We Keep Coding

Jboss EAP 7.2 - How to use the SSL keystore and password in Java application since there is no system variables supported for these two variables?

We are migrating Jboss EAP 6.4 to Jboss EAP 7.2. Jboss 6.4 has system variables supported for keystore and password. Question here is how to use the SSL keystore/password from Jboss EAP 7.2 configuration file (standalone.xml) in Java application since there is no system variables supported for these two variables? Instead of these two variables, Jboss 7.2 uses Elytron framework for TLS.
I'm getting below error since I'm not able to pass these two system variables.
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
Any help/pointers will be greatly appreciated. Thanks.
Jboss 7.2 Standalone.xml file:
<tls>
<key-stores>
<key-store name="default-trust-store">
<credential-reference store="keystore" alias="truststore_pw"/>
<implementation type="JKS"/>
<file path="../certs/truststore.jks"/>
</key-store>
<key-store name="httpsKS" alias-filter="">
<credential-reference store="keystore" alias="keystore_pw"/>
<implementation type="JKS"/>
<file path="/.../keystore.jks"/>
</key-store>
</key-stores>
<trust-managers>
<trust-manager name="default-trust-manager" key-store="default-trust-store"/>
</trust-managers>
<server-ssl-contexts>
<server-ssl-context name="httpsSSC" cipher-suite-filter="[ciphers here]" protocols="TLSv1.2" key-manager="httpsKM"/>
</server-ssl-contexts>
</tls>

How to rewrite a RewriteValve for Undertow / JBoss 7.2 EAP?

I'm migrating from JBoss 6.4.3 to JBoss 7.2 and saw a Valves are no longer supported warning during deployment. This came from a jboss-web.xml file with:
<valve>
<class-name>org.jboss.web.rewrite.RewriteValve</class-name>
</valve>
...and a corresponding rewrite.properties file:
RewriteCond %{HTTP:X-Forwarded-Proto} http
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
Could anyone advise how to rewrite this (no pun intended) for Undertow?

You can create a rewrite filter in the Undertow subsystem, and then reference it in the server host within the configuration file (standalone.xml or domain.xml - depending on the mode in which you start the application server).
I can think of two options, which might help you:
Using the JBoss Application Server Client (should be placed in path/to/jboss-7.2/bin/)
Creating the rewrite filter with the custom name redirect-http-to-https:
./jboss-cli.sh --connect --command="/subsystem=undertow/configuration=filter/rewrite=redirect-http-to-https:add(redirect=\"true\",target=\"https://%{LOCAL_SERVER_NAME}%{REQUEST_URL}\")"
Using/referencing the filter redirect-http-to-https:
./jboss-cli.sh --connect --command="/subsystem=undertow/server=default-server/host=default-host/filter-ref=redirect-http-to-https:add(predicate=\"equals(%p,80)\")"
Manually editing the respective config file (e.g. standalone.xml)
<subsystem xmlns="urn:jboss:domain:undertow:11.0" default-server="default-server" [...]>
<buffer-cache name="default"/>
<server name="default-server">
[...]
<host name="default-host" alias="localhost">
<filter-ref name="redirect-http-to-https" predicate="equals(%p,80)"/>
</host>
</server>
[...]
<filters>
<rewrite name="redirect-http-to-https" target="https://%{LOCAL_SERVER_NAME}%{REQUEST_URL}" redirect="true"/>
</filters>
</subsystem>
Note: For the Undertow exchange attributes (e.g. LOCAL_SERVER_NAME) refer to Undertow documentation. Further, the part predicate=\"equals(%p,80)\" in the filter-refchecks the requested port (%p -> just another Undertow exchange attribute) and if it equals to 80, then it triggers our redirect filter redirect-http-to-https - you can change the port 80 as per your need.

tomcat starts but its not listening on any port

I have a tomcat service configured to run on port 8380. This site was running fine until recently. I started to see this in the mod_jk.log on apache:
[3409:140197396281344] [info] jk_open_socket::jk_connect.c (627): connect to 127.0.0.1:8309 failed (errno=111)
[3409:140197396281344] [info] ajp_connect_to_endpoint::jk_ajp_common.c (995): Failed opening socket to (127.0.0.1:8309) (errno=111)
[3409:140197396281344] [error] ajp_send_request::jk_ajp_common.c (1630): (worker1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
[3409:140197396281344] [info] ajp_service::jk_ajp_common.c (2623): (worker1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
[3409:140197396281344] [info] jk_open_socket::jk_connect.c (627): connect to 127.0.0.1:8309 failed (errno=111)
[3409:140197396281344] [info] ajp_connect_to_endpoint::jk_ajp_common.c (995): Failed opening socket to (127.0.0.1:8309) (errno=111)
[3409:140197396281344] [error] ajp_send_request::jk_ajp_common.c (1630): (worker1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
[3409:140197396281344] [info] ajp_service::jk_ajp_common.c (2623): (worker1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[3409:140197396281344] [error] ajp_service::jk_ajp_common.c (2643): (worker1) connecting to tomcat failed.
[3409:140197396281344] [info] jk_handler::mod_jk.c (2788): Service error=-3 for worker=worker1
I'm able to start up the tomcat service but the port it's supposed to be listening on is not accepting connections. nmap and netstat don't show the ports as available. I've also tried telnetting to to the port just in case but as i expected there's no response. I've stopped the firewall in case it's a iptables rule issue but that too had no effect. I've googled similar issues resolved by what i tried above but none of them apply to my issues. I'm not sure what else to try at this point and so I'm turning to you all!
For this particular host the CATALINA_BASE is from a mounted nfs export. I have 2 tomcat sites hosted on this server. For the sake of testing I've disabled one from starting up since they both have same issue. i figured if i can get 1 running the other will be work as well.
server.xml:
<Server port="8105" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8380" protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
redirectPort="8443" />
<Connector port="8309" protocol="AJP/1.3" redirectPort="8443" />
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
</Host>
<Host name="mytomcat.site.org" appBase="webapps"
unpackWARs="true" autoDeploy="true">
</Host>
</Engine>
</Service>
</Server>
My worker.properties in apache. I have 2 workers 1 for each tomcat site.
workers.tomcat_home=/opt/tomcat
workers.java_home=/usr/local/jdk/jre
ps=/
# Define workers
worker.list=worker1
worker.list=worker2
# Set properties for worker1 - localhost
worker.worker1.type=ajp13
worker.worker1.host=127.0.0.1
worker.worker1.port=8309
worker.worker1.socket_keepalive=True
worker.worker1.socket_timeout=300
# Set properties for worker2 - localhost
worker.worker2.type=ajp13
worker.worker2.host=127.0.0.1
worker.worker2.port=8409
worker.worker2.socket_keepalive=True
worker.worker2.socket_timeout=300
Apache starts up ok and is serving static pages ok. tomcat starts ok but like i said it's not listening on any port.
Any help would be appreciated. TIA!
MORE INFO:
I ran the init script with -debug in the JAVA_OPTS var. and I see the following towards the bottom of the output that scrolls out to stdout:
...
user changed to 'daemon'
User 'daemon' validated
Attempting to locate Java Home in /usr/local/jdk
Attempting to locate VM configuration file /usr/local/jdk/jre/lib/jvm.cfg
Attempting to locate VM configuration file /usr/local/jdk/lib/jvm.cfg
Attempting to locate VM configuration file /usr/local/jdk/jre/lib/amd64/jvm.cfg
Found VM configuration file at /usr/local/jdk/jre/lib/amd64/jvm.cfg
Found VM server definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/server/libjvm.so
Found VM client definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/client/libjvm.so
Checking library /usr/local/jdk/lib/amd64/client/libjvm.so
Cannot locate library for VM client (skipping)
Found VM hotspot definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/hotspot/libjvm.so
Checking library /usr/local/jdk/lib/amd64/hotspot/libjvm.so
Cannot locate library for VM hotspot (skipping)
Found VM classic definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/classic/libjvm.so
Checking library /usr/local/jdk/lib/amd64/classic/libjvm.so
Cannot locate library for VM classic (skipping)
Found VM native definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/native/libjvm.so
Checking library /usr/localjdk/lib/amd64/native/libjvm.so
Cannot locate library for VM native (skipping)
Found VM green definition in configuration
Checking library /usr/local/jdk/jre/lib/amd64/green/libjvm.so
Checking library /usr/local/jdk/lib/amd64/green/libjvm.so
Cannot locate library for VM green (skipping)
Java Home located in /usr/local/jdk
+-- DUMPING JAVA HOME STRUCTURE ------------------------
| Java Home: "/usr/local/jdk"
| Java VM Config.: "/usr/local/jdk/jre/lib/amd64/jvm.cfg"
| Found JVMs: 1
| JVM Name: "server"
| "/usr/local/jdk/jre/lib/amd64/server/libjvm.so"
+-------------------------------------------------------
Running w/ LD_LIBRARY_PATH=/usr/local/jdk/jre/lib/amd64/server:/usr/local/jdk/jre/lib/amd64
wait_child 12035
redirecting stdout to /opt/www/mytomcat/logs/catalina-daemon.out and stderr to &1
Then it goes back to the shell prompt. If it completed successfully it would have additional lines scrolling out:
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
get_pidf: 5 in /opt/www/mytomcat/logs/catalina-daemon.pid
get_pidf: pid 97253
check_tmp_file: /tmp/97253.jsvc_up
I also noticed both tomcat process are running as root when i expect the child process to be running as daemon. Not sure why this is happening but it may be related to the issue.

Based on the debug output I started to try a bunch of different things specifically around catalina-daemon.out and catalina-daemon.pid files. As it turns out because these files are on the nfs location it causes the odd issue of the service starting but not listening. Once I moved these to the local filesystem the service started up AND it was listening on the correct port again. I also noticed the child tomcat process switched to the unprivileged user daemon. The page is reachable again.
Not entirely sure why it was working before but all of a sudden its not when i made no changes to the server. Something must have changed in the nfs export from the zfs machine that was serving up the CATALINA_BASE. Somehow this may have exposed a bug that causes this issue on the tomcat server.

Tomcat 8 cannot deploy via Ant script

Tomcat Version: 8.0.43
OS: Windows 10
My Deploy URL: http://localhost:8080/manager/text
My user accounts appear to be setup properly as I can access the web UI just fine.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<user username="user" password="pass" roles="manager-gui,manager-script"/>
</tomcat-users>
When I try to manually access that deploy URL in a browser I have no problems and I see this in my logs
user [08/Oct/2018:12:51:15 -0700] "GET /manager/text/deploy?path=/apc HTTP/1.1" 200 69
When I try to deploy via Ant I get the following error and log entry with a 401 unauthorized HTTP code
<target name="deploy" description="Install web application" depends="dist">
<deploy url="http://localhost:8080/manager/text" username="user" password="pass"
path="/apc" war="dist/apc.war"/>
</target>
java.io.IOException: Error writing request body to server
at sun.net.www.protocol.http.HttpURLConnection$StreamingOutputStream.checkError(HttpURLConnection.java:3536)
at sun.net.www.protocol.http.HttpURLConnection$StreamingOutputStream.write(HttpURLConnection.java:3519)
at java.io.BufferedOutputStream.write(BufferedOutputStream.java:122)
at org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:238)
at org.apache.catalina.ant.DeployTask.execute(DeployTask.java:194)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:292)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:99)
at org.apache.tools.ant.Task.perform(Task.java:350)
at org.apache.tools.ant.Target.execute(Target.java:449)
at org.apache.tools.ant.Target.performTasks(Target.java:470)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1388)
at org.apache.tools.ant.Project.executeTarget(Project.java:1361)
at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:41)
at org.apache.tools.ant.Project.executeTargets(Project.java:1251)
at org.apache.tools.ant.Main.runBuild(Main.java:834)
at org.apache.tools.ant.Main.startAnt(Main.java:223)
at org.apache.tools.ant.launch.Launcher.run(Launcher.java:284)
at org.apache.tools.ant.launch.Launcher.main(Launcher.java:101)
Suppressed: java.io.IOException: insufficient data written
at sun.net.www.protocol.http.HttpURLConnection$StreamingOutputStream.close(HttpURLConnection.java:3558)
at java.io.FilterOutputStream.close(FilterOutputStream.java:159)
at org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:241)
... 17 more
- [08/Oct/2018:12:52:14 -0700] "PUT /manager/text/deploy?path=%2Fapc HTTP/1.1" 401 2473
The strange part is that my Undeploy Ant command works just fine using the same username and password. So If I manually deploy my WAR I can successfully undeploy using this command
<target name="undeploy" description="Remove web application">
<undeploy url="http://localhost:8080/manager/text" username="user" password="pass"
path="/apc"/>
</target>
user [08/Oct/2018:12:47:34 -0700] "GET /manager/text/undeploy?path=%2Fapc HTTP/1.1" 200 61
So it seems that my username and password are correct, but for whatever reason the deploy doesn't recognize it as valid
One thing to note is that the log entries for my successful manual access and undeploy attempts show the user in front of the entry. The unsuccessful log entry for the deploy shows a - instead. Not sure what that means but might be important.
UPDATE:
It appears it might have something to do with the tomcat 8 lib files. Currently I use catalina-ant, tomcat-coyote, tomcat-util JAR's in my classpath to run my ant script. If i use the lib's provided in Tomcat 8 I have those errors above. If I instead use the libs from an old Tomcat 7 installation I have then it works fine.

Authentication support is known to be broken in all version of Tomcat 8.0 later than 2017-05-30 (8.0.45 and later) -- see issue #62809.
The issue #62809 has been fixed in Tomcat 9.0.13, 8.5.35, 7.0.92. It has not been fixed in Tomcat 8.0, as Tomcat 8.0 has already reached End of Life.
For reference: r1796838, r1843992.
at java.io.BufferedOutputStream.write(BufferedOutputStream.java:122)
at org.apache.catalina.ant.AbstractCatalinaTask.execute(AbstractCatalinaTask.java:238)
The line numbers above are not from Tomcat 8.0.43 as you are claiming, but from 8.0.45 or later.
In 8.0.43 the "ostream.write(..)" call is on line 242 of AbstractCatalinaTask. In 8.0.45+ it is on line 238.

java web application deployed to google app engine using maven,deployment successful,but for all back end services getting 404 error

am trying to deploy my java/spring based web application to google app engine using maven following below steps
1) In pom.xml added appengine-maven-plugin
<plugin>
<groupId>com.google.appengine</groupId>
<artifactId>appengine-maven-plugin</artifactId>
<version>1.9.42</version>
<configuration>
<version>1</version>
<oauth2>false</oauth2>
</configuration>
</plugin>
2) added appengine-web.xml
<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
<application>XXX-XXX-14807</application>
<version>1</version>
<threadsafe>true</threadsafe>
<env-variables>
<env-var name="env" value="prod" />
</env-variables>
</appengine-web-app>
3) deployed application using mvn appengine:update command
the application deployed successfully,welcome page getting displayed,but
services failing throwing errors like
"The requested URL XXX-XXX-14807.appspot.com/serach.do was not found on the server"(working in my local tomcat).
PS: not used google app engine eclipse plugin for deployment, trying to deploy java project from maven followed https://cloud.google.com/appengine/docs/java/tools/uploadinganapp.
do we need any other configuration?