tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Problem configuring a resource link after Fixed CVE-2016-6797
Date Thu, 22 Dec 2016 18:48:53 GMT

Per,

On 12/22/16 11:45 AM, Per Newgro wrote:
> No, we don't see the same problems with a 7.0.64 installation. But
> what can we do with our Debian version? I think it shall be
> possible to configure the datasource somehow.

It's possible that there was an imperfect patch released by Debian.

I don't believe I've heard anyone else complain yet, but that may just
be dumb luck.

-chris

> On 16 December 2016 09:12:24 GMT+00:00, Per Newgro
> <per.newgro@gmx.ch> wrote:
>>> Hello,
>>> 
>>> I've just updated my Debian server with an update for tomcat
>>> 7.0.28-4+deb7u6 to 7.0.28-4+deb7u7.
>> Do you see the same problem with the latest 7.0.x obtained
>> directly from the ASF?
>> 
>> Mark
>> 
>> 
>>> In the release notes
>>> (https://packages.qa.debian.org/t/tomcat7/news/20161201T223017Z.html)
>>> I found
>>>
>>>> * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web
>>>> application access to global JNDI resources to those resources
>>>> explicitly linked to the web application. Therefore, it was
>>>> possible for a web application to access any global JNDI resource
>>>> whether an explicit ResourceLink had been configured or not.
>>>
>>> I configured the resource and resource link as described in
>>> the tomcat-howtos. So far it worked. But after the update my
>>> webapp cannot determine the appropriate datasource.
>>>
>>> I couldn't find any advice on the web on how to configure the
>>> resource accordingly. Can someone please give me advice on how
>>> to solve this? Thanks, Per
>>> 
>>> <pre>
>>> conf/server.xml
>>> <Server...>
>>>   <!-- Global JNDI resources
>>>        Documentation at /docs/jndi-resources-howto.html -->
>>>   <GlobalNamingResources>
>>>     <!-- Editable user database that can also be used by
>>>          UserDatabaseRealm to authenticate users -->
>>>     <Resource name="UserDatabase" auth="Container"
>>>               type="org.apache.catalina.UserDatabase"
>>>               description="User database that can be updated and saved"
>>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>               pathname="conf/tomcat-users.xml" />
>>>
>>>     <Resource name="jdbc/foo" auth="Container"
>>>               type="javax.sql.DataSource"
>>>               description="Foo Datasource"
>>>               username="foo" password="bar"
>>>               url="jdbc:sqlserver://11.211.255.3;databaseName=FOO;"
>>>               driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
>>>               intitalSize="5" maxWait="5000" maxActive="120" maxIdle="5"
>>>               validationQuery="select 1" poolPrepareStatements="true" />
>>>   </GlobalNamingResources>
>>> </Server>
>>>
>>> webapps/foo/META-INF/context.xml
>>> <Context>
>>>   <!-- If the application has to run on tomcat this context can be
>>>        used to include files outside of the war in the classpath.
>>>        So these files can be configured with a custom war deployment.
>>>        All required resources of the src/test/resources folder have
>>>        to be copied to that folder.
>>>   -->
>>>   <Loader className="org.apache.catalina.loader.VirtualWebappLoader"
>>>           virtualClasspath="${catalina.base}/conf/application/foo" />
>>>
>>>   <ResourceLink name="jdbc/foo" global="jdbc/foo"
>>>                 type="javax.sql.DataSource"/>
>>> </Context>
>>>
>>> webapps/foo/WEB-INF/web.xml
>>>
>>> <resource-ref>
>>>   <description>DB Connection</description>
>>>   <res-ref-name>jdbc/foo</res-ref-name>
>>>   <res-type>javax.sql.DataSource</res-type>
>>>   <!-- was: Application -->
>>>   <res-auth>Container</res-auth>
>>> </resource-ref>
>>>
>>> Spring configuration
>>> public @Bean(destroyMethod="") DataSource applicationDb(
>>>     @Value("${database.driver}") String driverClassName,
>>>     @Value("${database.url}") String url,
>>>     @Value("${database.username}") String username,
>>>     @Value("${database.password}") String password) throws NamingException {
>>>   InitialContext ctx = new InitialContext();
>>>   DataSource ds = (DataSource) ctx.lookup("java:comp/env/jdbc/foo");
>>>   // this logs a BasicDataSource instance
>>>   LOG.debug("Datasource=" + ds);
>>>   return ds == null ? devDataSource(driverClassName, url, username, password) : ds;
>>> }
>>> 
>>> Exception stack
>>>     at org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean.createNativeEntityManagerFactory(LocalContainerEntityManagerFactoryBean.java:343)
>>>     at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.afterPropertiesSet(AbstractEntityManagerFactoryBean.java:318)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1637)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1574)
>>>     ... 40 more
>>> Dez 16, 2016 10:08:06 AM org.apache.catalina.core.StandardContext listenerStart
>>> SCHWERWIEGEND: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
>>> org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'supportedLocaleDao': Injection of persistence dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'applicationEntityManagerFactory' defined in class de.itcompany.config.AppctxJeeHb: Invocation of init method failed; nested exception is org.hibernate.HibernateException: Unable to determine appropriate DataSource to use
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.postProcessPropertyValues(PersistenceAnnotationBeanPostProcessor.java:357)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1214)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:543)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:772)
>>>     at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:839)
>>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:538)
>>>     at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:446)
>>>     at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:328)
>>>     at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
>>>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4827)
>>>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5321)
>>>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:618)
>>>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:963)
>>>     at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1600)
>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'applicationEntityManagerFactory' defined in class de.itcompany.config.AppctxJeeHb: Invocation of init method failed; nested exception is org.hibernate.HibernateException: Unable to determine appropriate DataSource to use
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1578)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:545)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306)
>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302)
>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
>>>     at org.springframework.orm.jpa.EntityManagerFactoryUtils.findEntityManagerFactory(EntityManagerFactoryUtils.java:130)
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findNamedEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:556)
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.findEntityManagerFactory(PersistenceAnnotationBeanPostProcessor.java:538)
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.resolveEntityManager(PersistenceAnnotationBeanPostProcessor.java:707)
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor$PersistenceElement.getResourceToInject(PersistenceAnnotationBeanPostProcessor.java:680)
>>>     at org.springframework.beans.factory.annotation.InjectionMetadata$InjectedElement.inject(InjectionMetadata.java:169)
>>>     at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:88)
>>>     at org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor.postProcessPropertyValues(PersistenceAnnotationBeanPostProcessor.java:354)
>>>     ... 26 more
>>> Caused by: org.hibernate.HibernateException: Unable to determine appropriate DataSource to use
>>>     at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.configure(DatasourceConnectionProviderImpl.java:119)
>>>     at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:111)
>>>     at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:234)
>>>     at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
>>>     at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.buildJdbcConnectionAccess(JdbcServicesImpl.java:260)
>>>     at org.hibernate.engine.jdbc.internal.JdbcServicesImpl.configure(JdbcServicesImpl.java:94)
>>>     at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.configureService(StandardServiceRegistryImpl.java:111)
>>>     at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:234)
>>>     at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:206)
>>>     at org.hibernate.cfg.Configuration.buildTypeRegistrations(Configuration.java:1887)
>>>     at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1845)
>>>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl$4.perform(EntityManagerFactoryBuilderImpl.java:857)
>>>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl$4.perform(EntityManagerFactoryBuilderImpl.java:850)
>>>     at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl.withTccl(ClassLoaderServiceImpl.java:425)
>>>     at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:849)
>>>     at org.springframework.orm.jpa.vendor.SpringHibernateJpaPersistenceProvider.createContainerEntityManagerFactory(SpringHibernateJpaPersistenceProvider.java:60)
>>>     at org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean.createNativeEntityManagerFactory(LocalContainerEntityManagerFactoryBean.java:343)
>>>     at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.afterPropertiesSet(AbstractEntityManagerFactoryBean.java:318)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1637)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1574)
>>>     ... 40 more
>>> 
>>> </pre>
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
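
Added example, not part of the original thread and not Tomcat code: since the CVE-2016-6797 fix ties a web application's access to global JNDI resources to its explicit ResourceLink entries, a first check is to cross-reference each context.xml against the GlobalNamingResources in server.xml. The function names, the second webapp "bar" and the sample XML are constructed for illustration; the type comparison is a review flag, not a claim about what this Tomcat version enforces.

```python
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the configuration quoted in the thread.
SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"/>
    <Resource name="jdbc/foo" auth="Container" type="javax.sql.DataSource"/>
  </GlobalNamingResources>
</Server>"""

CONTEXTS = {  # webapp name -> META-INF/context.xml content (constructed)
    "foo": """<Context>
  <ResourceLink name="jdbc/foo" global="jdbc/foo" type="javax.sql.DataSource"/>
</Context>""",
    "bar": """<Context>
  <ResourceLink name="jdbc/db" global="jdbc/bar" type="javax.sql.DataSource"/>
  <ResourceLink name="users" global="UserDatabase" type="javax.sql.DataSource"/>
</Context>""",
}


def global_resources(server_xml):
    """Map each global resource name to its declared type."""
    root = ET.fromstring(server_xml)
    return {r.get("name"): r.get("type")
            for r in root.findall("./GlobalNamingResources/Resource")}


def audit_links(server_xml, contexts):
    """Return (grants, problems): the global resources each webapp is
    explicitly linked to, and the links that need review."""
    globals_ = global_resources(server_xml)
    grants, problems = {}, []
    for app, ctx_xml in sorted(contexts.items()):
        grants[app] = []
        for link in ET.fromstring(ctx_xml).iter("ResourceLink"):
            local, target, typ = link.get("name"), link.get("global"), link.get("type")
            if target not in globals_:
                problems.append((app, local, "no global resource named " + target))
            elif typ and globals_[target] and typ != globals_[target]:
                problems.append((app, local, "type %s != global type %s" % (typ, globals_[target])))
            else:
                grants[app].append((local, target))
    return grants, problems
```

The `grants` mapping doubles as a least-privilege inventory: it lists exactly which global resources each application has been explicitly linked to.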

