Tomcat 8.5.51 fails

Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
Hi,

I have installed Tomcat 8.5.51 today and found something wrong.

I have been using tomcat for the last 5 years and never met this
kind of problem.

It would be appreciated if I could be advised.

Thank you.

System:
CentOS 7.7.1908
httpd 2.4.41 (community version)
   httpd.conf:
     (LoadModule proxy_ajp_module lib64/httpd/modules/mod_proxy_ajp.so)
   httpd-proxy.conf:
     <Location /manager/>
           ProxyPass ajp://localhost:8009/manager/
     </Location>
tomcat 8.5.*

error log-----------
13-Feb-2020 17:13:12.523 重大 [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
         org.apache.catalina.LifecycleException: プロトコルハンドラの起動に失敗しました ( 'fail to start protocolhandler' in English )
                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                 at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                 at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
                 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                 at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
                 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                 at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                 at java.base/java.lang.reflect.Method.invoke(Method.java:567)
                 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
                 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
         Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                 at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
                 ... 12 more

Yours truly,
Kazuhiko Kohmoto



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Tomcat 8.5.51 fails

remm
On Thu, Feb 13, 2020 at 10:13 AM kohmoto <[hidden email]> wrote:

> Hi,
>
> I have install Tomcat 8.5.51 today and found something wrong.
>
> I have been using tomcat for last 5 years and never met this
> kind of problem.
>
> It would be appreciated if I could be advised.
>

Ok, so ...


>          Caused by: java.lang.IllegalArgumentException: The
> AJP Connector is configured with secretRequired="true" but
> the secret attribute is either null or "". This combination
> is not valid.
>
The error message gives the explanation. The AJP defaults changed so you
need to adjust your server.xml to that.

Rémy
Re: Tomcat 8.5.51 fails

André Warnier (tomcat/perl)
In reply to this post by kohmoto@iris.eonet.ne.jp
On 13.02.2020 10:13, kohmoto wrote:

> Hi,
>
> I have install Tomcat 8.5.51 today and found something wrong.
>
> I have been using tomcat for last 5 years and never met this kind of problem.
>
> It would be appreciated if I could be advised.
>
> Thank you.
>
> System:
> CentOS 7.7.1908
> httpd 2.4.41 (community version)
>    httpd.conf:
>      (LoadModule proxy_ajp_module lib64/httpd/modules/mod_proxy_ajp.so)
>    httpd-proxy.conf:
>      <Location /manager/>
>            ProxyPass ajp://localhost:8009/manager/
>      </Location>
> tomcat 8.5.*
>
> error log-----------
> 13-Feb-2020 17:13:12.523 重大 [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
>          org.apache.catalina.LifecycleException: プロトコルハンドラの起動に失敗しました ( 'fail to start protocolhandler' in English )
>                  at org.apache.catalina.connector.Connector.startInternal(Connector.java:1057)
>                  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                  at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
>                  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                  at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
>                  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
>                  at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
>                  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>                  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                  at java.base/java.lang.reflect.Method.invoke(Method.java:567)
>                  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
>                  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>          Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
>                  at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
>                  at org.apache.catalina.connector.Connector.startInternal(Connector.java:1055)
>                  ... 12 more
>

Hi.
The log message above :

         Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured
with secretRequired="true" but the secret attribute is either null or "". This combination
is not valid.

seems pretty clear.

Check in the file (tomcat_dir)/conf/server.xml, the Connector :

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

and the associated on-line documentation :

http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html

search for "secretRequired".



Re: Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

The setting is the same as mine.

I have used the server.xml used in 8.5.50. In the case of 8.5.50, I have no
problem.

Please notice, I have been using Tomcat for 5 years with updates.
Why this time?

Thank you.


Yours truly,
Kazuhiko Kohmoto


Re: Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
In reply to this post by remm
On 2020/02/13 18:22, Rémy Maucherat wrote:
> need to adjust your server.xml to that

I think this time the problem seems not to be due to server.xml.
The server.xml works well with 8.5.50.

Thank you.

Yours truly,
Kazuhiko Kohmoto


Re: Tomcat 8.5.51 fails

Olaf Kock
In reply to this post by kohmoto@iris.eonet.ne.jp

On 13.02.20 10:36, [hidden email] wrote:

> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> The setting is the same as mine.
>
> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no
> problem.
>
> Please notice, I have been using Tomcat for 5 years with updates.
> Why this time?


Because this time, security relevant defaults changed: See these recent
commits on the git mirror:

https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262

https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262





Re: Tomcat 8.5.51 fails

Olaf Kock

On 13.02.20 11:17, Olaf Kock wrote:

> On 13.02.20 10:36, [hidden email] wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>
>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>> The setting is the same as mine.
>>
>> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no
>> problem.
>>
>> Please notice, I have been using Tomcat for 5 years with updates.
>> Why this time?
>
> Because this time, security relevant defaults changed: See these recent
> commits on the git mirror:
>
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262

Or, even better digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

> - AJP defaults changed to listen the loopback address, require a
> secret and to be disabled in the sample server.xml

And the changelog on
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51
contains this information on AJP:

  * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
    default. (markt)
  * Update: Change the default bind address for the AJP/1.3 connector to
    be the loopback address. (markt)
  * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector
    to |secret| and add a new attribute |secretRequired| that defaults
    to |true|. When |secretRequired| is |true| the AJP/1.3 Connector
    will not start unless the |secret| attribute is configured to a
    non-null, non-zero length String. (markt)
  * Add: Add a new attribute, |allowedRequestAttributesPattern| to the
    AJP/1.3 Connector. Requests with unrecognised attributes will be
    blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
available" thread on this changed default that might give you some
background.

I hope, this helps,

Olaf


Re: Tomcat 8.5.51 fails

André Warnier (tomcat/perl)
In reply to this post by kohmoto@iris.eonet.ne.jp
On 13.02.2020 10:36, [hidden email] wrote:

> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> The setting is the same as mine.
>
> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no problem.
>
> Please notice, I have been using Tomcat for 5 years with updates.
> Why this time?
>

Yes, you are right, and I am sorry for my previous short answer.
(I thought that you were a "newbie" installing tomcat 8.5 for the first time, and that
you had just not configured the Connector correctly.)

But Remy's answer, and the other thread "Re: [ANN] Apache Tomcat 9.0.31 available" seems
to indicate that this was due to a *change* in behaviour between 8.5.50 and 8.5.51.

In any case, it seems that for now, you will have to modify the AJP Connector
configuration in server.xml, to make it work with 8.5.51 and above, and add an explicit

secretRequired="false"

attribute.  And maybe also an explicit listening address..

It looks like these changes are documented here :
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html
--> Coyote


Update:  Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt)
Update:  Change the default bind address for the AJP/1.3 connector to be the loopback
address. (markt)
Add:  Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new
attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3
Connector will not start unless the secret attribute is configured to a non-null, non-zero
length String. (markt)

I think that the first change above is ok, because it only affects the distribution of
newly-downloaded server.xml files.

But the other two also impact existing installations just being updated, and in a way that
is not very clearly indicated in the on-line documentation. That looks a bit more iffy..
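
The changelog rules discussed above, as a pre-upgrade check over server.xml. This is an added example, not part of the original thread and not Tomcat code; the function name `audit_ajp`, the sample documents and the placeholder secret are constructed, and it assumes the old `requiredSecret` name is still read as an alias for `secret`.

```python
import xml.etree.ElementTree as ET

# Addresses treated as loopback by this check (assumption: literal forms only).
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

def audit_ajp(server_xml):
    """Return (port, level, message) findings for every AJP connector,
    judged by the 8.5.51 changelog rules quoted in the thread."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue  # HTTP connectors are out of scope
        port = conn.get("port", "?")
        # Changelog: secretRequired defaults to true when absent.
        required = conn.get("secretRequired", "true").strip().lower() == "true"
        # Assumption: the old requiredSecret name is still read as an alias.
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        if conn.get("requiredSecret") is not None:
            findings.append((port, "WARN", "requiredSecret was renamed to secret"))
        if required and not secret:
            findings.append((port, "FAIL", "secretRequired is true but secret is "
                             "empty: connector will not start"))
        elif not secret:
            findings.append((port, "WARN", "secretRequired=false and no secret: "
                             "any host that can reach the port is trusted"))
        address = conn.get("address")  # absent means loopback since 8.5.51
        if address is not None and address not in LOOPBACK:
            findings.append((port, "WARN", "listens on %s, not loopback" % address))
    return findings

def wrap(connector):
    # Minimal constructed server.xml skeleton around one connector.
    return '<Server><Service name="Catalina">%s</Service></Server>' % connector

# Constructed samples. UPGRADED is the connector line quoted in the thread.
UPGRADED = wrap('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />')
WORKAROUND = wrap('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
                  'secretRequired="false" />')
HARDENED = wrap('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" '
                'address="127.0.0.1" secret="PLACEHOLDER-CHANGE-ME" />')

if __name__ == "__main__":
    for name, xml in (("upgraded", UPGRADED), ("workaround", WORKAROUND),
                      ("hardened", HARDENED)):
        print(name, audit_ajp(xml) or "ok")
```

Once a secret is set on the Tomcat side, the httpd ProxyPass line must send the same value through mod_proxy_ajp's `secret=` parameter, which the httpd documentation lists as available from 2.4.42.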



Re: Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
Dear André Warnier,

Thank you for following up. I now understand what
change I should make to server.xml.

Thank you for your kind response and Tomcat Users List's
conversation.

Yours truly,
Kazuhiko Kohmoto

PS.
Sorry for not responding to you quickly; it was night
in Japan.
Thank you.



On 2020/02/13 20:21, André Warnier (tomcat/perl) wrote:
> In any case, it seems that for now, you will have to
> modify the AJP Connector configuration in server.xml, to
> make it work with 8.5.51 and above, and add an explicit



Re: Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
In reply to this post by Olaf Kock
Thank you for your kind response to my mail.
I read the changelog. I might understand the contents.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:26, Olaf Kock wrote:

> On 13.02.20 11:17, Olaf Kock wrote:
>> On 13.02.20 10:36, [hidden email] wrote:
>>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>>
>>>>      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>> The setting is the same as mine.
>>>
>>> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no
>>> problem.
>>>
>>> Please notice, I have been using Tomcat for 5 years with updates.
>>> Why this time?
>> Because this time, security relevant defaults changed: See these recent
>> commits on the git mirror:
>>
>> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>>
>> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262
> Or, even better digestible (I hit 'send' too early):
>
> Mark's announcement of the availability contained:
>
>> - AJP defaults changed to listen the loopback address, require a
>> secret and to be disabled in the sample server.xml
>
> And the changelog on
> http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51
> contains this information on AJP:
>
>    * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
>      default. (markt)
>    * Update: Change the default bind address for the AJP/1.3 connector to
>      be the loopback address. (markt)
>    * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector
>      to |secret| and add a new attribute |secretRequired| that defaults
>      to |true|. When |secretRequired| is |true| the AJP/1.3 Connector
>      will not start unless the |secret| attribute is configured to a
>      non-null, non-zero length String. (markt)
>    * Add: Add a new attribute, |allowedRequestAttributesPattern| to the
>      AJP/1.3 Connector. Requests with unrecognised attributes will be
>      blocked with a 403. (markt)
>
> There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
> available" thread on this changed default that might give you some
> background.
>
> I hope, this helps,
>
> Olaf
>
>



Re: Tomcat 8.5.51 fails

kohmoto@iris.eonet.ne.jp
In reply to this post by Olaf Kock
Thank you for your links.
Now I fully understand what change I should make to
server.xml.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:17, Olaf Kock wrote:

> On 13.02.20 10:36, [hidden email] wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>
>>>      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>> The setting is the same as mine.
>>
>> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no
>> problem.
>>
>> Please notice, I have been using Tomcat for 5 years with updates.
>> Why this time?
>
> Because this time, security relevant defaults changed: See these recent
> commits on the git mirror:
>
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
>
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262