Return-Path: 
 <users-return-242358-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 1C94110227
	for <apmail-tomcat-users-archive@www.apache.org>;
 Thu, 20 Jun 2013 18:25:43 +0000 (UTC)
Received: (qmail 23485 invoked by uid 500); 20 Jun 2013 18:25:39 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 23375 invoked by uid 500); 20 Jun 2013 18:25:39 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 23366 invoked by uid 99); 20 Jun 2013 18:25:38 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Jun 2013 18:25:38 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of demablogia@gmail.com
 designates 209.85.214.176 as permitted sender)
Received: from [209.85.214.176] (HELO mail-ob0-f176.google.com)
 (209.85.214.176)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Jun 2013 18:25:34 +0000
Received: by mail-ob0-f176.google.com with SMTP id v19so7416422obq.7
        for <users@tomcat.apache.org>; Thu, 20 Jun 2013 11:25:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :content-type;
        bh=6bBUbMh4jBmLRCzRDAyQhRm+IHg0tGqExa6ANG/tAkQ=;
        b=mx3Ke+IYh2KdgkZMloxx2T6A1Ru0Mxlbv1aDoAPHIV00xrERVG/feKh2vbfN/O3e69
         2sk3PN2LQPBUiN6kIVNwc+Oe097vZVUdYWprvwXIi4dRoJO3d7zuIziIEdjRx8rz8vKj
         VP6RF22jNLLHPKiXTwDD7PWT0+Ckh/s0vKrBP1IkKgBka0AoaeOkeW+QarQ2yUQ0f+CB
         rdgCMW63/2wx9PELh9SByzP4sU7MFBV8SCDWt9+cOwDESUvfHaquXiRczPQigqsSrvdX
         JQ7I2/ZyHqogxU6unwQmU70ekgaVlvFZmQKhb+30TgYBd24ob83n3bPHJP6eeI8xRxgS
         Q/Zw==
X-Received: by 10.60.137.163 with SMTP id qj3mr5091174oeb.84.1371752713990;
 Thu, 20 Jun 2013 11:25:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.33.197 with HTTP; Thu, 20 Jun 2013 11:24:53 -0700 (PDT)
In-Reply-To: <51C25F4F.1010709@christopherschultz.net>
References: 
 <CABOBwRgGygJoSvyPY4yy8Qr24dgMQkAjQkrG9Sj89SHES2FnGA@mail.gmail.com>
 <51C210B4.7080909@christopherschultz.net>
 <CABOBwRi5XGMFiD9y4H4bnmsGiqxkhCH=TjM3p4_zgNBhDh2CoA@mail.gmail.com>
 <51C25F4F.1010709@christopherschultz.net>
From: =?ISO-8859-1?Q?Jose_Mar=EDa_Zaragoza?= <demablogia@gmail.com>
Date: Thu, 20 Jun 2013 20:24:53 +0200
Message-ID: 
 <CABOBwRg+CAo-YWkHQ71A+nf7anyayhwqpeFRcw-XmUzL2y+MYA@mail.gmail.com>
Subject: Re: Tomcat 6.x leak with WSS4J library
To: Tomcat Users List <users@tomcat.apache.org>
Content-Type: multipart/alternative; boundary=047d7b33c95a3cbb0a04df9a1103
X-Virus-Checked: Checked by ClamAV on apache.org

--047d7b33c95a3cbb0a04df9a1103
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Thanks you very much, Christopher :

1)

Finally

-
-Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=3Dfa=
lse

worked for me, but I want to find out the root cause for leaking. I afraid
to accelerate OOM in PermGen  with many redeploys

2)


>Perhaps a container-loaded component (wss4j?) is being configured to
>use a webapp-loaded component (log4j?). Have you placed anything that
>didn't come with Tomcat into Tomcat's lib/ directory?


I don't use log4j.jar and I guess neither another library in my WEB-INF/lib
( looking at Maven dependences ).

I don't have log4j.jar in $TOMCAT_HOME\lib



My web application uses slf4j + logback and I've got jcl-over-slf4j as a
Maven dependence

and I exclude that another library uses commons-logging with Maven
exclusion option

<exclusions>
<exclusion>
 <groupId>commons-logging</groupId>
   <artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>

So, if logging system leaks, should be slf4j + logback, but I'm not sure




























2013/6/20 Christopher Schultz <chris@christopherschultz.net>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Jose,
>
> On 6/19/13 5:02 PM, Jose Mar=EDa Zaragoza wrote:
> > Thanks !
> >
> >> You should at least upgrade to 6.0.37. 6.0.24
> >
> > I agree with you but I can't. Anyway, I tested my webapp in Tomcat
> > 6.0.37 and it throws the same error; it only works in latest Tomcat
> > 7.x
>
> You really need to. Tell your bosses that you are vulnerable to a
> number of "important" security vulnerabilities that have been
> published for years, now.
>
> >> Why is your web application attempting to get a message's
> >> signature
> > during shutdown?
> >
> > I explained myself  badly . I wanted to say "after my webapp  is
> > redeployed and without any restart, the next requests to my webapp
> > throws that exception.
>
> This suggests that some component is being de-configured on webapp
> shutdown but then you are still trying to use it after the webapp
> shutdown (when the next version of the webapp).
>
> Perhaps a container-loaded component (wss4j?) is being configured to
> use a webapp-loaded component (log4j?). Have you placed anything that
> didn't come with Tomcat into Tomcat's lib/ directory?
>
> >> I think you have to use a ServletContextListener to properly
> >> tear-down your resources, otherwise they may be torn-down after
> >> Tomcat does things such as nulling-out static field references,
> >> which is likely to be the problem you are encountering, here.
> >
> > I agree but I have no idea how free resources managed by wss4j
> > library . I'm not an expert in JVM profiling but I can investigate
> > about it.
> >
> >> That's because the "log" reference is null. -
> >> -Dorg.apache.catalina.loader.
> >> WebappClassLoader.ENABLE_CLEAR_REFERENCES=3Dfalse
> >
> > Great ! It could be a solution. I hope don't have collateral
> > effects ...
>
> The collateral effect is likely to be that your webapp doesn't crash
> (at least for this issue) but you might end up with a webapp-reload
> memory leak if you don't already have one.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJRwl9PAAoJEBzwKT+lPKRYMFoQAJ4CZa4iwUItpl8VlizLfaBE
> idgDbjWrZEEUp78iqo3+aJKnrLZpJIiHpx80PvXgJ8Dc9ifZS5jiObkfzcCdxwZj
> DMNCctEAIg6fmtnttFY5m8f73geLA8QBY2agie6BaxdfnXqFRPyGwefeVcuymnbv
> wkVu4W6XPXPSAZJhYaF3vS+L3hD3CUtStwg2/TEAlxaWtFgH+rDcmdwJsAQPkUxI
> FEYJTk5asTyQE/9Voq+wzHG3ygu9ZW48EgvHQAKtjPWpDk7FhYbiK0uVfB7W5F7F
> UbixxonlNO+KMW/zPqtDt9+wPXux9T1m8c3iflek/Oai9LfFflb+mw4x2UhSFx+d
> nN518ZsBB6mUyoOxgllGQECZSTT8xB/JFX7VxAMhTtpIn2ltFMhKhPKSKamRPKZb
> nwQcxHf7PC/AxXaZT429Qj1d0+rPi0MMeLhYShleestWnuYdM733fYwdru8rBRjx
> HWxDpFsJtp/LOKkJGTbw/0AT8yxkVXLKRjTxGOB7NWxSO/VCNq2l0H9711ECUAAK
> ki6MdbPog7nXgMwVAmegtJjSjg124Q8iGw9YiKSuRRWeZ6FuInLB7umlijUac81Z
> apZu1G8gfbpcQM36//cVEsFShCAKION2h+n9KE/bhLvYyBvS03u6tTyUS65VR9EY
> j9mkawDqdULHtGYNiv8V
> =3D2NOw
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

--047d7b33c95a3cbb0a04df9a1103--