How to solve a JAR conflict in Tomcat web app required for a plugin that has a dependency on a class already in WEB-INF/lib?

I built a plugin for a web app that uses tomcat. The plugin is registered as a servlet bean. Now I want to use rabbitmq with the latest amqp client lib. Which has a dependency on classes in slf4j-api-1.7.25.jar. Unfortunately the web app has also a dependency on slf4j but an older version. So adding the the new jar file crashes the web app. Is there anything to rescue? I have two dependencies out of my control.

Tomcat localhost private ip link is not accessible by another PC in same network

I have ip:192.168.1.185 http://192.168.1.185:8080/projectname link is not able to accessible by the another computer in the same network having the ip 192.168.1.135.

I have disable IIS already. Through which the link was accessible. But through tomcat it is not accessible.

I have already enable the port in firewall settings.

Please do the needful.

Thanks in advance.

are following assertions about linux load and tomcat right?

I am looking to understand precisely how to use the load average and cpu usage on a Red hat machine that hosts a Tomcat 8 only. After looking on the net, I concluded the following assertions. Are the assertions right ? I am deeply sure of the first one since it comes from official Tomcat documentation. And I am confused about which processes could be in uninterruptible sleep.

1) Tomcat uses a thread to process a request, the maximum number of used threads is defined by Tomcat configuration ( see Tomcat documentation )

2) Oracle JVM works with native threads only since JRE 1.3 ( See JVM and threads I did not find an Oracle reference for this point)

3) Linux’s run queue contains processes and threads (id native threads) the same way ( See Linux Load Averages: Solving the Mystery and Wikipedia )

4) Load average provides the average number of process/threads in the run queue ( See Linux Journal )

5) On a Linux machine running a Tomcat only, the load average provides almost the average number of requests.

6) On Linux the load average count process/threads in state running, runnable, and uninterruptible sleep ( See Linux Journal )

7) Process/threads in uninterruptible sleep are waiting for disks I/O, non interruptible locks, network I/O ( See Redhat documenationt that includes network I/O and Linux Load Averages: Solving the Mystery that does not include network I/0 )

The point 7 is not coherent with the reference See Linux Journal that says that “In fact, it is precisely the CPU load that is measured, because load averages do not include any processes or threads waiting on I/O, networking, databases or anything else not demanding the CPU. “.

I understood that if a process reads swap it is in uninterruptible sleep but if it reads a file on internal disk, nfs folder or a SAN bay, is it in uninterruptible sleep ? Red hat documentation listed network, if a process requests a resource on the network is it in uninterruptible sleep ?

Systemctl start tomcat fails most of the time to start tomcat

If I run a specific tomcat folder it runs 100% of the time. If I run a second test folder (tomcat2) it will only run maybe 10% of the time. In other words it seems to succeed a small portion of the time. When it fails nothing is recorded in the catalina.out logs in tomcat. And when systemctl fails all I get is code = exited status 1. There’s no additional information other than tomcat.service entered failed state. If I run tomcat/bin/startup.sh it works 100% of the time.

What could it be? Why does it only work sometimes work for the second test tomcat instance? Where can I get any more debugging information? I have nothing to go on…

Firstly it’s great to hear that you’d like to update your version of LandlordMax. In regards to the instructions you can just re-download and re-install the software the same was as you did when you first installed it, the installer is smart enough to know whether it’s a new install or an upgrade. With that in mind you can find the instructions on how to install the software in Section 2 of the User Manual located online at:

To give an idea of the frustrations in one case all I did was remove SESSIONS.ser in the work folder and then it started. I then stopped and started it up again and it would no longer startup. But if I go back to the first tomcat folder it works 100% of the time.

UPDATE: After a lot of effort it looks as though the tomcat shutdown script is called right after the startup script as soon as the startup has completed…

Apache Tomcat 8.5 on windows 10

I installed Apache Tomcat in C:\ProgramFiles\Tomcat … and I didn’t have access to write in different file. I removed and uninstalled Tomcat and I reinstalled in another folder on C drive where I created a folder called “My programs”, but now not working, I have error ERR_CONNECTION_REFUSED. I checked if port 8080 are used by another application, but it’s free. I removed and reinstalled again in Program File, but with another port, 5050 and not working local host 🙁

I reinstalled again with port 8080 but the same error: ERR_CONNECTION_REFUSED when I tried to open localhost:8080

Can you help me? Thank you!

Tomcat keeps shutting down on fresh Ubuntu 18.10 install

I’m running a completely fresh install on Ubuntu 18.10 and I can’t for the life of me get Tomcat 8.5.37 to run. It keeps shutting down as soon as it runs. I have given group and user permissions. Please check the console output in the picture below.

/etc/environment:

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games" JAVA_HOME="/usr/lib/jvm/java-1.11.0-openjdk-amd64" 

tomcat.service:

[Unit] Description=Apache Web App After=network.target  [Service] Type=forking  Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64 Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid Environment=CATALINA_HOME=/opt/tomcat Environment=CATALINA_BASE=/opt/tomcat Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC' Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.edg=file:/dev/./urandom' ExecStart=/opt/tomcat/bin/startup.sh ExecStop=/opt/tomcat/bin/shutdown.sh  User=tomcat Group=tomcat UMask=0007 RestartSec=10 Restart=always  [Install] WantedBy=multi-user.target 

Console 2

Console

Ownership and Permission for Java / Tomcat

We’re currently migrating from JDK7 to OpenJDK11 on pre-production environment, which is running RHEL 7.3 on VM. Using Apache Tomcat for web application development.

Current JDK and Tomcat configuration is below,

  • There exist user named tomcat
  • Tomcat directory has ownership as tomcat:root and permission: 770
  • JDK binaries having ownership as root:root and permission:776
  • Tomcat startup is, su tomcat -c $ CATALINA_HOME/bin/startup.sh

Are these ownership and permission are proper? Can any security problem may arise because of this? What should be recommended permissions / ownership for JDK and Tomcat?

How to disable 3DES and weak ciphers in Tomcat 8.5.15

Hello,

I am being pinged by our security folks on scans stating that we still use 3DES ciphers. This system is running on a Windows Server. I have tried several different ways to add ciphers and lists of weak ciphers but when I run a scan I still show them being weak. I want to know where in the connector settings do I put the ciphers and what other options are needed to block weak ciphers? I appreciate any help you can give. Here is a copy of our scrubbed server.xml

<?xml version="1.0"…

How to disable 3DES and weak ciphers in Tomcat 8.5.15

Tomcat application arbitrary file read exploitation

In recent black-box pen-test of a webapp hosted on CentOS, I found a vulnerability that allowed me to grab contents of files (kind of file inclusion) located within the home path of Tomcat.

In classic scenario, I tried to read /etc/passwd but failed to retrieve contents. It seems, Apache Tomcat forbids web server from reading outside of web app path. Vulnerable parameter located in GET request and application appends .jsp to that and tries to read it.

For example, if we navigate to http://site.com/abc.jsp?param=en then application will try to load /some/folder/somefile_en.jsp file from filesystem. If it fails, it returns HTTP status code 500 with java.io.IOException stack-trace.

For bypassing .jsp restriction, I added ? at the end of vulnerable parameter like this http://site.com/abc.jsp?param=asdasd_asdasd/../../../../META-INF/MANIFEST.MF?. I was only able to read these files:

  • /META-INF/context.xml
  • /META-INF/MANIFEST.MF
  • /WEB-INF/web.xml

I do not know what other files I can read (because I do not have fuzz list for java apps).

Q: Could you give me fuzz list for finding other sensitive files in filesystem or could you suggest me other attack vectors?

P.S. I could enumerate file and directory names based on HTTP response. If file does not exist, this kind of error message appears:

Trying to read nonexistent file