Cannot increase log level debugging in tomcat6 using jndi realm - authentication

I am trying to configure tomcat to connect to an ldap database using JNDI Realm, in order to integrate with Active Directory. However, I am getting the following error in my logs and cannot seem to increase the log level to see what is really going on.
Feb 19, 2014 10:10:41 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1048 ms
Feb 19, 2014 10:10:42 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 19, 2014 10:10:42 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.36
Feb 19, 2014 10:10:42 AM org.apache.catalina.realm.RealmBase init
FINE: Register Realm Catalina:type=Realm,realmPath=/realm0
Feb 19, 2014 10:10:42 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:34 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:44 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
Feb 19, 2014 10:11:45 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
Feb 19, 2014 10:11:45 AM org.apache.catalina.authenticator.AuthenticatorBase start
FINE: No SingleSignOn Valve is present
Feb 19, 2014 10:11:45 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Feb 19, 2014 10:11:45 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 64228 ms
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /tip/
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Secure Area]' against GET /index.jsp --> true
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[Secure Area]' against GET /index.jsp --> true
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
Feb 19, 2014 10:11:54 AM org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
Feb 19, 2014 10:11:54 AM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test
My Realm configuration within tomcat's server.xml looks like this: (I obviously removed sensitive information)
<!-- JNDI Realm authentication start -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://<ldap server goes here>:389"
connectionName="cn=app,ou=service admin accounts,ou=users,o=iam"
connectionPassword="password goes here"
referrals="follow"
userBase="ou=fil,ou=users,o=iam"
userSearch="(AMAccountName={0})"
userSubtree="true"
roleBase="ou=groups,o=iam"
roleName="cn"
roleSubtree="true"
roleSearch="(member={0})"
/>
<!-- JNDI Realm authentication end -->
My tomcat logging.properties looks like this:
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, 3manager.org.apache.juli.FileHandler, 4host-manager.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler
############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################
1catalina.org.apache.juli.FileHandler.level = ALL
1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
1catalina.org.apache.juli.FileHandler.prefix = catalina.
1catalina.org.apache.juli.FileHandler.bufferSize = -1
2localhost.org.apache.juli.FileHandler.level = ALL
2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
2localhost.org.apache.juli.FileHandler.prefix = localhost.
3manager.org.apache.juli.FileHandler.level = ALL
3manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
3manager.org.apache.juli.FileHandler.prefix = manager.
4host-manager.org.apache.juli.FileHandler.level = ALL
4host-manager.org.apache.juli.FileHandler.directory = ${catalina.base}/logs
4host-manager.org.apache.juli.FileHandler.prefix = host-manager.
java.util.logging.ConsoleHandler.level = ALL
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################
# Possible levels are: SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL
org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.FileHandler
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = ALL
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.FileHandler
# For example, to log debug messages in ContextConfig and HostConfig
# classes and to log only warnings and errors in other
# org.apache.catalina.** classes, uncomment these lines:
#org.apache.catalina.startup.ContextConfig.level = FINE
#org.apache.catalina.startup.HostConfig.level = FINE
#org.apache.catalina.level = WARNING
So, as you can see, I have tried to increase the log level by adding debug="99" to the server.xml and changing the realm and authenticator levels to ALL. However, I am still not getting anything that looks useful except for the error Failed authenticate() test.
Where is the rest of the log information? What I am expecting is to see the LDAP query going out.

Your setup seems right to me. So I'm wondering: are you sure that there are other logs to show?
As you can see in the JavaDocs of this library the method authenticate is defined like this:
authenticate
protected abstract boolean authenticate(Request request,
                                        Response response,
                                        LoginConfig config)
                                 throws java.io.IOException
And described as:
Authenticate the user making this request, based on the specified login configuration. Return true if any specified constraint has been satisfied, or false if we have created a response challenge already.
Parameters:
request - Request we are processing
response - Response we are creating
config - Login configuration describing how authentication should be performed.
Throws:
java.io.IOException - if an input/output error occurs
This means that the method will throw an error (and some log info with it) only if there is an IO error; otherwise it simply returns false (probably authentication went wrong for some other reason).
So if whoever calls this method does not handle the "false" case by logging something meaningful, but simply logs "authentication failed", it can be the case that your config is well done and you cannot get additional information from this.

I already see an issue with your configuration...
referrals="follow"
userBase="ou=fil,ou=users,o=iam"
userSearch="(AMAccountName={0})"
userSubtree="true"
roleBase="ou=groups,o=iam"
should be
referrals="follow"
userBase="ou=fil,ou=users,o=iam"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="ou=groups,o=iam"
And, from my experience, the transactions between the Tomcat server and the LDAP/AD server will be reflected in the localhost.<date>.log rather than in the catalina... logs.
Hope that helps.
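
A check for the kind of filter typo pointed out above, as an added example (not code from the original posts or from Tomcat). The host name, the password value and the KNOWN_ATTRS allowlist are assumptions made for the illustration; the rest of the Realm element is taken from the question. It also flags a bind password configured together with an ldap:// connection URL, since that URL scheme carries no TLS.

```python
import difflib
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Realm from the question, with a placeholder host and password.
SAMPLE_REALM = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
  connectionURL="ldap://ldap.example.internal:389"
  connectionName="cn=app,ou=service admin accounts,ou=users,o=iam"
  connectionPassword="PLACEHOLDER"
  userBase="ou=fil,ou=users,o=iam"
  userSearch="(AMAccountName={0})"
  userSubtree="true"
  roleBase="ou=groups,o=iam"
  roleName="cn"
  roleSearch="(member={0})" />'''

# Assumption: a short allowlist of attributes commonly used in AD login and group filters.
KNOWN_ATTRS = ["sAMAccountName", "userPrincipalName", "cn", "uid", "mail",
               "member", "memberOf", "objectClass", "distinguishedName"]

# Attribute name at the start of each filter item, e.g. "(sAMAccountName=" or "(cn~=".
FILTER_ATTR = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9;.-]*)\s*(?:[~<>]?=)")


def lint_realm(xml_text, known=KNOWN_ATTRS):
    """Return a list of (realm attribute, finding) tuples for one <Realm> element."""
    realm = ET.fromstring(xml_text)
    # LDAP attribute names are case-insensitive, so compare in lower case.
    known_lower = {a.lower(): a for a in known}
    findings = []

    user_search = realm.get("userSearch")
    if user_search is not None and "{0}" not in user_search:
        findings.append(("userSearch", "filter has no {0} placeholder for the username"))

    for key in ("userSearch", "roleSearch"):
        for attr in FILTER_ATTR.findall(realm.get(key) or ""):
            if attr.lower() in known_lower:
                continue
            near = difflib.get_close_matches(attr.lower(), list(known_lower), n=1, cutoff=0.8)
            hint = f"; did you mean {known_lower[near[0]]}?" if near else ""
            findings.append((key, f"unknown attribute {attr}{hint}"))

    url = realm.get("connectionURL", "")
    if url.lower().startswith("ldap://") and realm.get("connectionPassword"):
        findings.append(("connectionURL", "bind password configured with ldap:// (no TLS)"))
    return findings


if __name__ == "__main__":
    for where, what in lint_realm(SAMPLE_REALM):
        print(f"{where}: {what}")
```

Running it before a restart catches a misspelled attribute that would otherwise only show up as a login that silently finds no user.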

Related

Apache Tomcat is not finishing startup after deployed in Minikube - Kubernetes

I am trying to deploy a tomcat docker container in the Kubernetes and start the application deployed.
I have installed tomcat inside the docker container and copied my application war file into the tomcat webapps folder. When I ssh into the docker container and try to start the tomcat server by running the catalina.sh file, the tomcat server starts deploying my app.war file and stays there. The Tomcat server does not finish starting up.
I tried looking at the logs, but that did not help much to track down this issue. I tried deploying the same war file in the docker, and it worked perfectly there.
Note: When I restart the minikube, I can see that tomcat tried to deploy the war and also tried to start the server as well. But when I restart the tomcat by navigating to the /tomcat/bin folder and running catalina.sh start, the tomcat server just deploys the war file and does not start up the server.
Here is what the catalina.out looks like
Jan 30, 2018 4:06:09 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jan 30, 2018 4:06:09 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jan 30, 2018 4:06:09 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 854 ms
Jan 30, 2018 4:06:09 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jan 30, 2018 4:06:09 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.82
Jan 30, 2018 4:06:09 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /usr/local/tomcat/webapps/app.war
I appreciate any help on this.

This issue was happening because of a lack of memory for the Node. In my case it is Minikube which is acting as a Node. After I allotted more memory to minikube, I am able to deploy and start my application from the tomcat docker container.

Unable to connect to the Administration Server weblogic 12.2.1

I have a WebLogic domain with an Admin server and one Managed Server. I installed the certificate for the SSL connection between Admin and Managed, but when I restart the Managed server I get this error:
<May 2, 2016 6:39:24 PM CEST> <Info> <Management> <BEA-141307> <Unable to connect to the Administration Server. Waiting 5 second(s) to retry (attempt number 3 of 3).>
<May 2, 2016 6:39:29 PM CEST> <Info> <Management> <BEA-141298> <Could not register with the Administration Server: java.rmi.RemoteException: [Deployer:149150]An IOException occurred while reading the input.; nested exception is:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem>
I changed this option:
admin console Servers -> server name -> Configuration SSL tab -> Advanced -> Change Hostname Verification dropdown to None
Version 12.2.1
Do you have any solutions?
Thanks
Fabrizio

There's probably some problem with the SSL certificate. I would recommend double-checking that and also rerunning with -Dssl.debug added to the Weblogic command line to get more information. Then check both the admin and managed server log files, as they might have enough information to answer. If not, please add more information here.

ERROR: Initialization failure: Cannot create configuration

I'm trying to get CloudBees working. Here's the error I get when I'm running:
C:\cloudbees-sdk-1.5.0>bees init --proxyHost=localhost --proxyPort=8008 (or 8080)
You have not created a CloudBees configuration profile, let's create one now...
Enter your default CloudBees API end point [us | eu]: eu
Enter your CloudBees account email address: abs#abs.com
Enter your CloudBees account password:
Jul 18, 2013 1:32:09 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
Jul 18, 2013 1:32:09 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: Retrying request
Jul 18, 2013 1:32:10 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
Jul 18, 2013 1:32:10 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: Retrying request
Jul 18, 2013 1:32:11 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: I/O exception (java.net.ConnectException) caught when processing request: Connection refused: connect
Jul 18, 2013 1:32:11 PM org.apache.commons.httpclient.HttpMethodDirector executeWithRetry
INFO: Retrying request
ERROR: Initialization failure: Cannot create configuration
Can anyone read out what's causing this error?

It looks like the SDK can't establish Internet connections to the CloudBees website. If you are running behind a proxy, you will need to use proxy flags to connect.
bees init --proxyHost=YOUR_PROXY_HOST --proxyPort=YOUR_PROXY_PORT
This is covered in the CloudBees SDK docs: Running behind a proxy

It helps to set the system time exactly to six hours ago (US-time).
Also, the CloudBees documentation says that you should create on your file system (under Windows 7) a c:\Users\Your_User.bees\bees.config file, which contains the following line (if you want to call the CloudBees eu server):
bees.api.url=https\://api-eu.cloudbees.com/api>
but actually it didn't help in my case (maybe outdated version)

jdbc connection on tomcat server

I will try to formulate as best as I can.
First, the web application (Spring MVC with Spring Jdbc) worked well until I started messing around with versions of STS (Spring Tool Suite based on Eclipse) and JDK+JRE7 to get features of Java 7.
Second, the current problem is that Apache Tomcat 6 or 7 (I have both, which I reinstalled for a reason I don't remember) seems to be affecting the connection to the database. Saying it directly: it fails to get a jdbc connection
org.springframework.jdbc.CannotGetJdbcConnectionException: Could not get JDBC Connection; nested exception is java.sql.SQLException: No suitable driver found for jdbc:postgresql:postgres
and it happens whenever I try to do any operation on database from my web application.
The line jdbc:postgresql:postgres is OK, just in case, because it worked before and it effectively says to connect to the local database with the name postgres (and also because of the point below).
Another important point to mention is that under vFabric tc Server everything works flawlessly without any problems whatsoever.
Third, the database is PostgreSql along with Apache DBCP pooling.
Fourth, the maven jdbc driver dependencies seem to work well, as again if they didn't, vFabric tc Server would also fail the same as Apache Tomcat, which leads me to the idea that Apache Tomcat itself is the culprit.
Some of the information produced during server start-up:
Dec 14, 2011 4:54:32 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\ProgramFiles\Java\jdk1.7.0_02\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files (x86)\MiKTeX 2.9\miktex\bin;C:\Program Files\Apache Software Foundation\apache-maven-3.0.3\bin;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files\WIDCOMM\Bluetooth Software\;C:\Program Files\WIDCOMM\Bluetooth Software\syswow64;C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\;C:\Program Files (x86)\QuickTime\QTSystem\;.
Dec 14, 2011 4:54:32 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Dec 14, 2011 4:54:32 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Dec 14, 2011 4:54:32 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 849 ms
Dec 14, 2011 4:54:32 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Dec 14, 2011 4:54:32 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.23
Dec 14, 2011 4:54:33 PM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor C:\Users\User\Documents\workspace-sts\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\conf\Catalina\localhost\project.xml
Dec 14, 2011 4:54:33 PM org.apache.catalina.startup.SetContextPropertiesRule begin
WARNING: [SetContextPropertiesRule]{Context} Setting property 'source' to 'org.eclipse.jst.jee.server:project' did not find a matching property.
Dec 14, 2011 4:54:34 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
Dec 14, 2011 4:54:37 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 14, 2011 4:54:37 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Dec 14, 2011 4:54:37 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 4664 ms
I am really desperate please help.
UPDATE:
Still sitting in front looking at sad screen, so I decided to include all the .xml configuration.
<bean id="dataSource" class="org.apache.commons.dbcp.PoolingDataSource">
<constructor-arg ref="connectionPool"/>
</bean>
<bean id ="connectionPool" class="org.apache.commons.pool.impl.GenericObjectPool">
<constructor-arg><null/></constructor-arg>
</bean>
<bean id="poolableConnectionFactory" class="org.apache.commons.dbcp.PoolableConnectionFactory" >
<constructor-arg ref="connectionFactory"/>
<constructor-arg ref="connectionPool"/>
<constructor-arg><null/></constructor-arg>
<constructor-arg><null/></constructor-arg>
<constructor-arg value="false"/>
<constructor-arg value="true"/>
</bean>
<bean id="connectionFactory" class="org.apache.commons.dbcp.DriverManagerConnectionFactory">
<constructor-arg value="jdbc:postgresql:postgres"/>
<constructor-arg value="postgres"/>
<constructor-arg value="myCorrectPassword"/>
</bean>

In general, I'd say that DB drivers should probably go into the common lib folder on Tomcat.
Usually those drivers are used for several applications.
Additionally, if you set your pool in the context.xml, this is required.

Apache load balancing not working properly | mod_jk

I have two jboss application servers (on different machines and IP addresses) and I have set up apache as the web server for these application servers using mod_jk configuration. The Apache web server is also set up to load balance between these two application servers.
Following is the content of my workers.properties file:
worker.list=portalworker1,portalworker2,portalbalancer
worker.portalbalancer.type=lb
worker.portalbalancer.balance_workers=portalworker1,portalworker2
worker.portalbalancer.sticky_session=True
# Application server 1 Portal application
worker.portalworker1.type=ajp13
worker.portalworker1.host=10.178.197.91
worker.portalworker1.port=8009
worker.portalworker1.lbfactor=1
# Application server 2 Portal application
worker.portalworker2.type=ajp13
worker.portalworker2.host=10.178.197.90
worker.portalworker2.port=8009
worker.portalworker2.lbfactor=1
The problem is that currently a request is being sent to any of the application servers (for example, one request to application server 1 and the second request to application server 2), which obviously won't work.
I have also checked mod_jk log in debug mode:
For 1st request
[Tue Dec 13 16:46:12.222 2011] [16097:47166030803776] [debug] get_most_suitable_worker::jk_lb_worker.c (946): searching worker for partial sessionid UH76jWj-q2yX39prlS-nBA**
[Tue Dec 13 16:46:12.222 2011] [16097:47166030803776] [debug] get_most_suitable_worker::jk_lb_worker.c (1001): found best worker portalworker2 (portalworker2) using method 'Request'
For 2nd request:
[Tue Dec 13 16:46:12.434 2011] [16100:47166030803776] [debug] get_most_suitable_worker::jk_lb_worker.c (946): searching worker for partial sessionid UH76jWj-q2yX39prlS-nBA**
[Tue Dec 13 16:46:12.434 2011] [16100:47166030803776] [debug] get_most_suitable_worker::jk_lb_worker.c (1001): found best worker portalworker1 (portalworker1) using method 'Request'
This also ensures that the session IDs for the 2 requests are the same, yet different workers are found.
Any idea what I am doing wrong?

The problem was that I had not added jvmRoute in my server.xml for my different application servers to differentiate these servers, and also useJK was not set to true in the jboss-service.xml file.
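
Why the missing jvmRoute produced the log lines above, as an added example (a simplified model written for this page, not mod_jk's own code). It assumes the documented mod_jk behaviour that the route is the part of the session ID after the first '.', and that a worker's route defaults to its worker name; the fallback balancing is reduced to round robin, and the routed session ID is constructed.

```python
# Constructed input: the balancer-relevant lines of the workers.properties in the question.
WORKERS = """
worker.list=portalworker1,portalworker2,portalbalancer
worker.portalbalancer.type=lb
worker.portalbalancer.balance_workers=portalworker1,portalworker2
worker.portalbalancer.sticky_session=True
worker.portalworker1.type=ajp13
worker.portalworker1.host=10.178.197.91
worker.portalworker2.type=ajp13
worker.portalworker2.host=10.178.197.90
"""


def parse_workers(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def session_route(session_id):
    """Return the text after the first '.', or None if the ID carries no route."""
    _, dot, route = session_id.partition(".")
    return route if dot and route else None


class Balancer:
    def __init__(self, props, name):
        members = [m.strip() for m in props[f"worker.{name}.balance_workers"].split(",")]
        # A member's route defaults to its worker name unless worker.<name>.route is set.
        self.by_route = {props.get(f"worker.{m}.route", m): m for m in members}
        self.members = members
        self.sticky = props.get(f"worker.{name}.sticky_session", "true").lower() in ("true", "1")
        self.turn = 0

    def pick(self, session_id):
        """Return (worker, reason) for one request carrying this session ID."""
        route = session_route(session_id) if self.sticky else None
        if route in self.by_route:
            return self.by_route[route], "sticky"
        # No usable route in the session ID: stickiness cannot apply, so balance.
        worker = self.members[self.turn % len(self.members)]
        self.turn += 1
        return worker, "balanced"


if __name__ == "__main__":
    lb = Balancer(parse_workers(WORKERS), "portalbalancer")
    plain = "UH76jWj-q2yX39prlS-nBA**"      # session ID from the mod_jk log, no route suffix
    routed = plain + ".portalworker2"       # constructed: same ID once jvmRoute is set
    for sid in (plain, plain, routed, routed):
        print(sid, "->", lb.pick(sid))
```

With jvmRoute set to the worker name on each JBoss node, the container appends that suffix to the session ID and every request in the session resolves to the same worker.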