From darran.lofthouse at jboss.com  Wed Nov  1 04:28:45 2017
From: darran.lofthouse at jboss.com (Darran Lofthouse)
Date: Wed, 01 Nov 2017 08:28:45 +0000
Subject: [undertow-dev] WildFly 8.2.1 EJB Security and Custom Auth
	Mechanism.
In-Reply-To: <CAE=-AhALX2hLLW4dE=AA18ySV0YutoYGKTo=A-asvNXc2RMmAw@mail.gmail.com>
References: <CA+FvxKhsAr2aNO0R5rXA2yNoU24Xz4KZH66ZNnzMNfjbRTEN6w@mail.gmail.com>
	<CAE=-AhALX2hLLW4dE=AA18ySV0YutoYGKTo=A-asvNXc2RMmAw@mail.gmail.com>
Message-ID: <CAMxVf4PNuWHmG3faxdToaF6JUR141Hc05+-V68JCwef8NuTF3A@mail.gmail.com>

FYI I am just in the process of planning the WildFly Elytron / JASPIC
implementation, this doc is far from complete but I am currently assembling
my thoughts and plans here: -

https://developer.jboss.org/wiki/AnalysisDesign-JASPICIntegrationWithWildFlyElytron

Most importantly this will also be a move to support true config provider
matching without requiring a deployment to be artificially associated to a
security domain just to switch on JASPIC support.

Regards,
Darran Lofthouse.


On Tue, 31 Oct 2017 at 23:12 arjan tijms <arjan.tijms at gmail.com> wrote:

> Hi,
>
> On Tue, Oct 31, 2017 at 3:04 PM, Nick Stuart <nick at portlandwebworks.com>
> wrote:
>
>> Hello all, having an issue with a
>> custom io.undertow.security.api.AuthenticationMechanism implementation and
>> EJB security on WildFly 8.2 and hoping someone can think of a work around.
>>
>> Basic problem, user is authenticated via the AuthenticationMechanism, and
>> the web context sees the user just fine and their roles, but when we get to
>> the EJB calls the user is seen as 'anonymous'. The mechanism calls:
>>
>> sc.authenticationComplete(ac, mechanismName, true);
>> and returns:
>> AuthenticationMechanismOutcome.AUTHENTICATED;
>>
>
> This looks quite similar to a number of different fixes that were being
> done for WildFly when the caller authenticates via JASPIC. See some of the
> links here:
> https://jaspic.zeef.com/arjan.tijms#block_63051_implementations-issue-tracking
>
> You could try authenticating via JASPIC instead of AuthenticationMechanism
> to see if that makes a difference. JASPIC should really work, as I have
> been specifically testing WildFly for that. See
> http://arjan-tijms.omnifaces.org/2016/12/the-state-of-portable-authentication-in.html
>
>
> Any ideas would be greatly appreciated. Upgrading is going to be
>> considered a worst case scenario right now, and would like avoid it right
>> now if at all possible.
>>
>
> Just curious, but why would you want to avoid that? WildFly 8 corresponds
> to a very early version of JBoss EAP 7, while WildFly 10 is very close to
> the final release.
>
> Kind regards,
> Arjan Tijms
>
>
>
>>
>>
>> Thanks for the help!
>> -Nick
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171101/d6ef2ea7/attachment-0001.html 

From nick at portlandwebworks.com  Wed Nov  1 08:41:35 2017
From: nick at portlandwebworks.com (Nick Stuart)
Date: Wed, 1 Nov 2017 08:41:35 -0400
Subject: [undertow-dev] WildFly 8.2.1 EJB Security and Custom Auth
	Mechanism.
In-Reply-To: <CAD+L2czkOFJjpMB-8NAaAE-f5AW=TFuR4Byc_VYDWVRm988o2Q@mail.gmail.com>
References: <CA+FvxKhsAr2aNO0R5rXA2yNoU24Xz4KZH66ZNnzMNfjbRTEN6w@mail.gmail.com>
	<CAD+L2czkOFJjpMB-8NAaAE-f5AW=TFuR4Byc_VYDWVRm988o2Q@mail.gmail.com>
Message-ID: <CA+FvxKg-SCB3ahfXGOptZ3YbDHmPQTmrwyCH419Ps-5pNCvhvg@mail.gmail.com>

Correct, and after digging around in the source for WildFly came to near
enough the same conclusion. And yes I agree, and personally, I would LOVE
to upgrade to 11, or even 10 at this point, but out of my hands at the
moment.

One other thing I discovered, once I turned on trace logging for JBoss
security items, was that my calls to sc.login() were actually failing, but
not being reported at all, and this was actually causing the infinite
recursion.

I did manage to come up with what seems like a more appropriate solution,
so I'll run down what I did and see if it's a terrible idea.

Setup:
Application is configured with a security domain in the WildFly config.
The web.xml has normal security and roles defined in there, as well as the
custom auth method.
Deployed an an EAR with an EJB project. EJBs have @SecurityDomain on them
and @RolesAllowed annotations defined

Custom Auth Mechnanism:
Simple class reading a JWT based cookie to get auth info.
Calls SecurityContext.authenticationComplete with Account details.  (no use
of IdentityManager or anything else as other posts have mentioned)
Works with this at web layer, but not in EJB layer.
So...

Solution:
Write a custom login module and add it to security domain config, extending
AbstractServerLoginModule.
<hack?>
In AuthMechanism, on successful auth a ThreadLocal variable is set with the
account info
SecurityContext.login() is called which calls the login module which reads
the ThreadLocal variable from the auth mechanism.
Roles are pulled from the getRoleSet method implementation.
User is now logged in as far the security domain is concerned with the
correct roles.
</hack?>

I feel more comfortable now that I least know whats going on and the
complete flow, but it still doesn't feel very nice. Reading through the
code I can kind of see why the 'extra' SecurityContext.login is required,
but would be nice if this was not a requirement. Not very intuitive that
you are completing the authentication, but are not seen as completely
logged in. It looks like changes would be required at the configuration
level to somehow be aware of the customer auth mechanism for something like
this to work.

Does this feel like a completely unreasonable request? I'm an (obvious)
novice on JAAS side of things, but if this is not completely of base I'll
be happy to file a feature request for this type of setup. I feel like it's
already so close.

Thoughts? Feedback?

Thanks for the time!
-Nick


On Tue, Oct 31, 2017 at 5:51 PM, Stuart Douglas <sdouglas at redhat.com> wrote:

> I assume you are not using the IdentityManager in your custom impl?
>
> This is what causes the Wildfly issues, as the Wildfly SecurityContext
> setup is done there. You will probably need to duplicate some of the
> code in org.wildfly.extension.undertow.security.JAASIdentityManagerImpl
> into your custom auth mechanism (the bit in
> org.wildfly.extension.undertow.security.JAASIdentityManagerImpl#
> verifyCredential
> that sets up the context).
>
> I would recomment upgrading to Wildfly 11, there have been a *lot* of
> fixes since 8.1.
>
> Stuart
>
> On Wed, Nov 1, 2017 at 1:04 AM, Nick Stuart <nick at portlandwebworks.com>
> wrote:
> > Hello all, having an issue with a custom
> > io.undertow.security.api.AuthenticationMechanism implementation and EJB
> > security on WildFly 8.2 and hoping someone can think of a work around.
> >
> > Basic problem, user is authenticated via the AuthenticationMechanism, and
> > the web context sees the user just fine and their roles, but when we get
> to
> > the EJB calls the user is seen as 'anonymous'. The mechanism calls:
> >
> > sc.authenticationComplete(ac, mechanismName, true);
> > and returns:
> > AuthenticationMechanismOutcome.AUTHENTICATED;
> >
> > The resources I'm calling are configured as being protected through the
> > web.xml and all of that is working as expected.
> >
> > Another note, I am able to get this to work in WildFly 10.1, but only
> with
> > (what I think is) a bit of hack. The following code is required for EJB
> > Security to work:
> >
> >     sc.authenticationComplete(ac, mechanismName, true);
> >     sc.login(ac.getUsername(), "");
> >     sc.authenticate();
> >
> > This same code in 8.2 causes an infinite recursion issue. Even working
> > around that (with another hack) this still doesn't work.
> >
> > Any ideas would be greatly appreciated. Upgrading is going to be
> considered
> > a worst case scenario right now, and would like avoid it right now if at
> all
> > possible.
> >
> > Thanks for the help!
> > -Nick
> >
> > _______________________________________________
> > undertow-dev mailing list
> > undertow-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171101/c372e641/attachment.html 

From nick at portlandwebworks.com  Wed Nov  1 08:48:41 2017
From: nick at portlandwebworks.com (Nick Stuart)
Date: Wed, 1 Nov 2017 08:48:41 -0400
Subject: [undertow-dev] WildFly 8.2.1 EJB Security and Custom Auth
	Mechanism.
In-Reply-To: <CAE=-AhALX2hLLW4dE=AA18ySV0YutoYGKTo=A-asvNXc2RMmAw@mail.gmail.com>
References: <CA+FvxKhsAr2aNO0R5rXA2yNoU24Xz4KZH66ZNnzMNfjbRTEN6w@mail.gmail.com>
	<CAE=-AhALX2hLLW4dE=AA18ySV0YutoYGKTo=A-asvNXc2RMmAw@mail.gmail.com>
Message-ID: <CA+FvxKgzsXFurZ1VF0fbvyuuUvVOR+NS5vapUVCZyKxjv0VEBw@mail.gmail.com>

Thanks for the info Arjan, this is something I'll also look into. I have a
working solution at the moment (see other reply to Stuart), but as noted
still not 100% comfortable with it.

Luckily(?) we were already using a SecurityDomain configuration, so
modifying that to use JASPIC is not a huge difference from what we have
now. And as stated, the upgrade to wildfly 10/11 would be nice, but not in
my control at the moment.

-Nick

On Tue, Oct 31, 2017 at 5:55 PM, arjan tijms <arjan.tijms at gmail.com> wrote:

> Hi,
>
> On Tue, Oct 31, 2017 at 3:04 PM, Nick Stuart <nick at portlandwebworks.com>
> wrote:
>
>> Hello all, having an issue with a custom io.undertow.security.api.AuthenticationMechanism
>> implementation and EJB security on WildFly 8.2 and hoping someone can think
>> of a work around.
>>
>> Basic problem, user is authenticated via the AuthenticationMechanism, and
>> the web context sees the user just fine and their roles, but when we get to
>> the EJB calls the user is seen as 'anonymous'. The mechanism calls:
>>
>> sc.authenticationComplete(ac, mechanismName, true);
>> and returns:
>> AuthenticationMechanismOutcome.AUTHENTICATED;
>>
>
> This looks quite similar to a number of different fixes that were being
> done for WildFly when the caller authenticates via JASPIC. See some of the
> links here: https://jaspic.zeef.com/arjan.tijms#block_63051_
> implementations-issue-tracking
>
> You could try authenticating via JASPIC instead of AuthenticationMechanism
> to see if that makes a difference. JASPIC should really work, as I have
> been specifically testing WildFly for that. See http://arjan-tijms.
> omnifaces.org/2016/12/the-state-of-portable-authentication-in.html
>
>
> Any ideas would be greatly appreciated. Upgrading is going to be
>> considered a worst case scenario right now, and would like avoid it right
>> now if at all possible.
>>
>
> Just curious, but why would you want to avoid that? WildFly 8 corresponds
> to a very early version of JBoss EAP 7, while WildFly 10 is very close to
> the final release.
>
> Kind regards,
> Arjan Tijms
>
>
>
>>
>>
>> Thanks for the help!
>> -Nick
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171101/f0bac3b5/attachment.html 

From paroczizs at gmail.com  Sun Nov  5 14:02:37 2017
From: paroczizs at gmail.com (paroczizs .)
Date: Sun, 5 Nov 2017 20:02:37 +0100
Subject: [undertow-dev] Using the RequestBufferingHandler properly
Message-ID: <CACb-xVXWyuC-HH-ZRE5Gf7POsmmLdx9Z8kdRPFE+kABXca+U6g@mail.gmail.com>

Hi Undertow dev,

I would like to use the RequestBufferingHandler in our proxy application. I
found the following in a privious post:

"RequestBufferingHandler is a performance enhancing handler that is
designed to be used for blocking requests, basically
it allows you to fully read the request before the request gets dispatched
to a (potentially limited) thread pool."



I have to do the following:

- read the full request body or first limit size of the body e.g max 1MB if
larger there is no need for the whole body.
- do some check on the body content
- forward the whole request towards the business backend using a proxy
handler if the check was successful


I use the Undertow with Wildfly, the RequestBufferingHandler cannot be
configured in the standalone.xml the error refer an unimplemented
constructor.
I can clone the RequestBufferingHandler into an own class and I suppose it
works but I am not able to access the bufferd bytes due to the attachment
key belongs HttpServerExchange and the attachment key is package private so
I cannot use it.

Some more detail:

- I also would like to log the full in/out contents with conduits. With
this I got an error if the RequestBufferingHandler registered and fired
before the handler that wants to add the conduits. The problem here that I
need some info from the request in the log (request id / correlation id /
etc.). I can create callbacks towards the own conduit but it is not clear
for me how the conduits and the RequestBufferingHandler work together.

Any help is appreciated.

Regards, Zsolt





<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Mentes
a v?rusokt?l. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#m_6878925675556719771_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171105/61da2d65/attachment-0001.html 

From sdouglas at redhat.com  Sun Nov  5 19:00:59 2017
From: sdouglas at redhat.com (Stuart Douglas)
Date: Mon, 6 Nov 2017 11:00:59 +1100
Subject: [undertow-dev] Using the RequestBufferingHandler properly
In-Reply-To: <CACb-xVXWyuC-HH-ZRE5Gf7POsmmLdx9Z8kdRPFE+kABXca+U6g@mail.gmail.com>
References: <CACb-xVXWyuC-HH-ZRE5Gf7POsmmLdx9Z8kdRPFE+kABXca+U6g@mail.gmail.com>
Message-ID: <CAD+L2cyjzHWOmFqOySM3Qm7FS9dp2op-SmouH4uVFw8HHNt--A@mail.gmail.com>

On Mon, Nov 6, 2017 at 6:02 AM, paroczizs . <paroczizs at gmail.com> wrote:

> Hi Undertow dev,
>
> I would like to use the RequestBufferingHandler in our proxy application.
> I found the following in a privious post:
>
> "RequestBufferingHandler is a performance enhancing handler that is
> designed to be used for blocking requests, basically
> it allows you to fully read the request before the request gets dispatched
> to a (potentially limited) thread pool."
>
>
>
> I have to do the following:
>
> - read the full request body or first limit size of the body e.g max 1MB
> if larger there is no need for the whole body.
> - do some check on the body content
> - forward the whole request towards the business backend using a proxy
> handler if the check was successful
>
>
> I use the Undertow with Wildfly, the RequestBufferingHandler cannot be
> configured in the standalone.xml the error refer an unimplemented
> constructor.
>

It can, but you need to use the expression-filter and use
'buffer-request(10)' (10 is the number of buffers, the number you want will
depend on your buffer size).

That said I don't think you really want to use request buffering handler
here, like it says in the javadoc it is intended to provide some
performance enhancements in a specific situation.

Instead your should write a handler that:

- Reads all the bytes, up to your specified maximum amount (and I assume
rejects if it is too large, which request buffering handler will not do)
- Performs your checks
- Use Connectors.ungetRequestBytes() and Connectors.resetRequestChannel to
make the data availble to later handlers (basically just copy the buffering
handler and adapt it to your needs).



> I can clone the RequestBufferingHandler into an own class and I suppose it
> works but I am not able to access the bufferd bytes due to the attachment
> key belongs HttpServerExchange and the attachment key is package private so
> I cannot use it.
>
>
You are not supposed to directly access that attachment, it to enable the
exchange to re-read the bytes. If you want to perform verification either
use a different attachment or do the verification directly in your handler.


> Some more detail:
>
> - I also would like to log the full in/out contents with conduits. With
> this I got an error if the RequestBufferingHandler registered and fired
> before the handler that wants to add the conduits. The problem here that I
> need some info from the request in the log (request id / correlation id /
> etc.). I can create callbacks towards the own conduit but it is not clear
> for me how the conduits and the RequestBufferingHandler work together.
>

Just attach all the data in your handle, and log from the attached buffered
data, rather than using a conduit.

Stuart


>
> Any help is appreciated.
>
> Regards, Zsolt
>
>
>
>
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Mentes
> a v?rusokt?l. www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#m_-3186565349216403654_m_6878925675556719771_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171106/b5d48d6a/attachment.html 

From bdw429s at gmail.com  Wed Nov 29 16:15:23 2017
From: bdw429s at gmail.com (Brad Wood)
Date: Wed, 29 Nov 2017 15:15:23 -0600
Subject: [undertow-dev] CAC certifications with Undertow
Message-ID: <CALbQ1omHqvx8TuRiK5AybLmyL5C5OKZPsWaBnwgQM5OR+sx8Nw@mail.gmail.com>

I'm interested in implementing CAC certs (like what the DoD uses) with
Undertow but I'm not finding a lot of info right off.  Everyone I know
who's using this is doing it via IIS.

I did find this nice guide, but it's for Wildfly:
https://github.com/wildfly/quickstart/tree/10.x/helloworld-war-ssl

Does anything like this exist but just for direct Undertow usage?  Or maybe
someone can help me find the Undertow equivalents for the Wildfly
configuration bits.  I'm just getting started into looking at this so any
links are helpful.

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171129/76970bd0/attachment.html 

From marc.boorshtein at tremolosecurity.com  Wed Nov 29 16:45:24 2017
From: marc.boorshtein at tremolosecurity.com (Marc Boorshtein)
Date: Wed, 29 Nov 2017 16:45:24 -0500
Subject: [undertow-dev] CAC certifications with Undertow
In-Reply-To: <CALbQ1omHqvx8TuRiK5AybLmyL5C5OKZPsWaBnwgQM5OR+sx8Nw@mail.gmail.com>
References: <CALbQ1omHqvx8TuRiK5AybLmyL5C5OKZPsWaBnwgQM5OR+sx8Nw@mail.gmail.com>
Message-ID: <CAH2S7UD3AJ7s3=0FwxxXPs-0LeXB2qqYE=iHO54OBVVwmTB01A@mail.gmail.com>

Take a look at

https://github.com/TremoloSecurity/OpenUnison/blob/1.0.12/unison/openunison-on-undertow/src/main/java/com/tremolosecurity/openunison/undertow/OpenUnisonOnUndertow.java

I used this code with PIV cards (which work the same way as CAC)

Marc Boorshtein
CTO, Tremolo Security, Inc.


On Nov 29, 2017 4:23 PM, "Brad Wood" <bdw429s at gmail.com> wrote:

> I'm interested in implementing CAC certs (like what the DoD uses) with
> Undertow but I'm not finding a lot of info right off.  Everyone I know
> who's using this is doing it via IIS.
>
> I did find this nice guide, but it's for Wildfly:
> https://github.com/wildfly/quickstart/tree/10.x/helloworld-war-ssl
>
> Does anything like this exist but just for direct Undertow usage?  Or
> maybe someone can help me find the Undertow equivalents for the Wildfly
> configuration bits.  I'm just getting started into looking at this so any
> links are helpful.
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171129/7e3d1da8/attachment.html 

From bdw429s at gmail.com  Wed Nov 29 17:20:15 2017
From: bdw429s at gmail.com (Brad Wood)
Date: Wed, 29 Nov 2017 16:20:15 -0600
Subject: [undertow-dev] CAC certifications with Undertow
In-Reply-To: <CAH2S7UD3AJ7s3=0FwxxXPs-0LeXB2qqYE=iHO54OBVVwmTB01A@mail.gmail.com>
References: <CALbQ1omHqvx8TuRiK5AybLmyL5C5OKZPsWaBnwgQM5OR+sx8Nw@mail.gmail.com>
	<CAH2S7UD3AJ7s3=0FwxxXPs-0LeXB2qqYE=iHO54OBVVwmTB01A@mail.gmail.com>
Message-ID: <CALbQ1onR5rcsxkykrs9Swokf9NZr25fQVaDSCPHv5Fkhf5M0Yg@mail.gmail.com>

Thanks for the example code Marc!

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com


On Wed, Nov 29, 2017 at 3:45 PM, Marc Boorshtein <
marc.boorshtein at tremolosecurity.com> wrote:

> Take a look at
>
> https://github.com/TremoloSecurity/OpenUnison/
> blob/1.0.12/unison/openunison-on-undertow/src/main/java/com/
> tremolosecurity/openunison/undertow/OpenUnisonOnUndertow.java
>
> I used this code with PIV cards (which work the same way as CAC)
>
> Marc Boorshtein
> CTO, Tremolo Security, Inc.
>
>
> On Nov 29, 2017 4:23 PM, "Brad Wood" <bdw429s at gmail.com> wrote:
>
>> I'm interested in implementing CAC certs (like what the DoD uses) with
>> Undertow but I'm not finding a lot of info right off.  Everyone I know
>> who's using this is doing it via IIS.
>>
>> I did find this nice guide, but it's for Wildfly:
>> https://github.com/wildfly/quickstart/tree/10.x/helloworld-war-ssl
>>
>> Does anything like this exist but just for direct Undertow usage?  Or
>> maybe someone can help me find the Undertow equivalents for the Wildfly
>> configuration bits.  I'm just getting started into looking at this so any
>> links are helpful.
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20171129/0af69606/attachment-0001.html 

From me at christophsturm.com  Thu Nov 30 11:20:21 2017
From: me at christophsturm.com (Christoph Sturm)
Date: Thu, 30 Nov 2017 17:20:21 +0100
Subject: [undertow-dev] no error logged when running out of files.
Message-ID: <0BE11796-B53A-47F0-BD1D-B1ABF4781CED@christophsturm.com>

Hello Undertow developers!

Lately my undertow server sometimes just stopped listening on its http port. I found out that the reason was that it ran out of files. The really strange thing about it is that it just stopped listening on the http port without logging any error. 

I have now reproduced it locally by setting the file limit to a low value  (ulimit -H -n 400) before starting the server, and then sending it some traffic with wrk. 

I totally understand that running out of file handles is a big deal and that the server can act strange in that case. but its really suprising to see not a single log entry about that (also not to stdout) 

thanks, regards
 chris