tomcat-users mailing list archives

From János Löbb <janos.l...@yale.edu>
Subject CSRF_NONCE
Date Mon, 21 Mar 2011 19:05:04 GMT
Hi,

On two OSX 10.6.6 machines I am trying to set up a 4-member Tomcat cluster.  On MachineA tomcat3 and
tomcat4, on MachineB tomcat1 and tomcat2.

I use MachineA as a reverse proxy.

Apache2 is 2.2.17, mod_jk is 1.2.31 and tomcat is 7.0.10

When I try to get to the manager application on one or the other balance members
http://bml0066.yalepath.org:8180/manager/html
http://bml0065.yalepath.org:8380/manager/html

I get a 500 error

<nyissz>
HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling
this request.

exception

java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE
	org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1440)
	org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:626)
	org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:610)
	org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:154)
	org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173)


note The full stack trace of the root cause is available in the Apache Tomcat/7.0.10 logs.

<nyassz>

Looking at the Apache error_log on one of the machines I see this:
[Mon Mar 21 14:34:43 2011] [error] [client 10.84.2.41] File does not exist: /usr/local/httpd-2.2.17/htdocs/manager

So it looks like mod_jk did not do its job.  However, the mod_jk.log file says:
[Mon Mar 21 14:13:08.016 2011] [290:140735090613408] [info] init_jk::mod_jk.c (3198): mod_jk/1.2.31
(1026297) initialized


Looking into Tomcat's log - catalina.out I see this:

<nyissz>
INFO: HTMLManager: init: Associated with Deployer 'Catalina:type=Deployer,host=localhost'
Mar 21, 2011 2:35:33 PM org.apache.catalina.core.ApplicationContext log
INFO: HTMLManager: init: Global resources are available
Mar 21, 2011 2:36:18 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [HTMLManager] in context with path [/manager] threw
exception
java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE
	at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1440)
	at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:626)
	at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:610)
	at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:154)
	at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:591)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
	at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:218)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:680)
Mar 21, 2011 2:47:18 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [HTMLManager] in context with path [/manager] threw
exception
java.lang.IllegalArgumentException: setAttribute: Non-serializable attribute org.apache.catalina.filters.CSRF_NONCE
	at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1440)
	at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:626)
	at org.apache.catalina.ha.session.DeltaSession.setAttribute(DeltaSession.java:610)
	at org.apache.catalina.session.StandardSessionFacade.setAttribute(StandardSessionFacade.java:154)
	at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:173)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:591)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
	at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:218)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:243)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:188)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:166)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:680)

<nyassz>

What can I do to avoid it ?

Thanks ahead,

Here is the server.xml from one of the tomcats:
<nyissz>
<?xml version='1.0' encoding='utf-8'?>
<Server port="8305" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
  
   <Connector port="8380" protocol="HTTP/1.1" 
               connectionTimeout="20000" 
               redirectPort="8343" />

    <Connector port="8343" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
		keystoreFile="/Users/administrator/.keystore" keystorePass="ITAccess"
               clientAuth="false" sslProtocol="TLS" />
    

    <Connector port="8309" protocol="AJP/1.3" redirectPort="8343" />


    <Engine name="Catalina" defaultHost="localhost" jvmRoute="tomcat3">

      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
              

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" 

               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>

      </Host>
    </Engine>
  </Service>
</Server>

<nyassz>

The <distributable/> tag is right now in the main web.xml.  It will be moved to the
concrete webapp's web.xml when the cluster is ok.

Here is the workers.properties from one machine:

<nyissz>
bml0065:local administrator$ cat apache2/conf/workers.properties 
worker.list = lb,jkstatus

worker.lb.type=lb
worker.lb.balance_workers=tomcat1,tomcat2,tomcat3,tomcat4
worker.lb.sticky_session = True
worker.lb.sticky_session_force = False

worker.jkstatus.type=status

worker.tomcat1.type = ajp13
worker.tomcat1.host = bml0066.yalepath.org
worker.tomcat1.port = 8109
worker.tomcat1.lbfactor = 1
worker.tomcat1.redirect=tomcat3

worker.tomcat2.type = ajp13
worker.tomcat2.host = bml0066.yalepath.org
worker.tomcat2.port = 8209
worker.tomcat2.lbfactor = 1
worker.tomcat2.redirect=tomcat4

worker.tomcat3.type = ajp13
worker.tomcat3.host = localhost
worker.tomcat3.port = 8309
worker.tomcat3.lbfactor = 1
worker.tomcat3.redirect=tomcat2

worker.tomcat4.type = ajp13
worker.tomcat4.host = localhost
worker.tomcat4.port = 8409
worker.tomcat4.lbfactor = 1
worker.tomcat4.redirect=tomcat1

<nyassz>
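
The failure in the stack traces above, modelled as an added example that is not part of the original message and is not Tomcat's code: a session that has to be replicated refuses a non-Serializable value stored under the CSRF nonce key, while a Serializable bounded cache is accepted and survives a serialize/deserialize round trip. `ReplicatedSession`, `PlainNonceCache` and `SerializableNonceCache` are hypothetical names, and the nonce value is constructed.

```java
import java.io.*;
import java.util.*;

public class NonceSessionDemo {
    // Simplified stand-in for a session in a distributable webapp: a value that
    // cannot be serialized cannot be replicated, so setAttribute refuses it.
    static class ReplicatedSession {
        private final Map<String, Object> attrs = new HashMap<>();
        void setAttribute(String name, Object value) {
            if (!(value instanceof Serializable))
                throw new IllegalArgumentException("setAttribute: Non-serializable attribute " + name);
            attrs.put(name, value);
        }
        // Replication to another node amounts to serialize here, deserialize there.
        Object replicate(String name) throws IOException, ClassNotFoundException {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
                out.writeObject(attrs.get(name));
            }
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
                return in.readObject();
            }
        }
    }

    // Hypothetical nonce cache that does not implement Serializable.
    static class PlainNonceCache {
        final Map<String, Boolean> seen = new LinkedHashMap<>();
    }

    // Hypothetical bounded LRU nonce cache; LinkedHashMap is Serializable, so this is too.
    static class SerializableNonceCache extends LinkedHashMap<String, Boolean> {
        private static final long serialVersionUID = 1L;
        private final int max;
        SerializableNonceCache(int max) { super(16, 0.75f, true); this.max = max; }
        @Override protected boolean removeEldestEntry(Map.Entry<String, Boolean> e) { return size() > max; }
    }

    public static void main(String[] args) throws Exception {
        String key = "org.apache.catalina.filters.CSRF_NONCE"; // attribute name from the trace
        ReplicatedSession session = new ReplicatedSession();
        try {
            session.setAttribute(key, new PlainNonceCache());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        SerializableNonceCache cache = new SerializableNonceCache(5);
        cache.put("constructed-nonce-1", Boolean.TRUE); // constructed sample value
        session.setAttribute(key, cache);
        Map<?, ?> copy = (Map<?, ?>) session.replicate(key);
        System.out.println("replicated copy holds nonce: " + copy.containsKey("constructed-nonce-1"));
    }
}
```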