tomcat 11 tomcat-util.jar is contains a soon to be removed class

[Rick Noel]

Hello,

When I upgraded to tomcat 11.0.5 and Java 24,
Tomcat log gives this warning..

WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::invokeCleaner has been called by 
org.apache.tomcat.util.buf.ByteBufferUtilsUnsafe 
(file:/home/web/servers/apache-tomcat-11.0.5/lib/tomcat-util.jar)
WARNING: Please consider reporting this to the maintainers of class 
org.apache.tomcat.util.buf.ByteBufferUtilsUnsafe
WARNING: sun.misc.Unsafe::invokeCleaner will be removed in a future release





Rick Noel
Systems Programmer | Westwood One
rn...@westwoodone.com

PLEASE NOTE: This message may contain confidential information and is intended 
only for the individual(s) named. Employees of Cumulus Media Inc. and its 
subsidiaries (including Westwood One) are prohibited from disclosing 
confidential information to any third party. If you are not the named addressee 
you should not disseminate, distribute or copy this e-mail. Please notify the 
sender immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient you 
are notified that disclosing, copying, distributing or taking any action in 
reliance on the contents of this information is strictly prohibited.

Re: Help with Cluster Setup on Tomcat 9

[Zoran Avtarovski]

Hi Mark,

By duplicate session I mean that we get a duplicate session id created 
by one of the nodes which then hijacks an existing session and we have 
two users with a single session. We thought using JDBC based sessions 
would avoid this but that doesn't seem to be the case. It could be how 
our PersistentManager is setup, see config below, but I'm leaning to 
going back to default memory based sessions and using the cluster tag. 
We are out of our comfort zone on this and are happy for any 
advice/experience.


Z.


    
    


On 24/4/2025 7:45 pm, Mark Thomas wrote:

On 24/04/2025 02:02, Zoran Avtarovski wrote:
We have a cluster of tomcat servers on AWS EC2 which operate behind 
an AWS load balancer with sticky sessions.


We have our session storage on a DB using a JDBC store which for the 
most part is working well, but we occasionally see duplicate session 
ids which create issues where a new session with a duplicate session 
id hijacks an existing session.


What do you mean by a duplicate session?

What causes this situation.

As you can imagine we would like to prevent this from occurring and 
have been looking into the issue. It looks like using the cluster tag 
might be the solution but I wanted to tap into the collective wisdom 
of the group on the best way forward. We can't just add the


| |


That could be quite a big change.

Mark



tag as it uses ip multicast which doesn't work in EC2 as there is no 
physical broadcast layer. The alternative appears to be to use the 
StaticMemebrshipService and I wanted to confirm if my config ideas 
are correct? I have the following setup:


className="org.apache.catalina.tribes.membership.StaticMembershipService">
className="org.apache.catalina.tribes.membership.StaticMember"
   host="10.0.1.11" port="4004" 
uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>
    className="org.apache.catalina.tribes.membership.StaticMember"
   host="10.0.1.12" port="4004" 
uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,1}"/>



Does this look right to others and do I need a separate Member tag 
for each member of the cluster?


I'd appreciate any assistance on this and other suggestions you guys 
may have.


Z.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Registration on the Labour Department Website

[Christa Olivier]

Good afternoon

Our HR and Payroll functions are being outsources to a HUB in Manila.

The employees who will be dealing with the these functions require access to be 
able to submit the ROE and any claims, however they do not have a South African 
Identity Number, is there another way that we will be able to register these 
employees on the Department of Labour websit?

Kind regards,

Christa Olivier

HR Specialist
Human Resources

[cid:image001.jpg@01DBB523.33FAF850]

Merck (Pty) Ltd I 1 Friesland Drive I Longmeadow Business Estate I 1645 I 
Modderfontein I South Africa
Office (Swicthboard): +27 11 372 5000
Email: christa.oliv...@external.merckgroup.com I Home: 
www.merck.co.za




This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient, you 
must not copy this message or attachment or disclose the contents to any other 
person. If you have received this transmission in error, please notify the 
sender immediately and delete the message and any attachment from your system. 
Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept 
liability for any omissions or errors in this message which may arise as a 
result of E-Mail-transmission or for damages resulting from any unauthorized 
changes of the content of this message and any attachment thereto. Merck KGaA, 
Darmstadt, Germany and any of its subsidiaries do not guarantee that this 
message is free of viruses and does not accept liability for any damages caused 
by any virus transmitted therewith.



Click 
merckgroup.com/disclaimer
 to access the German, French, Spanish, Portuguese, Turkish, Polish and Slovak 
versions of this disclaimer.



Please find our Privacy Statement information by clicking here: 
merckgroup.com/privacy-statements-by-location

Annual Application for ROE

[Christa Olivier]

Good afternoon

Our letter of Good Standing expires on 31 April 2025, however the system to 
submit ROE applications only opens for renewal on 1 May 2025.

Could you please advise an alternative way that we can submit the application 
for ROE?

Kind regards,

Christa Olivier

HR Specialist
Human Resources

[cid:image001.jpg@01DBB522.AD33F2E0]

Merck (Pty) Ltd I 1 Friesland Drive I Longmeadow Business Estate I 1645 I 
Modderfontein I South Africa
Office (Swicthboard): +27 11 372 5000
Email: christa.oliv...@external.merckgroup.com I Home: 
www.merck.co.za




This message and any attachment are confidential and may be privileged or 
otherwise protected from disclosure. If you are not the intended recipient, you 
must not copy this message or attachment or disclose the contents to any other 
person. If you have received this transmission in error, please notify the 
sender immediately and delete the message and any attachment from your system. 
Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept 
liability for any omissions or errors in this message which may arise as a 
result of E-Mail-transmission or for damages resulting from any unauthorized 
changes of the content of this message and any attachment thereto. Merck KGaA, 
Darmstadt, Germany and any of its subsidiaries do not guarantee that this 
message is free of viruses and does not accept liability for any damages caused 
by any virus transmitted therewith.



Click 
merckgroup.com/disclaimer
 to access the German, French, Spanish, Portuguese, Turkish, Polish and Slovak 
versions of this disclaimer.



Please find our Privacy Statement information by clicking here: 
merckgroup.com/privacy-statements-by-location

Re: Help with Cluster Setup on Tomcat 9

[Zoran Avtarovski]

Thanks Chuck,

I missed that and will implement. Bigger problem is that 
PersistentManager is incompatible with Clusters so we have to migrate 
back to memory based sessions and use clusters to share sessions.


I would have thought that cluster would be easier to support with DB 
based sessions. Does anyone know why they aren't supported?


Z.



On 24/4/2025 11:20 am, Chuck Caldarale wrote:

On 2025 Apr 23, at 20:02, Zoran Avtarovski wrote:

We have a cluster of tomcat servers on AWS EC2 which operate behind an AWS load 
balancer with sticky sessions.

We have our session storage on a DB using a JDBC store which for the most part 
is working well, but we occasionally see duplicate session ids which create 
issues where a new session with a duplicate session id hijacks an existing 
session.

As you can imagine we would like to prevent this from occurring and have been 
looking into the issue. It looks like using the cluster tag might be the 
solution but I wanted to tap into the collective wisdom of the group on the 
best way forward. We can't just add the

| |

tag as it uses ip multicast which doesn't work in EC2 as there is no physical 
broadcast layer. The alternative appears to be to use the 
StaticMemebrshipService and I wanted to confirm if my config ideas are correct? 
I have the following setup:



   


Does this look right to others and do I need a separate Member tag for each 
member of the cluster?

I'd appreciate any assistance on this and other suggestions you guys may have.


Have you specified a unique jvmRoute attribute in the  element of each 
Tomcat server?

https://tomcat.apache.org/tomcat-9.0-doc/config/engine.html#Common_Attributes

   - Chuck

Re: Axis Fault, Xerces sees the webapp as stopped although it is running

[Mark Thomas]

On 23/04/2025 16:10, Simon Arame wrote:




What java method call should I be searching for in libraries source code ?


It isn't going to be that simple. You'll need to do something like.

1. Deploy the application

2. Undeploy the application

3. Force GC (with a profiler)

4. Take a memory snapshot (with a profiler)

5. Look for instances of the web application class loader

6. Find the one with the state STOPPED or similar

7. Trace the GC roots

8. Figure out what is creating those reference chains

9. Figure out what you need to do to destroy each reference chain when 
the application shuts down and/or cause each reference chain to be 
created to the common class loader rather than the web application 
specific one.


If you can provide a minimal web application that reproduces the issue, 
we can help with the above.


Mark





Simon

On Tue, Apr 22, 2025 at 12:02 PM Mark Thomas  wrote:


On 22/04/2025 16:44, Simon Arame wrote:




What is strange is that although it says "this web application instance

has

been stopped already", the web application is still running, end users

are

still receiving 200 OKs from the web application.


Any other web applications running on that Tomcat instance?

Has the web application with the issue ever been restarted / reloaded?


We are not sure what causes this because it does not always happen, it is
"intermittent". The SoapBindingStub is called from a JSP which is aimed

to

simulate a call to a Soap service as if it was coming from outside of

this

app.
So the jsp that made the call received this 500 error from the Soap

service

but this is unusual.


What you are seeing is the web application attempting to use classes
that were loaded by a different/"older version of the current" web
application.

This sort of thing can happen when a web application (or a library is
uses) registers something at the JVM level which then becomes a global
resource rather than a web application specific resource.

The trick to fixing this is figuring out what code is performing this
JVM level registration and moving that code from the web application to
$CATALINA_BASE/lib

If it is a library the application is using, this is relatively simple.
If it is the application then things get trickier.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Help with Cluster Setup on Tomcat 9

[Mark Thomas]

On 24/04/2025 02:02, Zoran Avtarovski wrote:
We have a cluster of tomcat servers on AWS EC2 which operate behind an 
AWS load balancer with sticky sessions.


We have our session storage on a DB using a JDBC store which for the 
most part is working well, but we occasionally see duplicate session ids 
which create issues where a new session with a duplicate session id 
hijacks an existing session.


What do you mean by a duplicate session?

What causes this situation.

As you can imagine we would like to prevent this from occurring and have 
been looking into the issue. It looks like using the cluster tag might 
be the solution but I wanted to tap into the collective wisdom of the 
group on the best way forward. We can't just add the


| |


That could be quite a big change.

Mark



tag as it uses ip multicast which doesn't work in EC2 as there is no 
physical broadcast layer. The alternative appears to be to use the 
StaticMemebrshipService and I wanted to confirm if my config ideas are 
correct? I have the following setup:


className="org.apache.catalina.tribes.membership.StaticMembershipService">

       host="10.0.1.11" port="4004" 
uniqueId="{0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}"/>

       host="10.0.1.12" port="4004" 
uniqueId="{1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,1}"/>



Does this look right to others and do I need a separate Member tag for 
each member of the cluster?


I'd appreciate any assistance on this and other suggestions you guys may 
have.


Z.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Axis Fault, Xerces sees the webapp as stopped although it is running

[Simon Arame]

Hi Mark, thank you for providing those steps. I downloaded a "YourKit"
trial and did execute them.

I am blocked at the "Figure out what is creating those reference chains"
step. The documentation [
https://tomcat.apache.org/tomcat-9.0-doc/api/org/apache/catalina/loader/WebappClassLoaderBase.html
] states the following implementation note:

""" By default, this class loader follows the delegation model required by
the specification. The bootstrap class loader will be queried first, then
the local repositories, and only then delegation to the parent class loader
will occur. This allows the web application to override any shared class
except the classes from J2SE. Special handling is provided from the JAXP
XML parser interfaces, the JNDI interfaces, and the classes from the
servlet API, which are never loaded from the webapp repositories. The
delegate property allows an application to modify this behavior to move the
parent class loader ahead of the local repositories. """

Not sure I am interpreting the doc correctly, does this mean that the
concerned classes of the xercesImpl jar in /WEB-INF/lib will be
ignored when there exists the equivalent in the bootstrap class loader
and/or the parent one if any ?

So the problem I am experiencing is with JAXP XML parser interfaces,
specifically I am getting an error when our code calls


javax.xml.bind.DatatypeConverter.parseDateTime(someString)


so that the org.apache.xerces.jaxp.datatype.DatatypeFactoryImpl tries to
use org.apache.xerces.jaxp.datatype.XMLGregorianCalendarImpl but cannot
load the inner class called XMLGregorianCalendarImpl$DaysInMonth.

Opening the HPROF memory dump, I've found that after context is stopped,
the org.apache.xerces.jaxp.datatype.XMLGregorianCalendarImpl class is
referenced in 2 ParallelWebappClassLoader although almost all contexts that
are subject to be using some xml were stopped except Tomcat's manager.

1) GC Root from one of our class that has a static method that calls
SSLContext.setDefault() with an ssl context declared inside that static
method as parameter.
2) GC Root from a sun.awt.AppContext. We are not using AppContext directly
so I blocked there.

Does that finding of 2 ParallelWebappClassLoader was the right thing to
find ? I would have tought that the reference I was looking for would have
been in either the  or the java.net.URLClassLoader that
contains most of the used catalina classes.

Moreover, I've found that there is one of the existing
org.apache.jasper.servlet.JasperLoader that contains the compiled JSP class
that is faulty, could that be related somehow?

I've changed the SSLContext.setDefault call from one of our class so it's
not dangling anymore and run the steps one more time, stopping all contexts
this time except tomcat's manager and opening the HPROF dump found:

1) XMLGregorianCalendarImpl in classes of
org.apache.catalina.loader.ParallelWebappClassLoader [Held by JVM]
2) XMLGregorianCalendarImpl from constant pool of
org.apache.xerces.jaxp.datatype.DatatypeFactoryImpl which is the
datatypeFactory of com.sun.xml.bind.DatatypeConverterImpl which is the
theConverter of javax.xml.bind.DatatypeConverter which itself is a GC Root.

Could I for instance add a Class.forName(javax.xml.bind.DatatypeConverter)
in my JSP or perhaps try to explicitly load that class differently?

At this point, I do not know what to do next!

Simon

On Thu, Apr 24, 2025 at 5:40 AM Mark Thomas  wrote:

> On 23/04/2025 16:10, Simon Arame wrote:
>
> 
>
> > What java method call should I be searching for in libraries source code
> ?
>
> It isn't going to be that simple. You'll need to do something like.
>
> 1. Deploy the application
>
> 2. Undeploy the application
>
> 3. Force GC (with a profiler)
>
> 4. Take a memory snapshot (with a profiler)
>
> 5. Look for instances of the web application class loader
>
> 6. Find the one with the state STOPPED or similar
>
> 7. Trace the GC roots
>
> 8. Figure out what is creating those reference chains
>
> 9. Figure out what you need to do to destroy each reference chain when
> the application shuts down and/or cause each reference chain to be
> created to the common class loader rather than the web application
> specific one.
>
> If you can provide a minimal web application that reproduces the issue,
> we can help with the above.
>
> Mark
>
>
>
> >
> > Simon
> >
> > On Tue, Apr 22, 2025 at 12:02 PM Mark Thomas  wrote:
> >
> >> On 22/04/2025 16:44, Simon Arame wrote:
> >>
> >> 
> >>
> >>> What is strange is that although it says "this web application instance
> >> has
> >>> been stopped already", the web application is still running, end users
> >> are
> >>> still receiving 200 OKs from the web application.
> >>
> >> Any other web applications running on that Tomcat instance?
> >>
> >> Has the web application with the issue ever been restarted / reloaded?
> >>
> >>> We are not sure what causes this because it does not always happen, it
> is
> >>> "intermittent". The SoapBindingStub is called fro