clean up (delete) the archived files based on some policy.
>
> If I'm not mistaken, your suggestion may address the latter but nothing on the former?