Re: problems with web.xml and security
Rosaria Silipo wrote: Thanks Carl, Yes, I tried to see /secure as first thing and I can see it without authentication. I tried to close browser and restart it and I still could see it. Maybe the problem is on the web.xml of /secure. Is it possible? -- Rosaria If I'm reading your sentence correctly, then yes. If /secure is a different web application than / (or ROOT) then the different contexts will process different web.xml files. The /* is relative to the root of the web application, not to the Tomcat installation. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon Co-Author of Apache Tomcat Bible, Wiley 2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problems with web.xml and security
You need 2 web.xml files. In / (or ROOT) for the context that maps to http://my.domain.com/ and in the web application defined by the context /secure which may be in the subdirectory webapps/secure, or it may be webapps/secure.war, or it may be webapps/somethingelse and have Context element in conf/server.xml point to the appropriate web application. This will map to http://my.domain.com/secure Remember, we're talking about web applications, and *not* directories. So, in the web application that you have defined to be the context /secure, put the security constraint of /* That will apply to all file *in that context*. Different contexts have different web.xml files. Directories are only relevant _within_ a web application. Cheers, -- jon Rosaria Silipo wrote: Sorry, my mistake! It worked because in the meantime I removed /secure. If I rebuild /secure, I can still access it without being authenticated. Summary: I have web.xml for / and web.xml for /secure. Without web.xml in /secure/web/WEB-INF I can not build /secure in the web application. How do I include /secure in the root web application? Thanks -- Rosaria -Original Message- From: Jon Eaves [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 17, 2003 3:04 PM To: Tomcat Users List Subject: Re: problems with web.xml and security Rosaria Silipo wrote: Thanks Carl, Yes, I tried to see /secure as first thing and I can see it without authentication. I tried to close browser and restart it and I still could see it. Maybe the problem is on the web.xml of /secure. Is it possible? -- Rosaria If I'm reading your sentence correctly, then yes. If /secure is a different web application than / (or ROOT) then the different contexts will process different web.xml files. The /* is relative to the root of the web application, not to the Tomcat installation. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon Co-Author of Apache Tomcat Bible, Wiley 2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Redirect and Tomcat
Hi all, And just to follow up on that, you should always serve your login page under SSL as otherwise the bad guys can change the FORM action parameter and use it to grab your usernames and passwords. So, the initial GET to grab the login page can trigger the http-https redirect rather than doing it under the POST of the FORM. Which is the best course of action anyway. Cheers, -- jon Daniel Brown wrote: This was news to me too. But, from the horse's mouth: RFC 2616HTTP/1.1 June 1999 If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. [ snip ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: (Urgent) SSL Error!
Anish Mehta wrote: Hi, I am in urgent need to solve a problem. When attempting to connect from a Java GUI application to a servlet using the following URL: http://localhost:8443/examples/servlet/MyUploadServlet? This should be: https://localhost:8443/examples/servlet/MyUploadServlet? ^ Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Pri-Compiled jsp and war files
Hi Tony, Here's an Ant task that will do what you want. Please be aware that this will delete all the JSP files from the build directory as part of the processing. It also creates a web.xml fragment that represents all the servlets (that were the jsp files) that needs to be included in the web.xml prior to creating the WAR file. It runs jasper first, and expects to find the JSP files in ${web.home} and will output the java files in ${basedir}/gensrc. These java files are then compiled and put into the build directory (where all the servlet files are) !-- jspc target -- taskdef classname=org.apache.jasper.JspC name=jasper classpath refid=compile.classpath / /taskdef target name=jspc depends=compile description=Invoke Jasper JSP compiler mkdir dir=${basedir}/gensrc / jasper verbose=0 uriroot=${web.home} webXmlFragment=${basedir}/web.inc outputDir=${basedir}/gensrc / javac srcdir=${basedir}/gensrc destdir=${build.home}/WEB-INF/classes classpath refid=compile.classpath / /javac !-- remove any *.jsp files in the build directory -- delete fileset dir=${build.home} includes=**/*.jsp / /delete /target Now, just WAR it up. target name=dist depends=compile,javadoc description=Create binary distribution !-- Copy documentation subdirectories -- mkdir dir=${dist.home}/docs/ copytodir=${dist.home}/docs fileset dir=${docs.home}/ /copy !-- Create application JAR file -- jar jarfile=${dist.home}/${app.name}-${app.version}.war basedir=${build.home}/ !-- Copy additional files to ${dist.home} as necessary -- /target So, this creates the war file. ant compile jspc dist Will do all the good things. If you want the actual build.xml that does all this, then let me know. If you're using an IDE this should give you the general idea, but you're on your own. Cheers, -- jon Tony Colson wrote: After reading the documentation I am unclear how to package the precompiled jsp pages with a war file so that Tomcat will see and use them. Also, do I need to include the actual jsp files themselves? When I tried that, Tomcat recompiled them anyways and put them in the work directory as normal. I am running Tomcat 4.1.18. Thanks Tony __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Require a secure connection
Hi Neal, security-constraint display-nameWeb Booking/display-name web-resource-collection web-resource-nameWeb Booking /web-resource-name url-pattern/web/*/url-pattern http-methodGET/http-method http-methodPOST/http-method /web-resource-collection user-data-constraint transport-guarantee CONFIDENTIAL /transport-guarantee /user-data-constraint /security-constraint Will do what you want. This will switch the transport to HTTPS. You can also check programatically using request.isSecure() in the servlet to make sure the administrator has installed your application and SSL correctly. neal wrote: Does anyone know how to *require* that a page be accessed only via a secure connection? For instance, I *can* request a secure connection to a page by going to https://; and the url ... but how do I prevent a user from going to http://; to request that same page? Would this be a proxy thing or is something I can set in Tomcat? Is there something that wouldn't require the overhead of reflecting upon every single request at the Java level? Thanks. neal -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [ OT ] what source code control system?
Noel J. Bergman wrote: Despite the fact that it is widely used, the list of problems with CVS is long and distinguished. I'll disagree here. CVS is missing some features that other people find very desirable in a source control system. This doesn't mean it has a long list of problems. The only thing that I'd consider a problem with CVS is the lack of an atomic commit. Having said that, I've been using it for over 10 years, nearly always in client-server mode or remotely tunnelling over SSH and I have _never_ had a problem. Since you can't use SourceSafe, I would recommend that you look at Subversion (http://subversion.tigris.org). Subversion is self-hosting, works with database and apache, has an API, and there is a GUI interface (http://rapidsvn.tigris.org). Subversion uses WebDAV, and there is even a Wiki using Subversion. If you were in a corporate environment, perhaps Subversion might not be ready for you (but then again, you could afford SourceSafe), but in your environment you might like the possibilities in Subversion. There is always CVS if you need it, and don't mind the problems (like the inability to rename something). Renaming things is trivial, just get the administrator to rename it for you. mv $CVSROOT/src/foo.java,v $CVSROOT/src/bar.java,v. Or if you don't care about losing your log history, then just delete and add it. Sure, it's not the most user friendly approach, but it can be done. I'm a big, big fan of CVS, it's very stable and it's been used in technical teams and I've also taught graphic designers to use it. Throughout that time, I've never had an issue with files being corrupted, magically deleted or anything else. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [OFF-TOPIC] RE: RewriteRules and Standalone Tomcat
Hiya Neal (and others) As a counterpoint to your argument about search engines and small sites I have some real numbers: From my website referrer stats: (For an Apache HTTP: http://www.eaves.org) Direct requests : 28% Google.com : 1.5% Google images : 0.7% search.yahoo.com : 0.3% Google.ca : 0.15% Google.co.uk : 0.15% Google.it : 0.11% Google.de : 0.09% Google.com.au : 0.08% Google.co.nz : 0.06% Google.fr : 0.03% Google.pl : 0.03% Google.nl : 0.03% altavista.com : 0.03% au.altavista.com : 0.02% The rest of the traffic is from a whole load of Java MIDlet portals. Total search engines combined: ~4% Now, I'm not running java.sun.com or anything like that but for a personal website I get an average of 30,000 hits a month, and I suspect that the only way that people find my site would be: 1. Signature links in email 2. Search engines It's not like anybody is going to be trying to guess my URL just to see what is there ;-) And the best thing is that I have a site that is just running Tomcat, on a wacky URL to compare this against: (Tomcat: http://www.eaves.org:28080/) Direct requests : 55% looksmart.com : 15% eaves.org : 9% google : 6% search.msn.com : 5% yahoo.com : 1% google.ca : 1% Now, I don't trust these numbers as much because the hits are so much lower 2000 hits a month, but it's clear in my case that there is no, or little penalty for whatever behaviour Tomcat might have. Of course, YMMV, batteries not includes, offer void where prohibited by law. Cheers, -- jon neal wrote: You're comparing apples and oranges .. and pears (staying with the analogies ;-)). A high profile site of course does not need the engines to the same extent as a small site. Additionally, a small site with a mature link base (100s or 1000s of grade A links) will not recieve as much traffic from them either. For a new site (first year or so) its just the opposite. Besides, I was including places like Yahoo!, AOL, when I refer to search engine. Granted these are CPCs (fake search engines) but nonetheless google probably has 80% of the search engine market ... as for the 80% of traffic coming from search engines - its a statistic I recently read in a book. I can look it up for you if interested. If sounds though like the truth of this statistic has a lot to do with whether you're comparing apples ... oranges ... or pears. As for switching to Apache with 1hr work ... I'm also bucking that just because (a) my ISP will want to get involved and charge me hourly for the setup of an addt'l app and (b) I will have to get another $300 SSL cert from Trawte if I go that road. Sigh. Neal -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: HTTPS to HTTP
Jacob Kjome wrote: It is my understanding that if Tomcat allowed you use the same session and the session was created under https for a particular user, then once it gets to http the session id is now in clear text. This is what, I believe, Craig is talking about when he says that using SSL in this manner only creates the appearance of security, not true security. All I'd have to do to wreak some serious havoc is sniff packets, hijack the session, and browse back into the secure sections of the site under the guise of the user whose session I hijacked. How is that security? I'll bite on this one. But first I'll say that I agree mostly with your and Craig's position on this because in general most people aren't experienced enough with security to make good decisions about what is going on. However this particular issues that has been raised can make use of the HTTPS-HTTP switch securely but with fairly bogus user experience. (My opinion on the user experience, nothing more) Security is made of a number of components, these are generally: Authentication, Access Control,Data Integrity and Confidentiality. Rather than boring people about this,the two important parts to this discussion are essentially Authentication and Confidentiality. We want to use Authentication to allow the right person to access the data and we want to use Confidentiality to make sure that bad people can't see things in transit. _Normally_ authentication is handled once and then confidentiality is used to ensure the tokens remain private. However this is not the only way to do it. Here's an example scenario which I believe matches the desired result and why HTTPS-HTTP _is desirable and secure in this instance_. 1. There are 2 areas of the website, secret stuff and public stuff. 2. Requests and responses from secret stuff is handled by HTTPS 3. Requests and responses from public stuff is handled by HTTP 4. To access the secret stuff, each and every time you try to access the secret stuff from the public stuff you are forced to authenticate. 5. The authentication mechanism uses confidentiality to protect the tokens and any transfer of secret stuff 6. There is nothing in the public stuff that matters if a session is hijacked. This is desirable under the circumstances where you might wish to initially authenticate under HTTPS to protect the tokens _only_, switch to HTTP and keep the session valid either for tracking purposes or merely to display the user name on the page. Given that it is possible to force re-presentation of the authentication tokens each time then I cannot see the security related problem with this scenario. (User experience problems, however) I am happy to have people poke holes in the scenario and tell me what I've done wrong, but it seems correct to me. Would I build it this way ? Probably not, but I generally don't like to double-guess the constraints or problems my customers might have. I could see that this might be useful if there is an enormous user base that accesses a lot of public content and very, very occasionally needs to access very secret information. If 99.9% of the traffic doesn't need to be secured, _and your user base is huge_ and you want the results of the authentication to be available in the public area then this seems like a reasonable request. I will stress however that I feel that providing HTTPS-HTTP session migration within Tomcat is a highly dangerous thing as it will be utilised in the single authentication continued session approach by most people because they will not be able to understand why it's a bad thing. After having said all that, I'm sure it can't be hard to write a SessionMigration object that can contain the data you want to throw over the wall store it in the web application context and pass a parameter through the URL redirection so it can be recovered on the other side. Maybe that's the workaround that's required in this situation. Cheers, -- jon Jake At 08:17 PM 1/9/2003 -0800, you wrote: I'm aware of that. The tomcat-specific issue is that it won't let you make the transition from https to http on the same session. That's frustrating. -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: unsubscribing to this mailing list
Hi Mark, John These lists are using ezmlm. You can unsubscribe from a wrong address by sending a blank email to this address: [EMAIL PROTECTED] That should end up with the right mail address being sent to ezmlm and your confirmation email hopefully will end up in your inbox. Then reply to that and it should work. If it doesn't then you will need to get a moderator to send an email using the same To field and that will not require confirmation. Disclaimer: I've never tried this, but that's what the manual says to do. Cheers, -- jon Mark Goking wrote: yes. when i first joined this mailing list, i had no problem at all. i was even able to unsubscribe directly. but when i subscribed for the 2nd time, i had problems. it took me about 2 days to subscribe again. i didnt have any idea why it acted that way. within those 2 days i emailed the admin to manually add me and he said no because my email uses exchange server and the mailing list has problems dealing with email addresses that uses the ms exchange server. still, after 2 days i was able to subscribe myself here. the problem now is unsubscribing. since i couldnt unsubscribe myself, i dont think it's impossible for the admin to manually remove me from the mailing list. unsubscribing is as simple as 1 2 3 but the process just doesnt work for me anymore. mark -Original Message- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 07, 2003 9:23 AM To: 'Tomcat Users List ' Subject: RE: unsubscribing to this mailing list Are you sure you are using the correct from address? I was able to unsubscribe and resubscribe myself twice in the past 6 weeks when going on vacation. -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Console output in Tomcat
Hi all, (and Happy New Year) If you want the System.[out|err] messages use the following: Logger className=org.apache.catalina.logger.SystemErrLogger / Logger className=org.apache.catalina.logger.SystemOutLogger / Cheers, -- jon Shrotriya, Sumit wrote: Vlad, Yes you are right on that. When running as a service your output does get logged to those files but when trying to run Tomcat as an application it doesn't log the output. My comments in my previous mail were not to get into an argument of any sort. I take any words back if you felt anything like that. Cheers, Sumit [ snip ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Servlet/Session/Attribute Listeners not very useful ?
Jason Jonas - ATTBI wrote: Jon, Hi Jason, I've used the SessionListener interface once to write usage stats to a database when a user logs out explicitly or implicitly when the session times out. Haven't used it since and not too sure if I would again. However, the mechanism worked well enough to satisfy our requirement. Yeah. That is also a use. Again, it's anonymous in that you can't identify exactly what session expired, just that a session expired. If you're trying to access your application objects bound into the session, perhaps you could wrap them in a single application object. While this is a kludge, it means the object references are readily available and would eliminate the IllegalStateExceptions you're encountering now. Just a thought. It's more that I want to clean up some application wide data when the session expires. I can't even work out how to map the session that has just expired to anything useful either. If I could get the session id of the session that expired then it could store the information in application scope and use the ID as a key. From my reading of the Servlet Specs and the API documentation it appears that the intention of the expert group was along those lines, but it doesn't seem to have carried through in the implementation. SRV.10.7 Session Events Listener classes provide the developer with a way of tracking sessions within a web application. ... session became invalid because the container timed out the session, or because a web component .. called the invalidate() method. The disctinction may be determined indirectly using listeners and the HTTPSession API methods and javax.servlet.http.HttpSessionListener public void sessionDestroyed(HttpSessionEvent se) Notification that a session was invalidated. javax.servlet.http.HttpSessionEvent only has 1 method, to get the session. Which at that time is invalid. I might have to try some more obscure options like trying to use an HttpSessionAttributeListener and the HttpSessionBindingEvent to see if when a session is invalidated a BindingEvent is emitted. I'm not thinking I'm going to be all that successful though. I was half hoping that Craig might be able clarify after he's finished with his Festive cheer ;-) Cheers, -- jon Jason -Original Message- From: Jon Eaves [mailto:[EMAIL PROTECTED]] Sent: Saturday, December 28, 2002 6:08 AM To: Tomcat Users List Subject: Servlet/Session/Attribute Listeners not very useful ? Hi all, Can anybody tell me what possible use these particular interfaces are ? After thinking that they would be a good idea to use for web app session management enhancements (session timeout etc) it turns out that the invocations of valueUnbound(), sessionDestroyed(), attributeRemoved() all occur _after_ the event has occurred, and the values that would possibly be useful are all gone throwning IllegalStateExceptions left right and centre. What gives ? Did the Servlet Spec people have some other use for these Interfaces that I'm not smart enough to work out, or are they only useful for printing object added|removed|replaced without being able to actually obtain the object? The specifications for 2.4 for javax.servlet.http.HttpSession still say the same things as 2.3, and if implemented in the same way don't appear to be useful at all Or is there some special magic that I'm not invoking the right way ? Help me, I'm confused .. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Servlet/Session/Attribute Listeners not very useful ?
Hi all, Can anybody tell me what possible use these particular interfaces are ? After thinking that they would be a good idea to use for web app session management enhancements (session timeout etc) it turns out that the invocations of valueUnbound(), sessionDestroyed(), attributeRemoved() all occur _after_ the event has occurred, and the values that would possibly be useful are all gone throwning IllegalStateExceptions left right and centre. What gives ? Did the Servlet Spec people have some other use for these Interfaces that I'm not smart enough to work out, or are they only useful for printing object added|removed|replaced without being able to actually obtain the object? The specifications for 2.4 for javax.servlet.http.HttpSession still say the same things as 2.3, and if implemented in the same way don't appear to be useful at all Or is there some special magic that I'm not invoking the right way ? Help me, I'm confused .. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: RES: Is there a problem with tomcat JNDI resources (I don't thinkso)
Iran Marcius wrote: If I'm not mistaken, I read somewhere that using GlobalNamingResource with ResourceLink (inside Context) make unnecessary to put resource-ref in web.xml. Tomcat naming examples didn't use it too. I may have been the perpetrator of that particular piece of information. It was while asking a question to Craig. Is that correct? His answer was; functionally it is not needed, but you should have it because it's the right thing to do to make your web application portable. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Tomcat Administration Tool
Hi all, The Tomcat Admin Tool uses a UserDatabaseRealm for authentication and for editing as part of the configuration options. This uses the conf/tomcat-users.xml file for the source of information I was interested in knowing if anybody has configured Tomcat _and_ the Admin tool to use an alternate Realm, like JDBCRealm or a close cousin that the Admin Tool can manage ? I'd be interested in hearing from anybody who has gone down this path Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
HTML Manager Application FAIL - Invalid application URL was specified
Hi all, First, the preamble: Tomcat 4.1.12, Windows 2k. I've searched the archives to no avail. I've had a million monkeys typing in URLs without success. I've even read the documentation, but that didn't help. Can anybody tell me the magic combination that I need to type into either the Config URL or the WAR URL ? (Can somebody confirm that Config URL = context.xml URL ?) WAR works for a foo.war and an unpacked foo.war so I guess that's the only choice left. I suspect the HTML Manager App is broken because after it whines at me (or my monkeys) for what was typed in I can edit the URL in the browser and generate a line that is valid and actually install my web application. Here's how I can make it work... 1. Path: /hello Config URL: [ empty ] WAR URL: file:c:\devel\jon\hello\build Results in : FAIL - Encountered exception java.net.MalformedURLException: no protocol: 2. Edit the browser URL and remove the installConfig= Results in : OK - Installed application at context path /hello So, broken, or is there some magic that I'm missing. Please hurry, my monkeys are getting tired and I suspect they will faint from hunger before getting the right combination. ;-) Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Tomcat dies
If that is the cause, what's wrong with using 'nohup' ? (Or am I missing something here?) Cheers, -- jon Matthew Ritenburg wrote: The logs say nothing. Tomcat is dying because it is not backgrounding properly on solaris 8. The process never detaches it self from the controlling tty. You close the console/xterm and Tomcat dies. My question is: Why doesn't tomcat background properly on Solaris 8? Thanks again! Matt [ snip ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: where is stderr sent? AND ALSO 'System.err'
Hi all, Try these: Logger className=org.apache.catalina.logger.SystemErrLogger / Logger className=org.apache.catalina.logger.SystemOutLogger / Cheers, -- jon Patrick Kosiol wrote: Hi, this is a good question. In Java there is also a System.err. So I am also interested where the Messages were written. How does Tomcat handle those errormessages? Are them be logged in a special file oder easiely given out through the console. Are there differences between Linux and Windows systems where the Tomcat runs? thx Patrick Fabien Roy wrote: Hi! Where is stderr sent? Where is this defined? I have the following line in my application log (the path is defined in server.xml) 2002-12-11 12:45:42 cgi: runCGI: 1 lines received on stderr And I would like to know what that line is... Thanx Fabien -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Need help using manager of tomcat
Hi all, Provided my memory serves me correctly, you can't use the manager application to deploy. Deploy requires the use of POST, and the ant task is the only way to do that. Use install instead, or the ant deploy task, or copy a context.xml into the webapps dir, or package up a war and put it into webapps. So many options, so little time Cheers, -- jon Boris Folgmann wrote: Sherif D Mohamad wrote: Dear All, I successfully installed tomcat standalone on rehat linux 7.3 and seems working ok, I am trying to use the manager to I can make changes to sites without restarting server When I try the command : http://www.myserver.com/manager/deploy?path=/firsttest I have the following error FAIL - Unknown command /deploy Although docs says it should respond with : OK - Deployed application at context path /firsttest For my local tomcat installation I use the install command for deploying WAR files: http://www.myserver.com:8080/manager/install?path=/firsttestwar=jar:file:/home/yourname/firsttest.war!/ And it works. IIRC I had also problems with deploy. There's also this page: http://www.myserver.com:8080/manager/html/list The list of installed apps is nice, but I never managed to use the install form provided on this page. Does anybody know what has to be entered in the text fields? -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Need help using manager of tomcat
Boris Folgmann wrote: Jon Eaves wrote: Hi all, Provided my memory serves me correctly, you can't use the manager application to deploy. If you're right, the documentation should be changed. Well, maybe. Remember the manager application is talking about the /manager web application and not only the /manager/html functionality. (And I was quite sloppy with my response above, as I should have said Manager Application HTML Interface) Sorry for adding to the confusion. It probably needs further highlighting on the actual web application to assist people in not confusing themselves. ;-) But what about the text input fields on /manager/html/list? Is it simply unfinished? The form action missing? The deploy task takes a war file and places that in a special place using the HTTP PUT. It's simply not possible from a web page. This is all described quite well in the documentation: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/manager-howto.html Have a look in the section Deploy a New Application and read the big NOTE: section. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Custom Valves and Administration Tool
Hi all, Thanks to Bill Barker, my custom valves now are installed happily within Tomcat and are valving away nicely without spewing MBean exceptions into the log. I was hoping to manage the valves via the Administration tool. Q1. Is this possible ? Q2. Do I have to modify the Admin tool ? Q3. How do I configure it ? (what needs to be in server.xml ?) I would have thought it was possible, as the Admin tool appears to parse the server.xml and generate stuff based on that, and my Valves have implemented the LifecycleListener interfaces so I'm a tad confused about where to go from here. Cheers, -- jon PS: I've said it before, and I'll say it again, the documentation in Tomcat for general users/administrators is first rate. This stuff is a bit thin, but what they heck, most people don't need or want to do this. -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Custom Valves and Administration Tool
Craig R. McClanahan wrote: First of all as there's been so much beating on the Tomcat developers I'd like to offer my whole-hearted congratulations to each and every one of you. You've done a great job, and what's more, in spite of the (unwarranted) vitriol that is spewed in your direction, you keep coming back for more. You guys and gals are legends. Secondly, the community here is fantastic and the way that users came to the defense of the Tomcat team was phenomenal. Good work one and all. As an author involved in a similar effort (www.bouncycastle.org) there are very few people who take the time to say Thanks, but the effect on the developers morale is worth it. Remember everybody on the list, that's all they get paid in, and it doesn't cost anything to say it Now, if you don't mind, I've got just one more question ;-) On Wed, 11 Dec 2002, Jon Eaves wrote: I was hoping to manage the valves via the Administration tool. Q1. Is this possible ? Yes, with some work. Aha. I was hoping this wasn't going to be the answer. Oh well. [ snip ] If this is the case, why does the code for the Valve recommend implementing the Lifecycle interface ? What was the design reason for that ?h Additionally, why does the MBeans server barf when loading custom beans without the mbeans-descriptor.xml file ? Is this due to the Lifecycle interface being implemented, or just purely because of the Valve definition in server.xml it is expecting to find a bean that it can manage. The reason I ask is because it seems bit of dicking around just to implement a new Valve. Writing the code took about 2 hours, it then took 2 days to get the exception stuff sorted out. What is the additional information used for ? And was there a better (read simpler and less mucking around) way to solve my get rid of the exception than addition of the descriptor, or is that required for all additional components in Tomcat ? Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Custom Valves and Administration Tool
Hi again Bill, Aha. I was hoping this wasn't going to be the answer. Oh well. [ snip ] If this is the case, why does the code for the Valve recommend implementing the Lifecycle interface ? What was the design reason for that ?h By implementing Lifecycle, you get well-defined states to allocate and release any resources that your Valve may need. Since the order of setting attributes is undefined, it makes it much easier to determine resources that depend on multiple attribute values. It's pretty much independent of the MBeans. Excellent, so the Valves can then conform to an defined servlet/applet/midlet like behaviour. I noticed the use of the start() etc methods in the Valve and guessed that was something to do with it, but also guessed wrong that it was relating to the MBeans. It's purely because of the Valve definition in server.xml, when it can't find the MBean to manage it. Actually, the Valve should function fine even with the error: It's just noise in the log. Yup. My Valves were all working just fine with the errors, but I wanted to be neat and tidy ;-) The reason I ask is because it seems bit of dicking around just to implement a new Valve. Writing the code took about 2 hours, it then took 2 days to get the exception stuff sorted out. What is the additional information used for ? And was there a better (read simpler and less mucking around) way to solve my get rid of the exception than addition of the descriptor, or is that required for all additional components in Tomcat ? With the MBean info, it is possible to use other JMX-enabled tools to manage Tomcat (including your Valve). The admin web-app is only one example of such a tool. It is also likely that JMX support will improve in Tomcat 5.x. Of course, the simplest way to get rid of the exception is to disable (aka comment out) the MBeans Listeners in server.xml. OK. I'll have a play around with that. I think I tried that originally, and when I did, the Administration application stopped working, but that may just have been co-incidence. Thanks very much Bill and Craig for your patience. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Custom Valve
Hi all, I've implemented a custom Valve which wasn't a major effort, but would like to try and resolve some strange effects that are part of the standard installation of Tomcat. I'm using TC 4.1.12, JDK 1.3.1 (just for the record). When using the custom Valve, (which also has a custom path, not an org.apache.* path) I get the following exception on start of Tomcat. --- ServerLifecycleListener: createMBeans: MBeanException java.lang.Exception: ManagedBean is not found with MyCustomValve at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783) at org.apache.catalina.mbeans.ServerLifecycleListener.createMBeans(ServerLifecycleListener.java:583) [ rest snipped ] - Now, I presume this is because my server.xml is including the mbeans.ServerLifecycleListener as part of the configuration. The code for various valves, and the ValveBase class recommends implementing the Lifecycle interface, so clearly it should support that. However, there doesn't seem to be able to be a way to include an additional mbeans-descriptors.xml file so that the MBeanUtils doesn't barf. The Registry class seems to be loaded with a hard-wired path for the XML. Additionally, I'd like to be able to manage MyCustomValve from within the GUI Administration application, so this support would be very, very nice. So, my questions are: 1. Can I prevent the exception, and if so how ? 2. Can I implement something to allow the Valve to be configured using the GUI, and if so what ? 3. Is this just an error with TC 4.1.12 and is fixed in 4.1.16 ?? Thanks to anybody who can shed some light on these questions... Cheers all, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Custom Valve
Bill, Two words: You legend ! 1. Can I prevent the exception, and if so how ? You can create your own mbeans-descriptor file, package it in the jar with your Valve, and set the descriptors=/com/myfirm/mypackage/mbeans-descriptor.xml attribute on the ServerLifecycleListener element in server.xml. Thanks, I didn't think to look for additional attributes here. 2. Can I implement something to allow the Valve to be configured using the GUI, and if so what ? 3. Is this just an error with TC 4.1.12 and is fixed in 4.1.16 ?? In 4.1.12, your Valve has to extend o.a.c.valves.ValveBase to work with the admin app. In 4.1.16 this has been relaxed to only requiring that it implements o.a.c.Contained. I saw this in the CVS log entries and realised that I was on the right track, but didn't quite know exactly what to do with that information. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: SUCCESS w. Tomcat execution!
Congratulations, I'm very happy for you. It's a great feeling to achieve something you've struggled with for so long. Seriously Steve, unless you are a sadist and a masochist then please go and buy a book on Java Servlet development. You'll make everybody, including yourself much happier and much less likely to be snippy towards you. If you've had that much trouble getting Tomcat running which I must say basically installs without trouble, then I shudder to think of the grief you're going to suffer when trying to debug a Servlet or JSP page. Maybe everybody on the list could chip in a get Steve an Amazon voucher for a Servlet book ? I know it would save me the cost of downloading all the help me messages. ;-) Cheers, -- jon Steve R Burrus wrote: Yes, SUCCESS is what I have finally met with in trying/attempting to get Tomcat activated!!! I make a thunderous declaration that I have finally done it, and of course I thank all those who helped me out, and that even includes Micael!! Now, I need some help with trying to see a JSP/Servlet in my browser, a long time problem with me!! I have just now installed Ant. Does that aid me in trying to get a JSP going or not? -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Logging to catalina logger
Hi Peter, I'm rapidly coming to the conclusion that Tomcat is the Perl of the web application development environments. For those who aren't familiar with Larry Wall's quote on doing things in Perl, it's There's always more than one way to do it. Starting at the top: 1. Use the log() method 2. Use System.out/err and set Context.swallowOutput to true 3. Use the Standard Error Logger and Standard Output Logger I suspect you probably want to use 2 or 3. All this information is available in the wonderful documentation provided by the Tomcat developers when you download the Tomcat installation. It's just a matter of reading them . The log() method is defined in the ServletContext class in the J2EE documentation. #2 is documented in the Reference/Context section of the Tomcat documentation. #3 is documented in the Reference/Logger section of the Tomcat documentation. Cheers, -- jon Peter Lee wrote: How do I produce log output to the catalina loggerwhen my program wants to print out some exceptions or messages? Any documents on this? Thanks -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: tomcat 4.1.12 log of pages hit
Unless you have implemented an AccessLogValve in the Engine, Host or Context they will be nowhere. By default they end up in the logs directory. Oh, and all that information is in the Tomcat documentation. Have a look here: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/index.html That's a good starting point, and the specific page to have a look at is any of the links under Containers. Each of them has a section called Access Logs under a heading Special Features that describes how to use it. Under that is a hyperlink which describes how the AccessLogValve works. That is found on this page: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/config/valve.html The attribute that is important is the 'directory' attribute. Cheers, -- jon Hanasaki JiJi wrote: I dont seem to find the web hit logs? The ones that can be run through webtrends. Where are they? -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: reloadable
Hi Raja, The default behaviour setting for the class reloading is a touch on the slow side, so include a Loader in the Context that looks like this one: Context path=/myapp docBase=myapp reloadable=true Loader className=org.apache.catalina.loader.WebappLoader loaderClass=org.apache.catalina.loader.WebappClassLoader checkInterval=1 / /Context And you'll find that it will now check every second, rather than the default 15 seconds. Cheers, -- jon Raja Nasrallah wrote: Hello, I set the attribute reloadable to true in a sample context tag(Context in the sever.xml) to monitor the the WEB-INF/classes. But it didn't affect. I make change in a sample class and the server don't load this class again. I am using jakarta-tomcat-4.0.6 in winow2000 server. Should I have to do other setting to make the reloadable work. Thanks, raja -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: File Path Problem...
Use ServletContext.getResourceAsStream() and store the XML file in WEB-INF/classes Using a file path is very, very bad for web applications as the web application may be deployed as a WAR where the file path just doesn't exist, or it may be deployed into an environment (such as a database) where a file path makes no sense. The Servlet specification is quite clear on this topic. The only thing you can rely on is that you can deploy your application as a WAR file, and that you can get access to a temporary bit of filesystem via the javax.servlet.context.tempdir context attribute. Anything else you may want to do is application server specific and therefore not portable. Cheers, -- jon Harsha Yalagach wrote: Hi Andreas, That doesnt solve my problem as our client wants the application without any configuration hassles and moreover the deployment platform is also not specific. It may be deployed on win32 machines or Solarix machines or Linux machines... :( Any more ideas... Regards, Harsha -Original Message- From: Andreas Probst [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 21, 2002 17:50 To: Tomcat Users List Subject: Re: File Path Problem... Hello, maybe you could save the absolute path inside a properties file or pass it as an init parameter in web.xml. For each location of your app you would have to set this path appropriately. You could use absolute paths and wouldn't need to change the source code of the application. Regards, Andreas On 21 Nov 2002 at 14:31, Harsha Yalagach wrote: Hello, I am running Tomcat 4.1 on Windows 2000 as a service. I have written a JSP page where in I am trying to read an XML. If I try to access the file using absolute path, for eg. c:\abc\xyz.xml, the page works without any problem. But if i try to access it thru relative path, for eg. ../data/xyz.xml, the tomcat will throw a FileNotFoundException saying that xyz.xml doesnt exist in SYSTEM-ROOT\System32 dir. The reason behind this is that the JSP is tring to access the file from where JVM was started according to Java Documentation, ie SYSTEM-ROOT\System32 directory where the Service Control Manager starts the Tomcat service which in turn starts the JVM. So the question is, is there any other way I can use a relative path inside my application to access a file? (I dont want to use absolute path as my application has to be distributed in many places). Thanks in advance... Warm Regards, Harsha Yalagach -- Cerebra Integrated Technologies Ltd., Bangalore, India -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Cerebra Integrated Technologies Ltd., Bangalore, India -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: logging versus ant tasks
Benson Margulies wrote: I can't figure out how to specify context options such as the existence of a logger for a context established with the ant tasks. This does require a little bit of magic, but at the end of the day, isn't too hard. Thanks to Jacob Kjome for helping me when I had the same questions. Create a file (let's call it context.xml) and in it put something like this: Context path=/myapp docBase=myapp reloadable=true debug=99 Logger className=org.apache.catalina.logger.FileLogger prefix=myapp_log suffix=.txt debug=99 timestamp=true / /Context And in your build.xml add in the following task target name=cinstall depends=compile description=Install to container using context.xml install url=${manager.url} username=${manager.username} password=${manager.password} config=file:///${build.home}/context.xml/ /target Where manager.url is the url to the manager app (http://localhost:8080) and obviously ${build.home} is where the file was created. Now, start up Tomcat, and use the command: ant cinstall and it will install the application with all the context elements and configuration that are in the context file. You can also do this with DB connection pools, as well as adding in specific Loader elements for use during development (to get faster class change checking). Removing it with : ant remove An important note is that the deploy task *DOES NOT* support the context element. However, what you can do is just copy the context.xml into $CATALINA_BASE/webapps and you will end up with the same result. This is how the admin and manager applications are deployed in the default Tomcat. Naming it something better than context.xml is probably a good idea, or if you have two web applications, bad things will happen if you try to copy both into the webpps directory. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: problem with Classloader and symbolic links in 4.1.12
it would make my life so much easier since I am trying to develop an app with thousands of classes and hundreds of packages, modifying my build system to send all the classes to the tomcat dir would be a hassle. The simplest way is to setup the context so that it points to your development environment. There is plenty of great examples of exactly how to do this here: http://jakarta.apache.org/tomcat/tomcat-4.1-doc/appdev/index.html ** Which everybody who is developing web applications really should read. ** The context element should end up looking something like this: Context path=/myapp docBase=/full/path/to/my/build reloadable=true debug=99 Loader className=org.apache.catalina.loader.WebappLoader debug=0 loaderClass=org.apache.catalina.loader.WebappClassLoader checkInterval=1 reloadable=true delegate=false/ Logger className=org.apache.catalina.logger.FileLogger prefix=myapp_log suffix=.txt debug=99 timestamp=true / /Context With the Loader element included, once the configuration is done once, you can just recompile your application directly into /full/path/to/my/build/WEB-INF/classes and it will update the classes nicely. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: welcome-file-list
Andoni wrote: Yes, it is, in as much as any .jsp file IS a servlet. A servlet may not be specified as a welcome-file. I suppose you could re-write your servlet as a JSP and then use that, but that certainly wouldn't be my recommended course of action. There's a fairly simple way to solve this and I posted a workaround for this a couple of days ago. Here's the article thread: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg73666.html Cheers, -- jon Why don't you describe more about what you want to achieve. For example what URL do you want your users to type in and what do you want served first? Andoni. -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: spec compliants vs implementation specific parts?
Hi, (B (BWithout being too flippant, everything in web.xml (Bis "standard" and everything in server.xml is (BTomcat specific. (B (BYou can rely on most J2EE/Servlet containers to (Bbe able to provide access to connection pools, and (Bpotentially JNDI resources and things that Tomcat (Bprovides in server.xml, however the manner for (Bconfiguration is generally different (not much) (Bbetween the various vendors. (B (BThe only "code specific" things have generally (Bbeen: (B (B. getting an InitialContext (B. getting a database connection (B (BHowever, if you're really fired up about it, you (Bcan abstract a lot of that out, or parameterise it. (B (BWe've found that the 3 or 4 lines of code that need (Bto be changed generally haven't been worth the effort. (B (BHowever, YMMV. (B (BCheers, (B-- jon (B (BPierre-Laurent Ribault wrote: (B Hi, (B (B I'm in the process of developping a Web application using Tomcat as the (B development testbed. However, I'd like to be able later to deploy the (B application on another servlet engine with the same specs level. (B I know that Tomcat is the reference implementation of the servlet/JSP (B spec, but is there an easy way (i.e. without reading the whole spec) to (B know what is part of the spec and what is implementation specific in (B Tomcat? For example, among the server settings (datasource, realms, etc). (B (B $B!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=!=(B (B Pierre-Laurent Ribault (B Fujitsu Info Software Technologies Ltd. (B (B (B (B (B (B (B (B (B (B (B (B (B (B -- (B To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] (B For additional commands, e-mail: mailto:[EMAIL PROTECTED] (B (B (B-- (BJon Eaves [EMAIL PROTECTED] (Bhttp://www.eaves.org/jon/ (B (B (B-- (BTo unsubscribe, e-mail: mailto:[EMAIL PROTECTED] (BFor additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Coyote Source Code
Hi Scott, You can get instructions from here: http://jakarta.apache.org/site/cvsindex.html and the CVS-WEB access is here: http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-connectors/ Cheers, -- jon Scott Goldstein wrote: Is the Coyote source code available? If so, where can I get it? Thanks. Scott -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Servlet Mapping to /
Trevor MacPhail wrote: Craig R. McClanahan wrote: [ big snip ] Ok, then the question I have now is, how do I set up a welcome-file to be a servlet instead of a static file? You can't. I've tried welcome-fileHomePage/welcome-file but that didnt work. I've also tried welcome-fileindex.html/welcome-file combined with: servlet-mapping servlet-nameHomePage/servlet-name url-pattern/index.html/url-pattern /servlet-mapping but that didnt work either. Try this: welcome-fileredirect.jsp/welcome-file and redirect.jsp contains a single line: jsp:forward page=myservlet / Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Session Cookie
Hiya Neal, You could use 2 cookies. TEN_MINUTE_COOKIE and TRANSIENT_COOKIE and then check for the existence of both, rather than just checking for one. That should do the trick. Cheers, -- jon neal wrote: Is it possible to set a cookie at does not last any longer that 10 minutes *and* will terminate when the browser is closed? [ snip ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: T 3.2.1 - Single JVM?
And also, just because they are different web apps doesn't mean they are different hosts. Provided it's all addressed by: www.myhost.com/webapp1 www.myhost.com/webapp2 and www.myhost.com/webapp3 Then you should be fine. Caveat: I've not used the Tomcat 3.x series in recent times. Cheers, -- jon Ralph Einfeldt wrote: You don't have to install 3 JRE's. You can use several instances of the same JRE. -Original Message- From: Andoni [mailto:andoni;indigo.ie] Sent: Tuesday, November 12, 2002 11:21 AM To: Tomcat Users List Subject: T 3.2.1 - Single JVM? I have not come across a problem because of this yet but as I go to put 3 applications (web-apps) live at the same time I begin to panic when I see things like this. Does this mean that I have to install 3 JRE's on my live server? Andoni. -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: WAR fails to auto expand ?
Check that the Host element is supporting the expanding of WAR files. (in server.xml) Host name=myhostname unpackWARs=true ... stuff ... /host Paul Campbell wrote: I have an context entry in server.xml where I specify debug=9 and logging to unique log file: This is the log file: Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: [tomcat java.io.File] Reading a file from /WEB-INF/classes
Hiya Garrett, You're not guaranteed to have a filesystem to read files from. The WAR file may not be unpacked, or it may be stored in the brains of a million monkeys which are not directly addressable using a java.io.File call. All you know is that you can access this file using: getResourceAsStream(/confirmation.txt) Have a look at the javadoc for ServletContext Cheers, -- jon Garrett Smith wrote: Hello Everyone, I want to read the file /WEB-INF/classes/confirmation.txt The file is read from /WEB-INF/classes/com/dhtmlkitchen/reg/mail/FileFormatter.java -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Installing and using manager app in 4.1.12
Turner, John wrote: This is my first foray into the world of the Tomcat manager app. Any help is appreciated. [ snip of great example of a good request for help ] When I access http://some.host.name:8080/manager, I get prompted with a standard auth request pop-up. I type in the username and password of the admin user. The result is a blank white page and an error message that says FAIL - Unknown command /. If you look at : http://some.host.hame:8080/ From a fresh install, the default page gives you the clue you need. There are 2 links on the LHS of the page to the Administration and the Manager applications. You'll find that: http://some.host.name:8080/manager/html Does exactly what you need in this case. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: Ant Deploy Task
Jacob Kjome wrote: Yep, target name=deploy depends=compile,manager.init description=Deploy web-app war deploy url=${manager.url} username=${manager.username} password=${manager.password} config=${app.ccf} path=${app.path} / /target the path attribute is moderately redundant since you specify it in the Context Configuration File, but, oh well. I just tried it. Buildfile: c:\usr\devel\jon\tomcat-book\book\hello\build.xml cdeploy: [copy] Copying 1 file to C:\usr\devel\jon\tomcat-book\book\hello\dist BUILD FAILED file:c:/usr/devel/jon/tomcat-book/book/hello/build.xml:549: The deploy task doesn't support the config attribute. My task looks like this: target name=cdeploy description=Deploy web application filter token=context.docbase value=${dist.home}/${app.name}-${app.version}.war / filter token=context.path value=${app.path} / copy todir=${dist.home} filtering=true fileset dir=${basedir} present present=srconly targetdir=${basedir} mapper type=glob from=sample.* to=* / /present /fileset mapper type=glob from=sample.* to=* / /copy deploy url=${manager.url} username=${manager.username} password=${manager.password} path=${app.path} config=file:///${dist.home}/context.xml/ /target I'm using Ant 1.5.1 and Tomcat 4.1.12 Clues ? Cheers, -- jon Check out the Barracuda project to see this stuff integrated pretty transparently into the build. http://barracuda.enhydra.org/software/cvs/cvsweb.cgi/Projects/EnhydraOrg/toolsTech/Barracuda/src/ Jake At 05:06 PM 10/29/2002 +1100, you wrote: Hi all, The Tomcat Ant deploy task can take a WAR file to be installed which is just great, but I want to be able to configure the Context as part of the deployment. Does the deploy task have the capability of taking an optional config=foo.xml in the same way as the install task ? Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Ant Deploy Task
Hi all, The Tomcat Ant deploy task can take a WAR file to be installed which is just great, but I want to be able to configure the Context as part of the deployment. Does the deploy task have the capability of taking an optional config=foo.xml in the same way as the install task ? Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: multiple servlet instances?
Craig R. McClanahan wrote: On Mon, 21 Oct 2002, Nick Wesselman wrote: Date: Mon, 21 Oct 2002 18:07:42 -0500 From: Nick Wesselman [EMAIL PROTECTED] Reply-To: Tomcat Users List [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Subject: Re: multiple servlet instances? the book was actually referring to the case where isThreadSafe=false ... it uses misleading wording, however. ... you also need to be aware that, even if a JSP page sets the isThreadSafe attribute to false, JSP implementations are still permitted to create multiple instances of the corresponding servlet... (my emph) Web Development with Java Server Pages by Duane Fields and Mark Kolb ... p. 62 ... I just got a fax of the page in reference to a question from a client. Thanks for your help! I would need one of the authors to substantiate where in the JSP specs they see the support for the assertion that multiple instances are allowed. I cannot find any evidence to support this in the JSP 1.2 specification (which the current edition purports to cover). Further, I'm *very* skeptical about any claim that multiple instances of the servlet running behind your JSP page would actually provide any performance benefits, even if it were allowed by the specification. Servlet Specification p22-23 SRV2.2 Number of Instances The servlet declaration which is part of the deployment descriptor of the web application containing the servlet, as described in Chapter SRV.13, “Deployment Descriptor”, controls how the servlet container provides instances of the servlet. For a servlet not hosted in a distributed environment (the default), the servlet container must use only one instance per servlet declaration. However, for a servlet implementing the SingleThreadModel interface, the servlet container may instantiate multiple instances to handle a heavy request load and serialize requests to a particular instance. I took that section of the specification to mean that multiple instances of servlets can be created iff the SingleThreadModel interface is implemented. Of course, that's just a reading of the spec and I'm not part of that JSR so I could be interpreting it incorrectly. I would be interested in a clarification though. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: problem with session tracking and redirection http--- https
Henrik Bentel wrote: One of my problems is that I can't find anything in the servlet or tomcat documentation that mentiones any of this behaviour. If there is any, please send me the link. Hi Henrik, I couldn't find anything specific in the Servlet Spec, but in general it's just not a good idea, as you may as well not use https at all. It's not just the servlet spec that you need to be aware of, but this is a more general HTTP/HTTPS problem. RFC2109 is not really clear on the topic, other than section 8.3 which talks about Unexpected Cookie Sharing. However there is an extension to this RFC, RFC2965 Port Sensitive Cookies. Basically, you can't guarantee that the browser is going to send back the cookie if the ports are different Also, since any time session tracking is used it can be picked up by someone, all use of https should stay strictly under https(ok, I'm over doing it). So basically if a webapp has any sensitive information, it should solely use https protocol for all transmissions, if using session tracking? You're not over doing it. If you want to provide some security or protection of authentication then the entire session _must_ be encrypted or you may as well not bother. I don't see why the servlet container should force this behaviour. You can do your own session tracking if you want to. Just set your own cookies and use that. The servlet container provides a very convenient way of doing it. Of course, you'll have the same transition problems that the inbuild session management has. Shouldn't it be up to the developer to determine what is a security issue and not? Just like JSP doesn't neccesseraly force the separation of business logic and content, just allowing it, should the servlet container force a restrictive behaviour of session tracking? A lot of web sites don't want the over head of sending everything over https. Only parts of it for secure user validation. But they still want session tracking. They may do, but they're broken if they don't keep an authentication session safe under ssl. Of course the session tracking can be used at different times for non crucial session tracking. Just as a simple example: So let's say you use the existence of an http session as a validation for a logged in user, but you don't store any vital information. And you only allow http sessions to be created under https protocol to secure the submition of password. Beyond that point, no sensitive data is shared, so users can be redirected back to http protocol. You really need to read up on how HTTP and the servlet spec says sessions are done. Basically HTTP is stateless and sessions are faked by transferring chunks of data between the client and the server. This may be via cookies or URL rewriting. For the sake of convenience, we'll use the cookie method in the example, but this is _not_ necessarily the only way that sessions may be tracked. So, you login securely under username and password admin/secret and those pieces of information are gone and lost forever. However, to maintain the session over the stateless protocol the server sets a cookie in the browser SECRET_COOKIE=aaa56722derf. Now, as you transition to HTTP that piece of information is sent to the server in plain text that anybody can read. So, me being the evil wily hacker grabs that information, and sets a cookie in my evil hacked mozilla browser which will allow me to set arbitrary cookies and bingo, I'm now you. With tomcat 4, the only way to use the same method would be to create a http seesion for every http request, then redirect to https, add some kind of validation flags in the session object, then redirect back. This to me is worse, as a DoS attack could force the servlet container to create a http session for every Request, really putting a strain on your container. I can't possibly think of any circumstance where you would need to perform such a contrived mechanism. In fact, I can't even understand what you're trying to do here. [ snip of rest of post ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:tomcat-user-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-user-help;jakarta.apache.org
Re: TC4.1.12 on W2K = service doesn't start!
unwanted e-mail and address any problems to the MIM Holdings Limited Support Centre. For general enquires: ++61 7 3833 8000 Support Centre e-mail:[EMAIL PROTECTED] Support Centre phone: Australia 1800500646 International ++61 7 38338042 ** -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: nobody processes
Hi all, Look in the apache configuration files (normally /etc/httpd/conf) at the file httpd.conf There is a stanza in it: (about line 135) - # User/Group: The name (or #number) of the user/group to run httpd as. # On SCO (ODT 3) use User nouser and Group nogroup # On HPUX you may not be able to use shared memory as nobody, and the # suggested workaround is to create a user www and use that user. # NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET) # when the value of (unsigned)Group is above 6; # don't use Group nobody on these systems! User nobody Group nobody - Mystery solved. Can we kill this thread now ? It's not even remotely related to Tomcat. Cheers, -- jon Nikola Milutinovic wrote: Skorupski Pawe ,(PZUZ) wrote: Thanks for advice, I find out and processes with 'user nobody' are created by process with command inetd. Aha, we are getting somewhere. I don't know if the processes with command httpd can be started by process 'inetd' if service http doesn't exist in inetd.conf. Usually, this is not the case. I don't think that Apache can even work this way. Anyway, big servers, like Sendmail, Apache, Cyrus IMAP (since 2.0) will run as standalone daemons, not from InetD. Take a look at your /etc/inetd.conf and see what servers are run from it as user nobody and you'll be one step closer to finding your problem source. Nix. -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: AW: How to validate email address in JSP by using javax.mail?
Hi Ralph, (and others) Ralph Einfeldt wrote: But keep in mind that this isn't completly safe, as you won't know if the address really exists or the administrator (the fallback receiver) acted as the receiver. If the administrator isn't the person who initiated the transaction, he's going to ignore it and the email is never sent. (Assuming they have an IQ above ambient room temperature, and if not, then they are obviously happy to take responsibility for the words) So this depends on what you really want to achieve and what requirements you have. Indeed. That's why there is the long answer in my original email. However, it appears the original poster wanted a way to validate people sending content. Some of this content was, let us say, indelicate, and they wanted be reasonably sure that the content was from the owner of the email address. Under those circumstances it will work just fine. In fact, I'm not sure of any circumstances where it will not work, unless the person who gets the email just goes ahead and follows the instructions without thinking. You can't do much about that. Cheers, -- jon -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: How to validate email address in JSP by using javax.mail?
This isn't really a Tomcat question, but more of a general protocol question. The long answer is that you should look at mailing list software and see how they do it using acknowledgements. A good example of this is ezmlm which uses qmail as it's transport. Of course, you'll have to hold onto the message they wanted to send until they are validated. Also, have a look at places like slashdot (www.slashdot.org) to see how they deal with the anonymous user problem. The short answer is, send an email to that address with a magic number in it. Tell the user to go somewhere and use the magic number which will validate them. Exactly how is left as an exercise to the reader. There really is a very large body of established code on this, so searching Google is probably a good start. Cheers, -- jon Kunal Shah wrote: suppose there is an domain xyz.com accepting mails for its user say there are a, b and c users and administrator which will recieve mails for unresolve members i am sending one mail at [EMAIL PROTECTED] dummy is not valid mailbox still the mesg will be delivered to administrator of xyz.com. so there will be not send fail exception. what should be done in this case ? --kunal -Original Message- From: Turner, John [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 09, 2002 7:33 PM To: 'Tomcat Users List' Subject: RE: How to validate email address in JSP by using javax.mail? [ big snip ] -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: Documentation
Hiya Gustavo (and others) I'm going to disagree. The Tomcat docs for the most part are very good. I was able to read them and setup Tomcat to do all the normal things. I can create different contexts, map servlets, create database pools, custom error pages etc. The 4.1.x documentation is updated from the 3.x and 4.0.x documentation and I can't remember it being broken in any real way due to bitrot. Some of the newer features are a little terse, but you have to expect that, then again, there aren't that many How do I configure and create Filters type questions. I haven't tried to use mod_jk yet, but there seems to be a lot of questions about that, but I suspect it's because people haven't read that documentation to start with. Frankly, my rule of mailing lists are that people would rather ask a question because they are too lazy to find the answer themselves. Most of the questions that are asked do exist in the Tomcat documentation, and those that aren't there have generally been answered very clearly by list members. The list is searchable, and Google (www.google.com) is _always_ your friend. This list is certainly one of the most friendly and helpful that I've been on. Sadly that tends to be to it's detriment as people abuse that help. There are definitely areas of the documentation that need work, and potentially others that need cleaning up, but in general they are pretty damn good. Cheers, -- jon Gustavo Vegas wrote: I agree with Jeff. The Tomcat documentation reminds me of the old times when I had to compile TeX. A lot of the information for things I have needed to configure in my installation have come from the docs from version 3.3, although I am using 4.0.5. This also makes me worry that some of the things I am using may be deprecated. Cheers, -- Gustavo Vegas. Jeff Wishnie wrote: A pretty high percentage seem to be becuase the docs really are lousy. Wouldn't it be nice to answer 'RTFM' to most of them? When my time frees up on this project I plan on submitting several documentation changes. - Jeff -- Jon Eaves [EMAIL PROTECTED] http://www.eaves.org/jon/ -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]