Add support for Tomcat 10
Currently PKI only supports Tomcat 9. Tomcat 10 will eventually replace Tomcat 9 and the API might change. To simplify the transition there should be a separate module for Tomcat 10 (i.e. base/tomcat-10.0). The upstream CI should build and test PKI against both Tomcat 9 and 10, but the RPM spec will only need to support one Tomcat version (depending on availability).
This relates to https://github.com/dogtagpki/tomcatjss/issues/68
Any news here? Dogtag is getting removed from Ubuntu 24.04 (due to release next month) because of this.
rawhide has tomcat 10.1 now: https://bodhi.fedoraproject.org/updates/FEDORA-2024-341e4c19d6
I guess this is a better place to keep the comments from the Fedora update linked above as they are more applicable to the PKI project :) Tomcat 10.1 is currently incompatible with this application. I dug into the automated tests which are failing and found a few things to get you started on updates.
- The catalina.properties file needs to add a few more jars to the exclusion list so that scanning them won't fail. Failures look like:
May 31 10:20:20 ipa002.test.openqa.fedoraproject.org server[4859]: WARNING: Failed to scan [file:/usr/share/java/tomcat-jakartaee-migration/bcel-6.8.1.jar] from classloader hierarchy
May 31 10:20:20 ipa002.test.openqa.fedoraproject.org server[4859]: java.nio.file.NoSuchFileException: /usr/share/java/tomcat-jakartaee-migration/bcel-6.8.1.jar
May 31 10:20:20 ipa002.test.openqa.fedoraproject.org server[4859]: at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
....
and can be fixed with a patch such as:
--- conf/catalina.properties.orig 2024-05-31 19:45:43.846548383 -0400
+++ conf/catalina.properties 2024-05-31 19:46:22.194548383 -0400
@@ -139,7 +139,7 @@ junit.jar,junit-*.jar,hamcrest-*.jar,eas
objenesis-*.jar,ant-launcher.jar,\
cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
-xom-*.jar
+xom-*.jar,bcel*.jar,commons-compress*.jar,jakartaee-migration-*.jar
\# Default list of JAR files that should be scanned that overrides the default
\# jarsToSkip list above. This is typically used to include a specific JAR that
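Review bot: On the added line, `bcel*.jar` and `commons-compress*.jar` drop the hyphen that the other versioned patterns in this list carry (`xom-*.jar`, `jetty-*.jar`), so they match any jar whose name merely starts with `bcel` or `commons-compress`; suggest `bcel-*.jar,commons-compress-*.jar`, in line with `jakartaee-migration-*.jar` on the same line. Separately, the warning being addressed is a NoSuchFileException for the bcel jar, so skipping the scan silences the message while the reference to the missing file in the classloader hierarchy remains; that is worth tracking as its own item.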
Note: this is not a complete list and will probably need others.
- Tomcat 10.1 supports jakartaee instead of javaee, so there's failures such as:
May 31 10:20:22 ipa002.test.openqa.fedoraproject.org server[4859]: SEVERE: Begin event threw exception
May 31 10:20:22 ipa002.test.openqa.fedoraproject.org server[4859]: java.lang.NoClassDefFoundError: javax/servlet/http/HttpServletResponse
May 31 10:20:22 ipa002.test.openqa.fedoraproject.org server[4859]: at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
....
- The last item that I noticed are issues with tomcatjss and the API changes in tomcat 10:
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: SEVERE: Error reading request, ignored
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: java.lang.AbstractMethodError: Receiver class org.dogtagpki.jss.tomcat.JSSImplementation does not define or inherit an implementation of the resolved method 'abstract org.apache.tomcat.util.net.SSLSupport getSSLSupport(javax.net.ssl.SSLSession, java.util.Map)' of abstract class org.apache.tomcat.util.net.SSLImplementation.
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: at org.dogtagpki.jss.tomcat.JSSSecureNioChannel.getSSLSupport(JSSSecureNioChannel.java:327)
....
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: at java.base/java.lang.Thread.run(Thread.java:1583)
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: SEVERE: Error running socket processor
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: java.lang.NullPointerException: Cannot invoke "java.nio.ByteBuffer.limit(int)" because "this.byteBuffer" is null
May 31 10:20:23 ipa002.test.openqa.fedoraproject.org server[4859]: at org.apache.coyote.http11.Http11InputBuffer.recycle(Http11InputBuffer.java:262)
....
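One way to find the remaining jars for the skip list mentioned in the comment above. This is an added example, not code from the thread or from the PKI project. The sample log and properties text are constructed, and the matching assumes the skip list uses only `*` and `?` as wildcards.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: journal lines in the format quoted in the comment above.
SAMPLE_LOG = """\
May 31 10:20:20 host server[4859]: WARNING: Failed to scan [file:/usr/share/java/tomcat-jakartaee-migration/bcel-6.8.1.jar] from classloader hierarchy
May 31 10:20:20 host server[4859]: java.nio.file.NoSuchFileException: /usr/share/java/tomcat-jakartaee-migration/bcel-6.8.1.jar
May 31 10:20:21 host server[4859]: WARNING: Failed to scan [file:/usr/share/java/example/not-listed-1.0.jar] from classloader hierarchy
"""

# Constructed sample: tail of the skip list as it reads after the patch.
SAMPLE_PROPERTIES = """\
tomcat.util.scan.StandardJarScanFilter.jarsToSkip=\\
jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\\
xom-*.jar,bcel*.jar,commons-compress*.jar,jakartaee-migration-*.jar
"""

SCAN_FAILURE = re.compile(r"Failed to scan \[file:([^\]]+\.jar)\]")

def skip_patterns(properties_text, key="tomcat.util.scan.StandardJarScanFilter.jarsToSkip"):
    """Return the comma-separated patterns of `key`, joining backslash continuations."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", properties_text)
    for line in joined.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return [p.strip() for p in value.split(",") if p.strip()]
    return []

def glob_to_regex(pattern):
    """Translate a skip pattern; only '*' and '?' are treated as wildcards (assumption)."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))

def failed_jars(log_text):
    """Unique jar file names from 'Failed to scan' warnings, in the order seen."""
    names = (PurePosixPath(m.group(1)).name for m in SCAN_FAILURE.finditer(log_text))
    return list(dict.fromkeys(names))

def uncovered(log_text, properties_text):
    """Jars that failed scanning and match no pattern in the skip list."""
    regexes = [glob_to_regex(p) for p in skip_patterns(properties_text)]
    return [j for j in failed_jars(log_text) if not any(r.fullmatch(j) for r in regexes)]

if __name__ == "__main__":
    for jar in uncovered(SAMPLE_LOG, SAMPLE_PROPERTIES):
        print("not in jarsToSkip:", jar)
```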
This needs bumping in priority because it does fail in Fedora 40 after an upgrade, so this is not just a rawhide problem anymore.