Jiri Nejedly

Ranch Hand
since Oct 22, 2002

Recent posts by Jiri Nejedly

Hello. We have a J2EE application installed on Tomcat (many instances, both on Linux and Windows). On one particular Linux installation we have this specific problem:
That Tomcat application writes files to some Linux storage (directory). Then there is another web application (written in PHP) which, via the Apache server (on the same Linux), can download those files.
But on this particular Linux, this PHP app gets the message that it does not have read privileges for those files. As we see, those files have R & X privileges for owner, R for group and none for others.
Strange, other apps on other Linuxes are OK. Can we somehow manage the user which runs Tomcat? Could that be the way? Thanks.
2 months ago
Hi,

We have a J2EE application using Spring/Hibernate. We also use the Quartz scheduler.
We have these dependencies in pom.xml:
quartz 2.3.0 and quartz-oracle 2.1.7
We have many installations deployed on Tomcat 8, both on Windows and Linux.
Now we encountered a problem on one Linux. Something with Quartz.

This I get by using StdScheduler (getJobGroupNames(), getJobKeys(...)):


and this when trying to write cron settings via the Quartz API:


I think there's some communication problem between the Quartz library and its tables such as QRTZ_JOB_DETAILS and QRTZ_TRIGGERS. Both reading and writing.
The problem with StdScheduler (getJobGroupNames(), getJobKeys(...)) I overcame by direct access via Hibernate using plain SQL.
It worked, but writing cron settings via the Quartz API led to the above error. I am at the end, I cannot rewrite the whole Quartz API logic.

My environment settings
The server is Debian GNU/Linux 12 (bookworm)
Apache Tomcat/8.0.14
JDBC lib is ojdbc8.jar (in Tomcat's lib folder)
Oracle Database 12c Release 12.1.0.1.0 - 64bit Production

Any ideas what can be wrong ? Thanks.
4 months ago
Hi. We are developing a Java utility using a few government-provided web services (a few simple HTTPS URLs returning some JSON data). Everything works OK, but one customer uses a proxy server. We would like to give him a tested and working solution, not trial and error.

But we don't use a proxy server, so we tried to find some way to simulate it. We googled the utility Fiddler (https://www.telerik.com/fiddler) with this recommended setting
(https://superuser.com/questions/180480/how-to-simulate-corporate-proxy-server-on-my-development-machine)
1. Download and run Fiddler proxy (it's free). It will automatically set itself as a system proxy in Windows on each run. Also click Rules -> Require Proxy Authentication in the top menu if you want to test authentication to the proxy (username and password are "1").
2. Open Windows Firewall, then Advanced settings -> Windows Firewall Properties. Block all outbound connections for all profiles you need (domain, private, public) and click OK.
3. Add new outbound firewall rule to allow all access for 8888 port (default Fiddler port) or "%LOCALAPPDATA%\Programs\Fiddler\Fiddler.exe" app.

We did everything listed and tried Chrome first. It turned the proxy setting on by itself, with the address set to http=127.0.0.1:8888;https=127.0.0.1:8888

But connection ends with ERR_TUNNEL_CONNECTION_FAILED

We're not 100% sure how to set up the rule in point 3). Maybe the problem is here and not in Fiddler?
We set this:

Protocol type TCP
Local port all
Remote port 8888

This gives ERR_TUNNEL_CONNECTION_FAILED

If we set only local, only remote or both to 8888, it still gives ERR_TUNNEL_CONNECTION_FAILED

I know this is not a 100% Java question, but we get to Java right after solving this.

Maybe there's another utility emulating a proxy.

Any suggestions? Thanks.
5 months ago
I'll do that. But the behavior is really strange. The same application running on the same Tomcat version using the same Java works fine on one Linux server and not on the other Linux server (copied file by file 1:1).
1 year ago
Hi, we have a web application (Hibernate, Spring, Ember).
We have a few working installations on Tomcat 9 and Java 13. Some on Windows, some on Linux.
In one single case (Linux only, Java doesn't matter) we obtain this error


I searched high and low and found this:
- the jaxws-rt library is the key. It contains the ClientTransportException class, which inherits the
method from JAXWSExceptionBase class

- but only in version 3.0.0 and above. The versions below have this method too, but without a parameter.
- I have the jaxws-rt-2.2.10 library bundled in my application, but it is nowhere listed in the pom.xml dependencies. It is probably needed by some other library.
- I cannot forcefully replace it with 3.0.0. The application won't start at all then.
Strange, this is the only Linux installation which causes the trouble.
Any ideas? Thanks.

1 year ago
I solved the SSL error. It was something in the handshake. The communication library (which luckily has sources available) has some certificates (valid) inserted into a keystore but was unable to make the connection. I was recommended another pair of certificates. I replaced the former ones with these and the connection has been established. This solution works with all other customers.

P.S. As far as the ClientTransportException is concerned, it seems to be completely different problem. I'll open separate thread.
1 year ago
Finally I decided to rewrite the utility using BouncyCastle jdk18on 1.72.
I didn't edit java.security or add any libraries into the ext dir.
I just started the whole code with
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

I needed to write three methods: encrypt, sign and verify some XML content.
It meant sometimes to use



No matter how I tried to write my code using examples found on the internet,
there were places where the .setProvider("BC") invoked
"JCE cannot authenticate the provider BC" again.

After much googling and trial and error I found out that this behavior is only
present in development (I use JDeveloper).
The production library is OK, but must follow these rules:

- The final jar (containing all classes from all dependencies) mustn't include the BouncyCastle libraries.
It is done by maven-surefire-plugin and AssemblyDescriptor.xml



- When running the utility, the BC libraries must be used BEFORE the main jar library

java -classpath bcprov-jdk18on-1.72.jar;bcpkix-jdk18on-1.72.jar;bcutil-jdk18on-1.72.jar;myUtility-0.1-dependencies.jar <classWithMainMethod>

Now the utility works OK. However, I never found out what changed in Java 1.8.0_351 and caused all the problems.
1 year ago
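An added diagnostic for the situation in the post above (not code from the post or from BouncyCastle): Oracle's JDK only serves JCE classes such as Mac or Cipher from a provider whose jar carries a valid signature, so it helps to see which jar the provider class was really loaded from and whether signer certificates survived packaging. The class name `BcProviderCheck` and the choice of `HmacSHA256` as the probe algorithm are assumptions made for this example.

```java
import java.security.CodeSource;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.crypto.Mac;

/** Added example (hypothetical class name): report where the BC provider came from. */
public class BcProviderCheck {
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    public static void main(String[] args) throws Exception {
        Class<?> cls;
        try {
            cls = Class.forName(BC_CLASS); // reflection, so this compiles without BC present
        } catch (ClassNotFoundException e) {
            System.out.println("BouncyCastle is not on the classpath");
            return;
        }
        // The jar (or directory) the provider class was actually loaded from.
        CodeSource src = cls.getProtectionDomain().getCodeSource();
        System.out.println("loaded from: " + (src == null ? "<unknown>" : src.getLocation()));

        // Signer certificates are only present when the class came from a signed jar
        // whose signature files and digests are still intact.
        Certificate[] certs = (src == null) ? null : src.getCertificates();
        if (certs == null || certs.length == 0) {
            System.out.println("signed: NO (repackaged or unsigned copy of the classes)");
        } else {
            System.out.println("signed: yes");
            for (Certificate c : certs) {
                if (c instanceof X509Certificate) {
                    System.out.println("  signer: " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
        }

        // Reproduce the failing call path: a JCE service requested by provider name.
        Security.addProvider((Provider) cls.getDeclaredConstructor().newInstance());
        try {
            Mac.getInstance("HmacSHA256", "BC");
            System.out.println("JCE accepted provider BC");
        } catch (NoSuchProviderException e) {
            System.out.println("JCE rejected provider BC: " + e.getMessage());
        }
    }
}
```

Run it once with the same `-classpath` order as the production command and once against the all-in-one jar; the "loaded from" line shows which copy of the provider won.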
I tried this:
The data boxes service has a URL. When I paste it into a web browser I see the lock icon, so there's a certificate on their side and it can be exported.
Actually there are two certificates:

  • ESET ESS Filter CA
  • mydatabox.cz

It seems that there is a relationship between them (Root-Subordinate).
I exported both of them and imported them into Tomcat's keystore file (with the Keystore Explorer utility).
Strange thing - I don't see the hierarchy there anymore (?)
Then I edited the server.xml in Tomcat


It didn't help. The SSLHandshakeException remains.
1 year ago
In the Java 1.8.0.151 ext directory there are several jars. All of them have a sun folder in them. I think it is related to the 10 providers listed in java.security. I scanned the ext folder and then all of Java, including the content of jars, for the word 'bouncy' but found nothing. So I think Bouncy Castle is loaded by the utility - yes, I found



So the question must be put like this: What changed in Java that disabled loading BouncyCastleProvider in our utility?
1 year ago
Hi,

We have a small Java utility which sends an XML document (encrypted, signed) to a government portal.
The problem started when our customer upgraded Java from JDK 1.8.0.151 to JDK 1.8.0.351. Only this minor upgrade caused this error

    error constructing MAC: java.security.NoSuchProviderException: JCE cannot authenticate the provider BC



Our utility uses BouncyCastle libraries version jdk16-1.38 and also jdk15on-1.68.
I googled a lot, but adding

to java.security didn't help.
I don't have enough time to rewrite this whole utility to use the latest BC library. I am not the author and the API changed considerably.

Any other ideas? Thanks
1 year ago
Hi,

We have a web application (Hibernate, Spring, Ember) which communicates with so-called Data Boxes - it is our government project, something like a better email for entrepreneurs.
You log into it only by user ID and password. No certificate.
We have a few working installations on Tomcat 9 and Java 13. All on Windows.
But we need to operate also on Linux. The application is OK, but connecting to Data Boxes is not.
We have two different errors on two different customers (both Linux, both Tomcat 9 and both Java 13):
a)

    com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: PKIX path building failed:
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



- As I said, no certificate is needed. Do we need to disable something on Tomcat?

b)

    {"errorMessage":"* Handler dispatch failed; nested exception is java.lang.AbstractMethodError: Receiver class com.sun.xml.ws.client.ClientTransportException does not define or inherit an implementation of the resolved method 'abstract java.util.ResourceBundle getResourceBundle(java.util.Locale)' of interface com.sun.istack.localization.Localizable.
    * Receiver class com.sun.xml.ws.client.ClientTransportException does not define or inherit an implementation of the resolved method 'abstract java.util.ResourceBundle getResourceBundle(java.util.Locale)' of interface com.sun.istack.localization.Localizable.","errorStack":"org.springframework.web.util.NestedServletException: Handler dispatch failed; nested exception is java.lang.AbstractMethodError: Receiver class com.sun.xml.ws.client.ClientTransportException does not define or inherit an implementation of the resolved method 'abstract java.util.ResourceBundle getResourceBundle(java.util.Locale)' of interface com.sun.istack.localization.Localizable.



- Stranger than a). This error isn't logged to the Tomcat logs at all. I found it in the URL response when calling the data box method (in the Chrome console).

Any ideas? Thanks
1 year ago
Hi. We have a J2EE application and we are implementing 'data mailboxes' in it. They are the way our government communicates with entrepreneurs.
The data mailboxes are implemented in a public jar library (source available) and the BouncyCastle library bcpkix-jdk15on.jar (version important!) is needed as a dependency
and put in the Maven pom.xml. So far so good. The problem starts with this code



The class DefaultAlgorithmNameFinder is in bcpkix-jdk15on.jar, but

    Could not initialize class org.bouncycastle.operator.DefaultAlgorithmNameFinder NoClassDefFoundError

is thrown.

I listed all libraries deployed with the application and I see there are more, older BouncyCastle libraries: bcmail-jdk14.jar, bcprov-jdk14.jar and bctsp-jdk14.jar.
None of them is listed as a dependency in pom.xml and none of them contains the DefaultAlgorithmNameFinder class. But those libraries are probably dynamically loaded
as a dependency of the Jasper library. But bcpkix-jdk15on.jar is placed way before Jasper in pom.xml.

I don't understand the confusion: why does the class loader seek the class only in the '14' libraries and then not in '15'?

Please can somebody explain this and suggest some solution? Thanks.



1 year ago
Hi.
We have a medium-complex J2EE application (Spring, Hibernate, Ember) deployed in Tomcat.
Our customer warned us about a vulnerability in the Apache Log4j library (CVE-2021-44228). Vulnerable are Apache Log4j versions from 2.0 to 2.14.1.
We use the older version 1.2.17, but it has security issues too (CVE-2019-17571).
I don't understand how serious this threat is:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data."
Please can somebody explain and simplify the meaning of the quoted sentence to me?
I cannot imagine how anybody could intercept the direct write operation between our app and the log file (catalina.out) in Tomcat. There is no "network traffic for log data", there is a direct write.

Thanks for any comments.
2 years ago
Thanks everybody for your comments. Our customer made some concessions. It will suffice for him if, at the moment of the second signing, the first signature is removed and then the second added. It was solvable for us to do it in Java code. But another requirement came - to change the digital signature (by certificate) appearance. Would it be possible to NOT show the validity state icon at all, meaning the red cross or green check mark, but mainly the yellow question mark which is shown in internet browsers? Thanks.
2 years ago
I see, it makes sense, it is really a digital signature.

Our customer argues that he has a document which has two digital signatures and both are valid. But I see one big difference - his document has a few prepared signing fields.
Probably his document was created by some sophisticated PDF editing application. I am afraid that Jasper Server won't be able to do that.

Otherwise I googled this https://stackoverflow.com/questions/62271473/multiple-signings-in-pdf-file-using-itext and from the communication there
I had a notion that multiple digital signing is possible.
2 years ago