PLEASE HELP ME!!!
After authorization on the HTTP server this problem occurs. What happened, who knows? Please help me.

HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
org.apache.jasper.JasperException: null
    org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    ftc.budget.common.tomcat.CharsetFilter.doFilter(CharsetFilter.java:41)
root cause
java.lang.NumberFormatException: null
    java.lang.Integer.parseInt(Unknown Source)
    java.lang.Integer.parseInt(Unknown Source)
    org.apache.jsp.check_005fenter_jsp._jspService(check_005fenter_jsp.java:61)
    ftc.budget.servlet.BudgetJspPage.service(BudgetJspPage.java:71)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    ftc.budget.common.tomcat.CharsetFilter.doFilter(CharsetFilter.java:41)
note The full stack trace of the root cause is available in the Apache Tomcat/5.5.27 logs.
Apache Tomcat/5.5.27

Anton Chudesnikov.
Re: PLEASE HELP ME!!!
> root cause
> java.lang.NumberFormatException: null
>     java.lang.Integer.parseInt(Unknown Source)
>     java.lang.Integer.parseInt(Unknown Source)
>     org.apache.jsp.check_005fenter_jsp._jspService(check_005fenter_jsp.java:61)
>     ftc.budget.servlet.BudgetJspPage.service(BudgetJspPage.java:71)

Go to the /work directory of your Tomcat installation and find check_005fenter_jsp.java file somewhere there. It is Java source for your JSP page (check/enter.jsp).

Somewhere there (on line 61 of java code) is an Integer.parseInt() call. The exception was thrown because the argument to that call was null.
Re: Comet response is set to empty HTTP 200 reply by the framework problem
Hi,

After some late night debugging yesterday I got it stable. The magic spell was to put

    event.getHttpServletRequest().setAttribute("org.apache.tomcat.comet.support", Boolean.TRUE);

in my BEGIN event handler. After that I had to follow the advice to put the event.close() in the END/ERROR handling section, flush regularly and all the strange behaviour I was seeing is gone. Funny enough this is not mentioned anywhere...

Something that most probably is important - I am on jboss 4.2.3. Any explanation why I had to put that myself?

Filip, I don't have the logs the dump saved. If you need it, I will reproduce the problem and provide them.

Best Regards,
Georgi

On 11.11.09 08:08, Filip Hanik - Dev Lists devli...@hanik.com wrote:
> 200 OK is immediate, but the body is left open. meaning, the chunk is left.
> you can share your tcpdump and tomcat logs
>
> Filip
>
> On 11/10/2009 07:08 AM, georgi danov wrote:
>> Hi,
>>
>> I have a CometProcessor servlet that receives events and queues them for processing by separate thread pool (a.k.a. asynchronous processor). I do that because I could get 1000s of concurrent requests for job that includes IO wait and I don't want to have 1000s of threads lying around waiting for IO. My IO signals me when the response is ready, so I pull the respective CometEvent instance, write to the reply and gracefully close the message.
>>
>> I've read number of documents and posts on this mail list and I think I am doing the things correctly, however 1 out of 500 messages gives me problem. The problem is that the client immediately gets HTTP 200 reply with empty body from the server without my application having a chance to write to the outputStream. This happens both using the NIO and the regular (with ARP) connectors. Both using persistent and non-persistent connections.
>>
>> When looking at tcp dump I see that the response is given practically immediately. Setting the event timeout to 1 sec does not help.
>>
>> I can see also that the client is behaving well, because when I use persistent connection, the conversation goes on after the faulty message and the next messages are OK.
>>
>> I am pretty sure I am doing something wrong with handling the cometevent, but not sure where to start. For one thing I am confused where and when should the event.close() invocation be. I've seen on this mailing list both the advice to put it in the end event handling and right after I finish writing to the stream.
>>
>> Thanks
>> Georgi
Re: PLEASE HELP ME!!!
achudesni...@btabank.ru wrote:
> After authorization on the HTTP server this problem occurs. What happened, who knows? Please help me.
>
> HTTP Status 500 -
> type Exception report
> message
> description The server encountered an internal error () that prevented it from fulfilling this request.
> org.apache.jasper.JasperException: null
>     org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460)
>     org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
>     org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
>     org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>     javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>     ftc.budget.common.tomcat.CharsetFilter.doFilter(CharsetFilter.java:41)
> root cause
> java.lang.NumberFormatException: null
>     java.lang.Integer.parseInt(Unknown Source)
>     java.lang.Integer.parseInt(Unknown Source)
>     org.apache.jsp.check_005fenter_jsp._jspService(check_005fenter_jsp.java:61)
>     ftc.budget.servlet.BudgetJspPage.service(BudgetJspPage.java:71)

That, sir, looks to me like another serious financial crisis in the making. I think you should immediately report this higher up.
Re: [OT] WebappClassLoader and undeploy
Elli Albek wrote:
> Sorry Mark. Well this class loading scheme (context class loader - static variable) sounds little like a bug.

Indeed.

> Thanks for that startup class. I think it will solve a problem that we have (using imageio). So you just add it as high up as possible in the server.xml hierarchy?

It should be added alongside the other lifecycle listeners at the start of server.xml

Mark
Re: Identifying Clients via SSL Certificates
Hi..

From last few days even I am also working on SSL implementation. I am using Jboss 5.1.0 GA. I had implemented server certificate but I don't know how to implement Client / Server Mutual Authentication. Do you work on that part? Can you help me?

Another issue I have is I can access my application from server but if I access the same application from Client Machine I am getting following exception

    {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: }

Thanks in advance.. Please reply

On Tue, Nov 10, 2009 at 3:59 AM, Jorge Medina jmed...@e-dialog.com wrote:
> OpenSSL hashes the subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name. but that seems weak.
>
> http://www.openssl.org/docs/apps/x509.html#
> http://www.openssl.org/docs/apps/verify.html#
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Monday, November 09, 2009 2:06 PM
> To: Tomcat Users List
> Subject: Identifying Clients via SSL Certificates
>
> All,
>
> I've been playing around with client SSL certificates, not for authentication per se, but as a gateway to a relaxed authentication mechanism for one of our webapps.
>
> I have a client SSL cert working (see my previous thread mod_jk Client SSL Certificates) and successfully verifying the signature of the client cert by the server.
>
> I'd like to be able to uniquely identify the client certificate being used to authenticate via SSL, but I'm a newbie at this sort of thing and I'd appreciate some suggestions as to how to do that.
>
> A few ideas I've had are:
>
> 1. Use a directory-style 'CN' attribute like UID=myuniqueid
> 2. Use the fingerprint of the client certificate
> 3. Use the full text of the client certificate
>
> All 3 of the above can be used to then link to appropriate records in the database for limited authentication.
>
> Does anyone have any suggestions or preferred techniques?
>
> Thanks,
> -chris
Re: Secure login only, not rest of app
Thanks everyone for your help, I'll take a look at this and then let everyone know how I get on.

Christopher, thanks for your patient reply, sorry I missed your earlier post, I guess my googling skills aren't what I think they are!

R.

On 10 Nov 2009, at 20:26, Christopher Schultz wrote:
> Robert,
>
> On 11/10/2009 7:48 AM, Robert Denison wrote:
>> If the Valve acts before the filter then I would guess my idea can't work because the login will have already happened before I get chance to redirect to https. Therefore meaning the login process will have happened unencrypted...
>
> Remember that your login page is allowed to do stuff, too. See my other post for details.
>
> -chris
Re: tomcat: bandwidth limiter / transfer rate limit ?
Using a filter, it should be fairly easy to write something like that.

2009/11/11 Christopher Schultz ch...@christopherschultz.net
> Cae,
>
> On 11/10/2009 6:36 PM, Cae Fernandes wrote:
>> I wanna do a per-user basis transfer rate limit. My business core sort of depends on this. It could be like a rapidshare type of business.
>
> If you can't do this with a piece of network hardware, I think you might have to write it yourself.
>
> I have no experience or familiarity whatsoever with Tomcat's Comet interfaces, but use of that type of connector might improve your throughput if you are intentionally stalling your response (or request) streams.
>
> -chris

--
pieroxy
Re: tomcat 5.5.25 - Multiple Connectors and performance lost
Hello again,

The 2 applications being used serve different purposes, one presents a terms search in a index, the other application is meant to show archived pages, similar to what happens in internet archive (internetarchive.org). For the second application to work it needs to contact the first so that it can locate the required files to show the user.

But my main problem is the increase in response time, does having a lot of connectors cause thread synchronization issues? Does any one have a reason for such an increase in time, from 1 sec to 16 ?

Thanks for the help

Simão Fontes

Christopher Schultz wrote:
> André,
>
> On 11/10/2009 4:02 PM, André Warnier wrote:
>> Caldarale, Charles R wrote:
>>> From: Simão Fontes [mailto:simao.fon...@fccn.pt]
>>> Subject: tomcat 5.5.25 - Multiple Connectors and performance lost
>>>
>>>> I have 4 web applications that communicate with each other. My problem consists in getting the information from the various applications when the number of threads is reached only by one application.
>>>
>>> Perhaps you could create a filter for each webapp that monitors the number of concurrent threads for its webapp and rejects (or queues) requests that exceed some pre-defined limit.
>>
>> But somehow this sounds to me like a problem in the design of the application. If A must call B to get a full response to the client, but A and B compete for a single resource pool, then why not combine them into one single A+B process and be done with the competition ? In addition to saving the overhead of A calling up B.
>
> Wait... are you suggesting that the OP replace a method call via HTTP with a straight-up Java method call? That's crazy! Haven't you ever heard of SOA? If he didn't use an HTTP call, he wouldn't be able to say that he's got services.
>
> ;)
>
> -chris

--
Arquivo da Web Portuguesa | FCCN
Av. do Brasil, n.º 101
1700-066 Lisboa
Tel.: +351 21 8440100 (optional)
Fax: +351 21 8472167
www.arquivo.pt | www.fccn.pt
Re: PLEASE HELP ME!!!
On 11/11/2009 08:57, André Warnier wrote:
> achudesni...@btabank.ru wrote:
>> After authorization on the HTTP server this problem occurs. What happened, who knows? Please help me.
>>
>> HTTP Status 500 -
>> type Exception report
>> message
>> description The server encountered an internal error () that prevented it from fulfilling this request.
>> org.apache.jasper.JasperException: null
>>     org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:460)
>>     org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
>>     org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
>>     org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
>>     javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>>     ftc.budget.common.tomcat.CharsetFilter.doFilter(CharsetFilter.java:41)
>> root cause
>> java.lang.NumberFormatException: null
>>     java.lang.Integer.parseInt(Unknown Source)
>>     java.lang.Integer.parseInt(Unknown Source)
>>     org.apache.jsp.check_005fenter_jsp._jspService(check_005fenter_jsp.java:61)
>>     ftc.budget.servlet.BudgetJspPage.service(BudgetJspPage.java:71)
>
> That, sir, looks to me like another serious financial crisis in the making. I think you should immediately report this higher up.

... and lose 10 points for not using a descriptive subject line.

p
Re: tomcat: bandwidth limiter / transfer rate limit ?
I wonder if Comet would be of any help. I don't have any experience with that. A filter/servlet solution would be easy to implement, but I'm afraid it could hurt performance to be sleeping threads ..

On Wed, Nov 11, 2009 at 8:11 AM, pieroxy pier...@gmail.com wrote:
> Using a filter, it should be fairly easy to write something like that.
>
> 2009/11/11 Christopher Schultz ch...@christopherschultz.net
>> Cae,
>>
>> On 11/10/2009 6:36 PM, Cae Fernandes wrote:
>>> I wanna do a per-user basis transfer rate limit. My business core sort of depends on this. It could be like a rapidshare type of business.
>>
>> If you can't do this with a piece of network hardware, I think you might have to write it yourself.
>>
>> I have no experience or familiarity whatsoever with Tomcat's Comet interfaces, but use of that type of connector might improve your throughput if you are intentionally stalling your response (or request) streams.
>>
>> -chris
>
> --
> pieroxy
Re: remote debug
2009/11/11 Christopher Schultz ch...@christopherschultz.net
> To whom it may concern,
>
> On 11/10/2009 2:18 AM, maven apache wrote:
>> hi:
>> I am so sorry to ask this problem again but I cannot make it work. I have seen the faq, and the doc pages, also I go to Google to search but ..
>>
>> I am using tomcat6.0.zip, and my project is managed by maven, so the web module I do not know how to debug, although I know how to debug a common dynamic web project and add breakpoints. But the web module is not a common web project. I have no idea.
>>
>> Someone tell me I can use remote debug for the web module, however when I try to connect the server, it can not connect. So I want to know if the remote debug can be used for the web module in maven, if it is, how to config the debug?
>
> It's not at all clear what you are doing, here. If you are using some kind of Maven-specific webapp deployment, I would ask the Maven folks if they have any ideas.

Yes, I send to the maven maillist, and they suggest me try the remote debug, but no matter how to config the tomcat6.0, I can not connect it through the IDE, please check the annex. Tomcat.jpg, eclipse.jpg and the conn.jpg

My tomcat is 6.0.zip/

> -chris
Re: remote debug
On 11/11/2009 13:23, maven apache wrote:
> 2009/11/11 Christopher Schultz ch...@christopherschultz.net
>> To whom it may concern,
>>
>> On 11/10/2009 2:18 AM, maven apache wrote:
>>> hi:
>>> I am so sorry to ask this problem again but I cannot make it work. I have seen the faq, and the doc pages, also I go to Google to search but ..
>>>
>>> I am using tomcat6.0.zip, and my project is managed by maven, so the web module I do not know how to debug, although I know how to debug a common dynamic web project and add breakpoints. But the web module is not a common web project. I have no idea.
>>>
>>> Someone tell me I can use remote debug for the web module, however when I try to connect the server, it can not connect. So I want to know if the remote debug can be used for the web module in maven, if it is, how to config the debug?
>>
>> It's not at all clear what you are doing, here. If you are using some kind of Maven-specific webapp deployment, I would ask the Maven folks if they have any ideas.
>
> Yes, I send to the maven maillist, and they suggest me try the remote debug, but no matter how to config the tomcat6.0, I can not connect it through the IDE, please check the annex. Tomcat.jpg, eclipse.jpg and the conn.jpg
>
> My tomcat is 6.0.zip/

So you're using Eclipse, and your problem is with Eclipse's configuration? You didn't mention that before, in your somewhat confusing email.

Please read the following: http://catb.org/~esr/faqs/smart-questions.html

p

>> -chris
Re: A question about mod_jk 1.2.28 configuration
> Is the log message the same when running without socket_timeout?

Without socket_timeout the log message looks as follows:

[code]
[Wed Nov 11 14:25:13 2009] [1976:2537062720] [info] ajp_handle_cping_cpong::jk_ajp_common.c (865): timeout in reply cpong
[Wed Nov 11 14:25:15 2009] [1976:2537062720] [error] ajp_connect_to_endpoint::jk_ajp_common.c (957): (worker_portfolio_son1) cping/cpong after connecting to the backend server failed (errno=110)
[Wed Nov 11 14:25:15 2009] [1976:2537062720] [error] ajp_send_request::jk_ajp_common.c (1507): (worker_portfolio_son1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110)
[Wed Nov 11 14:25:15 2009] [1976:2537062720] [info] ajp_service::jk_ajp_common.c (2447): (worker_portfolio_son1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
[Wed Nov 11 14:25:25 2009] [1976:2537062720] [info] ajp_handle_cping_cpong::jk_ajp_common.c (865): timeout in reply cpong
[Wed Nov 11 14:25:27 2009] [1976:2537062720] [error] ajp_connect_to_endpoint::jk_ajp_common.c (957): (worker_portfolio_son1) cping/cpong after connecting to the backend server failed (errno=110)
[Wed Nov 11 14:25:27 2009] [1976:2537062720] [error] ajp_send_request::jk_ajp_common.c (1507): (worker_portfolio_son1) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=110)
[Wed Nov 11 14:25:27 2009] [1976:2537062720] [info] ajp_service::jk_ajp_common.c (2447): (worker_portfolio_son1) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
[Wed Nov 11 14:25:27 2009] [1976:2537062720] [error] ajp_service::jk_ajp_common.c (2466): (worker_portfolio_son1) connecting to tomcat failed.
[Wed Nov 11 14:25:27 2009] worker_portfolio_son1 citibank-extranet-ru-test.civ-versicherung.de 24.106692
[Wed Nov 11 14:25:27 2009] [1976:2537062720] [info] jk_handler::mod_jk.c (2615): Service error=-3 for worker=worker_portfolio_son1
[/code]

> Please provide details on your OS, web server and configuration (e.g Jk directives for Apache).

The OS is: Linux version 2.6.9-78.0.13.ELsmp (mockbu...@hs20-bc2-5.build.redhat.com) (gcc version 3.4.6 20060404 (Red Hat 3.4.6-10)) #1 SMP Wed Jan 7 17:45:52 EST 2009

The httpd version is: Server version: Apache/2.0.52

mod_jk version is: 1.2.28

The Jk directive is (I am not sure if this is what you mean):

Listen 172.23.17.33:80
<VirtualHost 172.23.17.33:80>
    ServerName mycompamny.com:80
    ServerAdmin r...@localhost
    DocumentRoot /opt/content/ru-extranet
    <IfModule mod_weblogic.c>
        debug ALL
        WLLogFile /var/log/httpd/wl-proxy-ru.log
        DebugConfigInfo ON
    </IfModule>
    CustomLog /var/log/httpd/logfile
    ErrorLog /var/log/httpd/error_log
    <Directory /opt/content/ru-extranet>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    # Send everything for context /examples to worker
    JkMount /myWeb/* worker_portfolio_son1
</VirtualHost>
Re: Hand Authentication to Apache
Ivan,

On 11/11/2009 2:43 AM, Ivan Eulaers wrote:
> Tomcat 6 has been installed by my hosting provider, and I don't know how it is connected to Apache.

That's going to be a problem: it looks like they mapped more URI patterns to Tomcat than they should have. Your .htaccess file does not include any relevant information. You either need to get access to the httpd configuration, or ask your provider to tell you what's been mapped to Tomcat.

The error message you are receiving is a 404 NOT FOUND for a particular path, and the error is coming from Tomcat, not httpd. If you didn't expect Tomcat to serve that particular path, then the httpd configuration is forwarding too much traffic to Tomcat. You will have to take that up with your hosting provider.

-chris
Re: A question about mod_jk 1.2.28 configuration
> 20-40 minutes is an unreasonable amount of time to wait for an HTTP request to complete. I recommend changing your architecture so that HTTP requests don't have to take so long.

Surely is a good idea. But the situation is we just host the application for our customer who will not want to change their program. They said it works by mod_jk 1.2.26, why not by 1.2.28? I am not able to give them a satisfied answer.
Re: A question about mod_jk 1.2.28 configuration
> Without socket_timeout the log message looks as follows:
> [code]
> [Wed Nov 11 14:25:13 2009] [1976:2537062720] [info] ajp_handle_cping_cpong::jk_ajp_common.c

Please ignore my post. The log message is wrong.
Re: remote debug
> Please read the following: http://catb.org/~esr/faqs/smart-questions.html

Fine, I organized the problem I asked again:

1 related to maven.

My project is created by eclipse IDE (through the m2eclipse), and managed by maven. It contains three modules: module MT-server, MT-io and MT-webapps. The MT-webapps is a web module which is to be deployed under the tomcat (see annex project-struct.jpg). Under the directory MT-webapp\src\main\webapp\WEB-INFO\, I config the web.xml with a servlet named MTServlet under the MT-server module.

Now I want to add some breakpoints in the MTServlet to debug. But the MT-webapps module is not a common dynamic web project, so I can not find the debug on server menu. I have tried my best to find the resolution through friends, search engine and so on but got nothing. Then I post it to the maven maillist, they tell me I should use the remote debug.

2 related to tomcat

So I start to config remote debug in tomcat. After modify the catalina.bat, and start it, I can not connect it through the IDE (eclipse), but I just followed the faq, so I post it to this maillist.

The annex tomcat.jpg is the start information when I start the tomcat with debug mode, the eclipse.jpg is the configuration in my IDE to connect, and the conn.jpg is the error message I got.

I hope someone can check them and give some advice. Thanks.
Re: remote debug
On 11/11/2009 14:52, maven apache wrote:
>> Please read the following: http://catb.org/~esr/faqs/smart-questions.html
>
> Fine, I organized the problem I asked again:
>
> 1 related to maven.
>
> My project is created by eclipse IDE (through the m2eclipse), and managed by maven. It contains three modules: module MT-server, MT-io and MT-webapps. The MT-webapps is a web module which is to be deployed under the tomcat (see annex project-struct.jpg). Under the directory MT-webapp\src\main\webapp\WEB-INFO\, I config the web.xml with a servlet named MTServlet under the MT-server module.
>
> Now I want to add some breakpoints in the MTServlet to debug. But the MT-webapps module is not a common dynamic web project, so I can not find the debug on server menu.

That is an Eclipse problem, then, yes?

> I have tried my best to find the resolution through friends, search engine and so on but got nothing. Then I post it to the maven maillist, they tell me I should use the remote debug.
>
> 2 related to tomcat
>
> So I start to config remote debug in tomcat. After modify the catalina.bat, and start it, I can not connect it through the IDE (eclipse), but I just followed the faq, so I post it to this maillist.

Is Eclipse definitely using that config file to start Tomcat? What steps have you taken to check what you're doing is correct?

> The annex tomcat.jpg is the start information when I start the tomcat with debug mode, the eclipse.jpg is the configuration in my IDE to connect, and the conn.jpg is the error message I got.
>
> I hope someone can check them and give some advice. Thanks.

The list strips attachments, I'm unable to see those images.

p
How to set up tomcat and truststore
Hello,

In the platform I am currently working on, we have to set up tomcat to require client certificate authentication. The main difference from the standard settings as described in (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html) is that we wish to accept any client certificates, including self-signed ones. The main reason for that is that we perform a second verification on the application layer as our truststore is dynamic.

We have a JAASRealm class extension which basically extends the hasResourcePermission method setting it to always return true. Below you can see the configuration we added to the server.xml

    <Realm className="com.privasphere.privalope.security.auth.ClientCertInAppRealm" debug="99"/>

Nevertheless, I believe this method is only called after the initial handshake and after the client certificate has been accepted or refused (this is a guess).

In addition, I am not entirely sure of what I should put in the truststoreFile property. As we want to accept all certificates this file would probably be empty.

Any suggestions or best practices for this problem?

Best regards,
Luciana Moreira
RE: How to set up tomcat and truststore
Doesn't accepting any certificate defeat the purpose of authentication? If you want to accept any certificate, then you are not doing any authentication.

If you have written your own Realm, then do the verification on your realm against your dynamic truststore.

-----Original Message-----
From: more...@privasphere.com [mailto:more...@privasphere.com] On Behalf Of Luciana Moreira Sa de Souza Signed by - PrivaSphere AG
Sent: Wednesday, November 11, 2009 10:25 AM
To: users@tomcat.apache.org
Cc: Ralf Hauser
Subject: How to set up tomcat and truststore

> Hello,
>
> In the platform I am currently working on, we have to set up tomcat to require client certificate authentication. The main difference from the standard settings as described in (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html) is that we wish to accept any client certificates, including self-signed ones. The main reason for that is that we perform a second verification on the application layer as our truststore is dynamic.
>
> We have a JAASRealm class extension which basically extends the hasResourcePermission method setting it to always return true. Below you can see the configuration we added to the server.xml
>
>     <Realm className="com.privasphere.privalope.security.auth.ClientCertInAppRealm" debug="99"/>
>
> Nevertheless, I believe this method is only called after the initial handshake and after the client certificate has been accepted or refused (this is a guess).
>
> In addition, I am not entirely sure of what I should put in the truststoreFile property. As we want to accept all certificates this file would probably be empty.
>
> Any suggestions or best practices for this problem?
>
> Best regards,
> Luciana Moreira
Re: How to set up tomcat and truststore
Hi Jorge, thx for your quick reply. Maybe I did not explain my problem well enough, so let me elaborate it a bit more. In our platform clients can upload their self-signed certificates to allow them to login to our platform. If we add all client certificates to the static truststore file as per |truststoreFile| of http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File we end up having a scalability problem during handshake. This happens since the server must inform which client certificates issuers are accepted by the server, so having 50'000 self-signed DNs concatenated as a string doesn't really vouch for a quick TLS handshake. This is the reason why we do a second level authentication in our own realm implementation or the application layer against our own dynamic truststore. But for this to be possible, an initial handshake must occur where the client provides his certificate to the platform. So, we split authentication into two steps: i) establish a secure tunnel without the harmful renegotiation to someone ii) once that is done, ensure the someone is who we like without the need for TLS-renegotiation On the application layer we can get the client certificate chain through: X509Certificate certs[] = (X509Certificate[]) request.getAttribute(org.apache.catalina.Globals.CERTIFICATES_ATTR); And then we validate it against our own truststore. The main problem is reaching this stage with any client certificate. So my question is: 1) is the above mentioned |truststoreFile| attribute mandatory or not? 2) is there a way to tell the JSSESupport class not to send the issuer-DN list, but a wildcard for any issuer? (perhaps this could just be a * in the |truststoreFile| attribute, anyway it would be great to know whether this is a mandatory attribute or an optional one == pls document in the above cited howto.html) Best regards, Luciana Moreira -- This message has been signed by the PrivaSphere Mail Signature Service. 
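The second, application-layer step described in the message above, written out as an added example (not PrivaSphere's or Tomcat's code). The TLS handshake already proves that the client holds the private key for whatever certificate it presents, so this step only has to decide whether that exact certificate is registered. The class name and the in-memory fingerprint set standing in for the dynamic truststore are assumptions; how the connector is made to request a certificate from any issuer is the open question of the thread and is not covered.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: admits a request only if its client certificate is registered. */
public class RegisteredClientCertFilter implements Filter {

    // Standard servlet attribute name; the message reads the same value
    // through org.apache.catalina.Globals.CERTIFICATES_ATTR.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Assumption: stand-in for the dynamic truststore. Holds SHA-256 fingerprints
    // (lower-case hex) of the certificates users have uploaded. Needs Java 8+.
    private static final Set<String> REGISTERED = ConcurrentHashMap.newKeySet();

    /** Called by the (hypothetical) upload handler when a user registers a certificate. */
    public static void register(X509Certificate cert) throws CertificateException {
        REGISTERED.add(fingerprint(cert));
    }

    /** Called when a user withdraws a certificate; takes effect on the next request. */
    public static void unregister(X509Certificate cert) throws CertificateException {
        REGISTERED.remove(fingerprint(cert));
    }

    /** SHA-256 over the DER encoding, so two certificates match only if byte-identical. */
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the Java platform", e);
        }
    }

    public void init(FilterConfig config) {
        // Nothing to configure in this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // No certificate was presented in the handshake: deny, never fall through.
        if (certs == null || certs.length == 0) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        X509Certificate leaf = certs[0]; // the client's own certificate comes first
        try {
            leaf.checkValidity(); // rejects expired and not-yet-valid certificates
            if (!REGISTERED.contains(fingerprint(leaf))) {
                http.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not registered");
                return;
            }
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate rejected");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        // No resources to release.
    }
}
```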
Tomcat: two context path for one webapp
Hi, I have been trying to solve a problem, but I have not found any good solution yet. The problem is: I have a web app and this web app is deployed to the $TOMCAT_HOME/webapps/XXX directory. I can reach that on the http://localhost:8080/XXX address BUT, I would like to reach the web app on the http://localhost:8080/YYY address too. I added the following to the server.xml: <Server> <Service> <Engine> <Host> ... <Context path="/YYY" docBase="XXX"></Context> </Host> </Engine> </Service> </Server> It helped but the Tomcat started two web contexts and it caused some other problem. Is it possible to create multiple addresses for one web app so that both addresses represent the same webapp?
Re: tomcat: bandwidth limiter / transfer rate limit ?
There is no reason it would hurt performance (and why are you mentioning sleeping threads?). In any case, you need to count the number of bytes transferred, and the filter would do just that. Then you probably need to persist this information along with the logged in user somewhere. These tasks need to be done somewhere. If you plan on doing it in tomcat, filters look like the best spot. 2009/11/11 Cae Fernandes rag...@gmail.com I wonder if Comet would be of any help. I don't have any experience with that. A filter/servlet solution would be easy to implement, but I'm afraid it could hurt performance to be sleeping threads .. On Wed, Nov 11, 2009 at 8:11 AM, pieroxy pier...@gmail.com wrote: Using a filter, it should be fairly easy to write something like that. 2009/11/11 Christopher Schultz ch...@christopherschultz.net Cae, On 11/10/2009 6:36 PM, Cae Fernandes wrote: I wanna do a per-user basis transfer rate limit. My business core sort of depends on this. It could be like a rapidshare type of business. If you can't do this with a piece of network hardware, I think you might have to write it yourself. I have no experience or familiarity whatsoever with Tomcat's Comet interfaces, but use of that type of connector might improve your throughput if you are intentionally stalling your response (or request) streams. -chris -- pieroxy
Re: Tomcat: two context path for one webapp
By any chance, do you have an Apache httpd server in front of this tomcat instance? The first solution that comes to my mind is using mod_rewrite with some rewrite rules on the httpd server so that the web browser client sees http://localhost:8080/YYY but it is really http://localhost:8080/XXX DJ On Wed, 2009-11-11 at 08:57 -0800, AlbundySzabolcs wrote: Hi, I have been trying to solve a problem, but I have not found any good solution yet. The problem is: I have a web app and this web app is deployed to the $TOMCAT_HOME/webapps/XXX directory. I can reach that on the http://localhost:8080/XXX address BUT, I would like to reach the web app on the http://localhost:8080/YYY address too. I added the following to the server.xml: <Server> <Service> <Engine> <Host> ... <Context path="/YYY" docBase="XXX"></Context> </Host> </Engine> </Service> </Server> It helped but the Tomcat started two web contexts and it caused some other problem. Is it possible to create multiple addresses for one web app so that both addresses represent the same webapp?
Re: tomcat: bandwidth limiter / transfer rate limit ?
Well, It's not about counting the bytes, but making the connection slower. Like, if I would output only a certain amount of bytes per second, I'd have to output them and make the thread sleep for a certain amount of milliseconds. That's why I mentioned sleeping threads. On Wed, Nov 11, 2009 at 3:04 PM, pieroxy pier...@gmail.com wrote: There is no reason it would hurt performance (and why are you mentioning sleeping threads?). In any case, you need to count the number of bytes transferred, and the filter would do just that. Then you probably need to persist this information along with the logged in user somewhere. These tasks need to be done somewhere. If you plan on doing it in tomcat, filters look like the best spot. 2009/11/11 Cae Fernandes rag...@gmail.com I wonder if Comet would be of any help. I don't have any experience with that. A filter/servlet solution would be easy to implement, but I'm afraid it could hurt performance to be sleeping threads .. On Wed, Nov 11, 2009 at 8:11 AM, pieroxy pier...@gmail.com wrote: Using a filter, it should be fairly easy to write something like that. 2009/11/11 Christopher Schultz ch...@christopherschultz.net Cae, On 11/10/2009 6:36 PM, Cae Fernandes wrote: I wanna do a per-user basis transfer rate limit. My business core sort of depends on this. It could be like a rapidshare type of business. If you can't do this with a piece of network hardware, I think you might have to write it yourself. I have no experience or familiarity whatsoever with Tomcat's Comet interfaces, but use of that type of connector might improve your throughput if you are intentionally stalling your response (or request) streams. -chris -- pieroxy
RE: tomcat: bandwidth limiter / transfer rate limit ?
-Original Message- From: Cae Fernandes [mailto:rag...@gmail.com] Sent: Wednesday, November 11, 2009 10:38 AM To: Tomcat Users List Subject: Re: tomcat: bandwidth limiter / transfer rate limit ? Well, It's not about counting the bytes, but making the connection slower. Like, if I would output only a certain amount of bytes per second, I'd have to output them and make the thread sleep for a certain amount of milliseconds. That's why I mentioned sleeping threads. Are you using compression? Using GZIP compression on your pages can reduce your request size for HTML by about a factor of 6. George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585
Re: tomcat: bandwidth limiter / transfer rate limit ?
Cae Fernandes wrote: Well, It's not about counting the bytes, but making the connection slower. Like, if I would output only a certain amount of bytes per second, I'd have to output them and make the thread sleep for a certain amount of milliseconds. That's why I mentioned sleeping threads. Yes, but isn't *any* solution, in the end, going to have the same effect ? I mean, suppose that you have a direct connection between Tomcat and the client, and that the client is behind a very slow (physical) connection. At some point, the webapp is going to want to output something to the client, but all buffers will be full waiting for the client to receive them, and whatever is sending them will have to wait. Whether that wait is a sleep decided at the level of the application, or at the level of the OS, is rather immaterial. The webapp/thread will wait anyway. The only way to avoid that would be to have, between Tomcat and the client, some appliance (software or hardware) which would buffer the Tomcat output and send it to the client at the rate it will accept, or at the rate that you decide. An Apache front-end might be able to do that, if it has some add-on module for the purpose.
32-bit service on 64-bit windows?
Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Or do I need a 64-bit jvm to do that? Or do I need TC 6.0.x? If I need tc6, which jvm is needed? Or will either work? My app doesn't stretch the memory limits of the 32-bit, let alone needing 64-bit memory space. Thanks! D
RE: 32-bit service on 64-bit windows?
From: David kerber [mailto:dcker...@verizon.net] Subject: 32-bit service on 64-bit windows? Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Yes. The mode of the service wrapper must match the mode of the JVM to be used, not the mode of the OS. Note that the 5.5.28 .exe installer incorrectly checks the mode of the OS rather than the JVM, so it will install the wrong service wrapper for your situation. The easiest way around this is to use the .zip download, which includes the 32-bit service wrapper. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Tomcat: two context path for one webapp
From: AlbundySzabolcs [mailto:albundyalbu...@freemail.hu] Subject: Tomcat: two context path for one webapp I have a web app and this web app is deployed to the $TOMCAT_HOME/webapps/XXX directory. I can reach that on the http://localhost:8080/XXX address BUT, I would like to reach the web app on the http://localhost:8080/YYY address too. The easiest way is to just use a URL rewrite filter to forward or redirect all requests for the secondary name to the real one: http://tuckey.org/urlrewrite/ You don't need to go through the unnecessary hassle and performance degradation of adding httpd to the mix. - Chuck
Token Security
Hi, I've been asked to put some security in place for a website, at the moment there are two requirements with a possible extension; 1) The referer must be XXX (configurable) 2) There must be a token passed either GET or POST in the URL which matches some internally generated code. The possible extension would be the token passed in would be sent to (another) webserver for validation. I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched. I've seen reference to where auth-method can be NONE which I assume is right (since none of the others are) but am at a loss as to how to get this to work. Thanks for any advice or pointers to documentation. Regards, John.
Re: 32-bit service on 64-bit windows?
David kerber wrote: Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Or do I need a 64-bit jvm to do that? Or do I need TC 6.0.x? If I need tc6, which jvm is needed? Or will either work? My app doesn't stretch the memory limits of the 32-bit, let alone needing 64-bit memory space.
I believe that this has been discussed, extensively, under various guises on this forum. So you may want to search the archives. But, since it is not, to my knowledge, clearly expressed on the Tomcat website, let me try a summary :
- 32-bit .exe programs seem not to run under 64-bit Windows, and vice-versa 64-bit .exe programs not to run under 32-bit Windows.
- the Java JVM is at least in part a .exe program, so it will have to be a version matching the platform bit-ness
- the JVM is not included in Tomcat downloads, so that's a bit you'll have to find out elsewhere, and install by yourself.
- Tomcat itself on the other hand is a Java application, which should run unchanged under a 32-bit or 64-bit JVM, so there is only one Tomcat
- but, under Windows and to run it (the JVM which will run Tomcat) as a Windows Service, one additional piece is needed, the (in)famous tomcatX.exe, which is a .exe wrapper around the JVM, making it behave like a Windows Service is supposed to. (This tomcatX.exe (where X is the tomcat major version), is in fact always the same program, just renamed for version's sake.) Being an .exe program, it also thus needs to have the appropriate bit-ness for the platform at hand.
- when you install Tomcat 6 on a Windows system, from the downloadable exe or windows service installer version, I believe that we are told that it does the right thing, installing the appropriate 32-bit or 64-bit tomcatX.exe, as appropriate to the platform. (We are however told this by word of mouth on this list, because the fact is not mentioned on the Tomcat download page).
- when you download and install the .zip version however - planning to configure it yourself as a service later using supplied .bat files - then for some reason not both the 32-bit and 64-bit versions of the wrapper are included, and only the 32-bit version is. Which leaves the hapless would-be 64-bit installer (person) in a bind, because it is not clear where on the Tomcat website one finds the 64-bit version. Not on the download page, that's certain. (although that information has been provided many times in this list's archives, and might even be buried in a FAQ).
It is also rather distressing, and puzzling, that when one downloads and installs the .exe version, one does not receive all the same files which are included in the .zip version. This fact alone has caused these list archives to be much more voluminous than they would otherwise be.
Re: 32-bit service on 64-bit windows?
Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: 32-bit service on 64-bit windows? Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Yes. The mode of the service wrapper must match the mode of the JVM to be used, not the mode of the OS. Note that the 5.5.28 .exe installer incorrectly checks the mode of the OS rather than the JVM, so it will install the wrong service wrapper for your situation. The easiest way around this is to use the .zip download, which includes the 32-bit service wrapper. Well, you don't say. No sooner do I post a piece of wisdom to this list, that I am instantly being contradicted by one of the sommities on it. So, is it true, can one run 32-bit programs on 64-bit Windows ? I was under the impression that this did not work, having had a number of error messages that last time I had a chance to try.
Re: 32-bit service on 64-bit windows?
André Warnier wrote: Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: 32-bit service on 64-bit windows? Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Yes. The mode of the service wrapper must match the mode of the JVM to be used, not the mode of the OS. Note that the 5.5.28 .exe installer incorrectly checks the mode of the OS rather than the JVM, so it will install the wrong service wrapper for your situation. The easiest way around this is to use the .zip download, which includes the 32-bit service wrapper. Well, you don't say. No sooner do I post a piece of wisdom to this list, that I am instantly being contradicted by one of the sommities on it. So, is it true, can one run 32-bit programs on 64-bit Windows ? I was under the impression that this did not work, having had a number of error messages that last time I had a chance to try. It depends on the .exe, but in my experience, most user applications will work. Ones that try to run as a service may be an exception; this is the first time I've tried to install a service on x64. D
Re: 32-bit service on 64-bit windows?
David kerber wrote: André Warnier wrote: Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: 32-bit service on 64-bit windows? Can I install a 32-bit jvm and create a tc 5.5.28 service on win 2008 64-bit server? Yes. The mode of the service wrapper must match the mode of the JVM to be used, not the mode of the OS. Note that the 5.5.28 .exe installer incorrectly checks the mode of the OS rather than the JVM, so it will install the wrong service wrapper for your situation. The easiest way around this is to use the .zip download, which includes the 32-bit service wrapper. Well, you don't say. No sooner do I post a piece of wisdom to this list, that I am instantly being contradicted by one of the sommities on it. So, is it true, can one run 32-bit programs on 64-bit Windows ? I was under the impression that this did not work, having had a number of error messages that last time I had a chance to try. It depends on the .exe, but in my experience, most user applications will work. Ones that try to run as a service may be an exception; this is the first time I've tried to install a service on x64. It looks like in addition I have an attention problem, because I missed Chuck's first phrase above. Apart from that, I know that I have a Tomcat 5.5 running as a Windows service somewhere under a 64-bit Windows XP. But I thought I remembered needing for that a 64-bit JVM, and I also needed a 64-bit tomcatX.exe, but which bitness I associated with the platform, not with the JVM. But now I am a bit confused again, because it seems that the bitness of the tomcatX.exe has not to do with the platform, but everything to do with the chosen JVM, which could be a 32-bit version even on a 64-bit platform. So is this tomcatX.exe then always a 32-bit application ?
Error - Unable to open the service 'Tomcat6' on Windows 2003
Hi, I have installed the Tomcat 6.0.20 on windows 2003 server. Which runs as local system account. Tomcat services run fine. Different user group login to that windows server for different purpose via Remote Desktop. If a user who is not administrator on the box login via Remote Desktop - The user always gets the message that *Application System Error* *Access Denied* *Unable to open the service 'Tomcat6'* Which is annoying for the users. Once the user ignore the message user can launch the tomcat home page and also webapp on that tomcat server. Is there any way to avoid the message when login via remote desktop for non administrator user?
RE: 32-bit service on 64-bit windows?
From: André Warnier [mailto:a...@ice-sa.com] Subject: Re: 32-bit service on 64-bit windows? So, is it true, can one run 32-bit programs on 64-bit Windows ? Yes, you've always been able to run 32-bit programs on x86-64 versions of Windows. (The older and deservedly maligned IA64 versions of Windows were not so compatible.) But I thought I remembered needing for that a 64-bit JVM, and I also needed a 64-bit tomcatX.exe, but which bitness I associated with the platform, not with the JVM. Nope, 32-bit JVMs work fine on 64-bit Windows. it seems that the bitness of the tomcatX.exe has not to do with the platform, but everything to do with the chosen JVM, which could be a 32-bit version even on a 64-bit platform. Which is what I said in the first response. So is this tomcatX.exe then always a 32-bit application ? No, there are 32- and 64-bit versions of tomcatX.exe available; you must choose the one that matches the mode of the JVM you intend to use. - Chuck
Re: 32-bit service on 64-bit windows?
On 11/11/09 20:27, André Warnier wrote: David kerber wrote: - 32-bit .exe programs seem not to run under 64-bit Windows, and vice-versa 64-bit .exe programs not to run under 32-bit Windows. Not true. Like Charles said, tomcat6.exe must match the JVM Even more tomcat6w.exe is always 32 bit Regards -- ^TM
Re: [OT] ConnectionPool question
Chris, I AM going to use Elli's suggestion. It's going to take some time, but I don't have to worry, once it's done, it'll be done correctly. Not only did I get yelled at for having the audacity to write up procedures for the developers on my team (assuming I ever get another team), but I told my company that the procedures I wrote up needed to be used on ALL dev teams. I thought 99% of it was common sense, but I guess not. On Tue, Nov 10, 2009 at 3:40 PM, Christopher Schultz ch...@christopherschultz.net wrote: Josh, On 11/10/2009 9:18 AM, Josh Gooding wrote: the reason there are multiple recycleConnection methods is because if a RS is passed to the front presentation layer, I have to have a way to close it, I have to be able to get the statement and connection somehow, and I don't want that in my code. I was assuming that you were going to use Elli's suggestion to use a ThreadLocal to capture any allocated Connection objects, and just close everything at the end of the request processing. If you're going to do that, you can be lazy about it and just always close everything. From everything that everyone here has said, to semi fix this right: 1 - Each method that calls the DB for a RS needs to get its own connection and close the resources itself (keeping it in the same scope) This is, of course, recommended technique. 2 - The CP wrapper that is here, CAN be used, but could end up causing more problems in the long run. Well, yes and no. Yes in the sense that you shouldn't encourage the kind of coding behavior that's been exhibited in the past: by writing such a wrapper and clean-up code, you (might) encourage laziness and make the problem worse rather than better. No in the sense that I don't believe this solution is actually going to exacerbate the actual problem itself. Good luck, -chris
RE: [OT] ConnectionPool question
From: Josh Gooding [mailto:josh.good...@gmail.com] Subject: Re: [OT] ConnectionPool question Not only did I get yelled at for having the audacity to write up procedures for the developers on my team But we've always done it that way... A long habit of not thinking a thing wrong, gives it a superficial appearance of being right. - Thomas Paine, 1776 - Chuck
Re: [OT] ConnectionPool question
Yup, No wonder my shop is in so much trouble. No procedures, no brainstorming, no project management, no best practices, just a shoot from the hip, Git-R-Done attitude. I liked that so much it's now hanging in my cube :) - Josh On Wed, Nov 11, 2009 at 3:33 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote: From: Josh Gooding [mailto:josh.good...@gmail.com] Subject: Re: [OT] ConnectionPool question Not only did I get yelled at for having the audacity to write up procedures for the developers on my team But we've always done it that way... A long habit of not thinking a thing wrong, gives it a superficial appearance of being right. - Thomas Paine, 1776 - Chuck
RE: [OT] ConnectionPool question
That's good stuff, Chuck - and sadly, so prevalent among many places as the thought process. -Original Message- From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] Sent: Wednesday, November 11, 2009 2:34 PM To: Tomcat Users List Subject: RE: [OT] ConnectionPool question From: Josh Gooding [mailto:josh.good...@gmail.com] Subject: Re: [OT] ConnectionPool question Not only did I get yelled at for having the audacity to write up procedures for the developers on my team But we've always done it that way... A long habit of not thinking a thing wrong, gives it a superficial appearance of being right. - Thomas Paine, 1776 - Chuck
Re: tomcat: bandwidth limiter / transfer rate limit ?
Pieroxy, On 11/11/2009 12:04 PM, pieroxy wrote: There is no reason it would hurt performance (and why are you mentioning sleeping threads?). Well, if bytes are available for sending faster than the bandwidth-limiter is willing to go, then.. you ... have ... to wait. How else to wait other than sleeping your thread? Do-nothing loop? In any case, you need to count the number of bytes transferred, and the filter would do just that. Then you probably need to persist this information along with the logged in user somewhere. Logging is not sufficient. The OP wants to /limit the bandwidth/ of the connection, not just do accounting on it. -chris
Re: tomcat: bandwidth limiter / transfer rate limit ?
André, On 11/11/2009 1:43 PM, André Warnier wrote: Cae Fernandes wrote: Well, It's not about counting the bytes, but making the connection slower. Like, if I would output only a certain amount of bytes per second, I'd have to output them and make the thread sleep for a certain amount of milliseconds. That's why I mentioned sleeping threads. Yes, but isn't *any* solution, in the end, going to have the same effect ? Er, yes. I mean, suppose that you have a direct connection between Tomcat and the client, and that the client is behind a very slow (physical) connection. At some point, the webapp is going to want to output something to the client, but all buffers will be full waiting for the client to receive them, and whatever is sending them will have to wait. Whether that wait is a sleep decided at the level of the application, or at the level of the OS, is rather immaterial. The webapp/thread will wait anyway. Correct. But it's a reasonable assumption that the client will be able to consume more bandwidth than you're trying to target as the limit. Otherwise, that's not exactly called limiting now is it? :) The only way to avoid that would be to have, between Tomcat and the client, some appliance (software or hardware) which would buffer the Tomcat output and send it to the client at the rate it will accept, or at the rate that you decide. An Apache front-end might be able to do that, if it has some add-on module for the purpose. There are some, mentioned in Cae's original post: mod_curb and mod_cband. He'd prefer a Tomcat-only solution, so we're focusing on that for now. -chris
Re: remote debug
To whom it may concern,

On 11/11/2009 9:52 AM, maven apache wrote:
> So I start to config remote debug in tomcat.

How do you start Tomcat? Using bin\startup.bat?

> After modify the catalina.bat

Okay, you are using bin\startup.bat, then? You ought to be able to use environment variables to affect this and not actually change catalina.bat, but it's okay to do that, too.

Please post the changes you made to catalina.bat. Also, please confirm that you start Tomcat by using bin\startup.bat. If you use Eclipse to start Tomcat, it might be ignoring that configuration.

-chris
Re: Token Security
John Morrison wrote:
> Hi,
>
> I've been asked to put some security in place for a website, at the moment there are two requirements with a possible extension;
>
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which matches some internally generated code.
>
> The possible extension would be the token passed in would be sent to (another) webserver for validation.
>
> I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched.

I'd just use a filter.

Mark
Re: A question about mod_jk 1.2.28 configuration
Thomas,

On 11/11/2009 9:45 AM, thomas2004 wrote:
>> 20-40 minutes is an unreasonable amount of time to wait for an HTTP request to complete. I recommend changing your architecture so that HTTP requests don't have to take so long.
>
> Surely is a good idea. But the situation is we just host the application for our customer who will do not want to change their program. They said it works by mod_jk 1.2.26, why not by 1.2.28? I am not able to give them a satisfied answer.

Well, Rainer Jung (one of the main authors of mod_jk) apparently can't come up with a good answer, and I have nothing to add. I suspect this has little to do with the version of mod_jk, but who knows?

If mod_jk 1.2.26 works and 1.2.28 does not, it seems reasonable to stick with 1.2.26 for the time being. If you're willing to work with Rainer on debugging this, perhaps he can figure out what's wrong and fix it.

-chris
Re: tomcat 5.5.25 - Multiple Connectors and performance lost
Simão,

On 11/11/2009 6:42 AM, Simão Fontes wrote:
> The 2 applications being used serve different purposes, one presents a terms search in a index, the other application is meant to show archived pages, similar to what happens in internet archive (internetarchive.org). For the second application to work it needs to contact the first so that it can locate the required files to show the user.

Ok.

> But my main problem is the increase in response time, does having a lot of connectors cause thread synchronization issues?

There shouldn't be any synchronization issues, here, unless your applications have introduced them. Each request processing thread operates independently and only encounters synchronization when entering/exiting the connection pool or accessing session data. If you make a loopback call (one request triggers a request back to the same Tomcat instance), the two threads shouldn't interfere with each other at all (again, unless your webapp does some locking).

> Does any one have a reason for such an increase in time, from 1 sec to 16?

I can't imagine why this might be happening. Is this easily reproduced? With a 16-second delay? If so, issue a request to the primary service, wait 'till it stalls (which should be pretty much immediately) and then take a thread dump of your JVM. In fact, take several and save them to separate files. Then, look to see what (if any) differences there are and what your threads are doing during that delay. This will give you some insight into why your threads are waiting.

Another option for you, instead of setting up two Service declarations, would be to set up a Connector that binds to 127.0.0.1 and is used exclusively by one app to access the others. That way, you could ensure that there are enough threads to service as many requests as come into the primary webapp even if all of them require a call to the secondary one.

-chris
Re: Token Security
On Wed, November 11, 2009 9:51 pm, Mark Thomas wrote:
> John Morrison wrote:
>> Hi,
>>
>> I've been asked to put some security in place for a website, at the moment there are two requirements with a possible extension;
>>
>> 1) The referer must be XXX (configurable)
>> 2) There must be a token passed either GET or POST in the URL which matches some internally generated code.
>>
>> The possible extension would be the token passed in would be sent to (another) webserver for validation.
>>
>> I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched.
>
> I'd just use a filter.
>
> Mark

Hi Mark,

I've not come across filters before - I'll look into them in more depth at work tomorrow, however could you expound upon how you would envisage it working? Does the filter cover all the resources, because once the user token has been verified I wasn't going to pass it around anymore...?

Thanks for the reply,

John.
Re: Secure login only, not rest of app
Robert,

On 11/11/2009 4:23 AM, Robert Denison wrote:
> Thanks everyone for your help, I'll take a look at this and then let everyone know how I get on.
>
> Christopher, thanks for your patient reply, sorry I missed your earlier post, I guess my googling skills aren't what I think they are!

No problem. I posted my first(ish) reply before reading your most recent post, then immediately posted this one. Rather than repeating everything, I just referenced it.

Good luck with your efforts.

-chris
Re: A question about mod_jk 1.2.28 configuration
On 11.11.2009 22:53, Christopher Schultz wrote:
> Thomas,
>
> On 11/11/2009 9:45 AM, thomas2004 wrote:
>>> 20-40 minutes is an unreasonable amount of time to wait for an HTTP request to complete. I recommend changing your architecture so that HTTP requests don't have to take so long.
>>
>> Surely is a good idea. But the situation is we just host the application for our customer who will do not want to change their program. They said it works by mod_jk 1.2.26, why not by 1.2.28? I am not able to give them a satisfied answer.
>
> Well, Rainer Jung (one of the main authors of mod_jk) apparently can't come up with a good answer, and I have nothing to add. I suspect this has little to do with the version of mod_jk, but who knows?
>
> If mod_jk 1.2.26 works and 1.2.28 does not, it seems reasonable to stick with 1.2.26 for the time being. If you're willing to work with Rainer on debugging this, perhaps he can figure out what's wrong and fix it.

Basically we already know, what the issue is and why it changed between 1.2.26 and 1.2.28. I'm hoping for Mladen to chime in, because he committed the change.

Thomas can open an issue in Bugzilla, which helps us not forgetting it. Topic: Socket read returns EAGAIN during long wait.

Regards,

Rainer
Re: Token Security
John,

On 11/11/2009 2:11 PM, John Morrison wrote:
> 1) The referer must be XXX (configurable)
> 2) There must be a token passed either GET or POST in the URL which matches some internally generated code.

I agree with Mark: a relatively simple Filter could be implemented that prohibits access unless the above requirements are met.

These requirements don't really authenticate the user in any way, do they? Do you have to populate a Principal object in the request and then use that to do authorization? Or, do you just need to prevent unauthorized people from getting in?

> I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched.
>
> I've seen reference to where auth-method can be NONE which I assume is right (since none of the others are) but am at a loss as to how to get this to work.

You could always make your login page just look like a Forbidden page. There's nothing that says a login page has to contain a login form :)

-chris
Re: Token Security
Hi Christopher,

On Wed, November 11, 2009 10:07 pm, Christopher Schultz wrote:
> John,
>
> On 11/11/2009 2:11 PM, John Morrison wrote:
>> 1) The referer must be XXX (configurable)
>> 2) There must be a token passed either GET or POST in the URL which matches some internally generated code.
>
> I agree with Mark: a relatively simple Filter could be implemented that prohibits access unless the above requirements are met.
>
> These requirements don't really authenticate the user in any way, do they? Do you have to populate a Principal object in the request and then use that to do authorization? Or, do you just need to prevent unauthorized people from getting in?

Correct, at the moment there is no requirement to actually authenticate the user. However, I've been told to ensure that, if the client wishes (and pays) that the solution could be expanded to do so.

Is this something like you are thinking;

If the user has a session;
    let them access what they want
else if the requested url has a param/value of [insert hash algor]
    set the user up with a session and let them access what they want
else
    return Access Forbidden

Is this possible in a filter? (My knowledge of them is currently 0; I'll read up on them in depth tomorrow)

>> I've been looking at this, and I *think* that I need to add a JAAS realm, but I can't work out how to not have a login page. The security must deny access unless the above is matched.
>>
>> I've seen reference to where auth-method can be NONE which I assume is right (since none of the others are) but am at a loss as to how to get this to work.
>
> You could always make your login page just look like a Forbidden page. There's nothing that says a login page has to contain a login form :)

*grin* point, however doesn't the login page get displayed before the LoginModule is called?

It's been a long time since I was active in the Apache world and I'm afraid my Java skills are well out of date. Please be patient.

Regards,

John.
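The session, then token, then Forbidden flow sketched in the message above, written as a servlet Filter. This is an added example, not code from the thread; the class name, the init-param names `allowedRefererOrigin` and `expectedToken`, the request parameter name `token` and the session attribute name are all assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical names throughout). Uses the javax.servlet API
// that Tomcat 5.5/6 ships. Map the filter to the url-pattern "/*" in web.xml
// so that every resource of the webapp passes through it.
public class TokenGateFilter implements Filter {

    // Hypothetical session attribute marking a session as already verified.
    private static final String VERIFIED = "tokenGate.verified";

    private String allowedOrigin;   // e.g. "https://portal.example" (constructed value)
    private byte[] expectedToken;   // the "internally generated code"

    public void init(FilterConfig cfg) throws ServletException {
        allowedOrigin = cfg.getInitParameter("allowedRefererOrigin");
        String token = cfg.getInitParameter("expectedToken");
        // Fail closed at startup instead of running with a missing or weak config.
        if (allowedOrigin == null || token == null || token.length() < 16) {
            throw new ServletException(
                "allowedRefererOrigin and an expectedToken of 16+ characters are required");
        }
        expectedToken = token.getBytes(StandardCharsets.UTF_8);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1) "If the user has a session": only a session this filter marked counts.
        HttpSession existing = request.getSession(false);
        if (existing != null && Boolean.TRUE.equals(existing.getAttribute(VERIFIED))) {
            chain.doFilter(req, res);
            return;
        }

        // 2) Referer and token both match: create a fresh session and let the
        //    request through. getParameter() covers both GET and form POST.
        if (refererAllowed(request.getHeader("Referer"))
                && tokenMatches(request.getParameter("token"))) {
            if (existing != null) {
                existing.invalidate();   // do not reuse a pre-existing session id
            }
            request.getSession(true).setAttribute(VERIFIED, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }

        // 3) Everything else is denied.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    // Referer is a client-supplied header, so this is a policy check and the
    // token comparison carries the access decision. The match is on the whole
    // origin so that "https://portal.example.other.test/" does not pass.
    boolean refererAllowed(String referer) {
        return referer != null
            && (referer.equals(allowedOrigin) || referer.startsWith(allowedOrigin + "/"));
    }

    // Compare without an early exit on the first differing byte.
    boolean tokenMatches(String presented) {
        return presented != null
            && MessageDigest.isEqual(expectedToken, presented.getBytes(StandardCharsets.UTF_8));
    }

    public void destroy() {
        // nothing to release
    }
}
```

Because the verified flag lives in the session, the token only has to appear on the first request and does not need to be passed around afterwards.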
AprHttp11 Connector - unable to locate certificates
I am unable to get APR connector working. I have built APR, configured the connector, generated certificates, updated the environment (LD_LIBRARY_PATH) and it cannot find the certificates when an authentication is required.

I have supplied all the relevant details below. I would appreciate any insights into why it's unable to find the certificates.

Environment:

    # openssl version
    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    #
    #
    # java version 1.6.0_01
    Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
    Java HotSpot(TM) Server VM (build 1.6.0_01-b06, mixed mode)
    #
    #
    # uname -srvompi
    Linux 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686 i386 GNU/Linux

    # Tomcat version: 6.0.14
    # APR version (built from source on RHEL5): 1.3.8

Configuration:

* APR is built and installed in /usr/local/apr:

    # ls -l /usr/local/apr/lib
    total 3212
    -rwxr-xr-x 1 root root    8130 Nov  2 09:48 apr.exp
    -rwxr-xr-x 1 root root  806678 Nov  2 09:48 libapr-1.a
    -rwxr-xr-x 1 root root     838 Nov  2 09:48 libapr-1.la
    lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so -> libapr-1.so.0.3.8
    lrwxrwxrwx 1 root root      17 Nov 10 12:07 libapr-1.so.0 -> libapr-1.so.0.3.8
    -rwxr-xr-x 1 root root  549998 Nov  2 09:48 libapr-1.so.0.3.8
    -rwxr-xr-x 1 root root 1113618 Nov  2 10:52 libtcnative-1.a
    -rwxr-xr-x 1 root root     921 Nov  2 10:52 libtcnative-1.la
    lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so -> libtcnative-1.so.0.1.16
    lrwxrwxrwx 1 root root      23 Nov 10 12:07 libtcnative-1.so.0 -> libtcnative-1.so.0.1.16
    -rwxr-xr-x 1 root root  777409 Nov  2 10:52 libtcnative-1.so.0.1.16
    drwxr-xr-x 2 root root    4096 Nov  2 10:52 pkgconfig

* Standalone Tomcat with an HTTP and an APR connector.

* Relevant excerpts from ${catalina.home}/conf/server.xml:

    <!--APR library loader. Documentation at /docs/apr.html -->
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    //...
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLCertificateFile="${catalina.home}/conf/server.cert" SSLCertificateKeyFile="${catalina.home}/conf/server.key" />
    //...

* LD_LIBRARY_PATH is set in ${catalina.home}/bin/setenv.sh as follows:

    export LD_LIBRARY_PATH=/usr/local/apr/lib:${LD_LIBRARY_PATH}

Key/Certificate Generation:

    # export CATALINA_HOME=/usr/local/apache-tomcat
    # export CATALINA_CONF=${CATALINA_HOME}/conf
    # rm -fr ${CATALINA_CONF}/server.cert
    # rm -fr ${CATALINA_CONF}/server.key
    # openssl genrsa -out $CATALINA_CONF/server.key 2048
    openssl req -new -x509 -days 1095 -key $CATALINA_CONF/server.key -out $CATALINA_CONF/server.cert < $CATALINA_CONF/cert.input

where $CATALINA_CONF/cert.input contains:

    US
    CA
    MyCity
    MyCompany Inc
    My Dept.
    myhost.mycompany.com
    nob...@mycompany.com

Logs:

APR connector is initialized (seemingly) correctly:

    Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: Loaded Apache Tomcat Native library 1.1.16.
    Nov 10, 2009 1:54:21 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    Nov 10, 2009 1:54:22 PM org.apache.coyote.http11.Http11AprProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8443
    Nov 10, 2009 1:54:22 PM org.apache.coyote.ajp.AjpAprProtocol init
    INFO: Initializing Coyote AJP/1.3 on ajp-8009
    Nov 10, 2009 1:54:22 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 1440 ms
    Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Nov 10, 2009 1:54:22 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/6.0.14
    //...

... but it fails to find the certificate when an authentication is required:

    2009-11-10 16:18:59,622 INFO [http-8443-1] cas.CentralAuthenticationServiceImpl:229 - Granted service ticket [ST-1-QnrXKg6DAe4RTxUsSexs-cas] for service [http://myhost.mycompany.com:8080/myapp] for user [johndoe]
    2009-11-10 16:18:59,720 ERROR [http-8443-1] validation.Cas20ProxyTicketValidator:49 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to
Re: remote debug
2009/11/12 Christopher Schultz ch...@christopherschultz.net

> To whom it may concern,
>
> On 11/11/2009 9:52 AM, maven apache wrote:
>> So I start to config remote debug in tomcat.
>
> How do you start Tomcat? Using bin\startup.bat?
>
>> After modify the catalina.bat
>
> Okay, you are using bin\startup.bat, then? You ought to be able to use environment variables to affect this and not actually change catalina.bat, but it's okay to do that, too.
>
> Please post the changes you made to catalina.bat.

Thanks for your attention. Actually I did not modify the catalina.bat directly, I create a new bat named debug.bat in the same directory, the content of the debug.bat is:

---
cd %CATALINE_HOME%/bin
set JPDA_ADDRESS=1044
set JPDA_TRANSPORT=dt_socket
set CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=1044
startup
---

Then I start the tomcat with the debug.bat.

> Also, please confirm that you start Tomcat by using bin\startup.bat. If you use Eclipse to start Tomcat, it might be ignoring that configuration.

I think so, I start the tomcat manually.

> -chris
Re: How to set up tomcat and truststore
Luciana Moreira Sa de Souza Signed by - PrivaSphere AG s...@privasphere.com wrote in message news:4afaead4.30...@privasphere.com...
> Hi Jorge,
>
> thx for your quick reply. Maybe I did not explain my problem well enough, so let me elaborate it a bit more.
>
> In our platform clients can upload their self-signed certificates to allow them to login to our platform. If we add all client certificates to the static truststore file as per |truststoreFile| of
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File
> we end up having a scalability problem during handshake. This happens since the server must inform which client certificates issuers are accepted by the server, so having 50'000 self-signed DNs concatenated as a string doesn't really vouch for a quick TLS handshake.
>
> This is the reason why we do a second level authentication in our own realm implementation or the application layer against our own dynamic truststore. But for this to be possible, an initial handshake must occur where the client provides his certificate to the platform.
>
> So, we split authentication into two steps:
> i) establish a secure tunnel without the harmful renegotiation to someone
> ii) once that is done, ensure the someone is who we like without the need for TLS-renegotiation
>
> On the application layer we can get the client certificate chain through:
>
> X509Certificate certs[] = (X509Certificate[]) request.getAttribute(org.apache.catalina.Globals.CERTIFICATES_ATTR);
>
> And then we validate it against our own truststore.
>
> The main problem is reaching this stage with any client certificate. So my question is:
>
> 1) is the above mentioned |truststoreFile| attribute mandatory or not?

It is mandatory if you want to use the default JSSE connector. It's not needed if you use the APR connector, and set SSLVerifyClient=optionalNoCA (see http://tomcat.apache.org/tomcat-5.5-doc/apr.html for more details). However, this prompts for a cert the first time that the client connects, and there is currently no option to ask for a cert later if they don't supply one on the initial connection.

> 2) is there a way to tell the JSSESupport class not to send the issuer-DN list, but a wildcard for any issuer? (perhaps this could just be a * in the |truststoreFile| attribute, anyway it would be great to know whether this is a mandatory attribute or an optional one

Not to my knowledge. The JSSESupport class entirely relies on the underlying JSSE in the JVM. It doesn't touch the SSL layer by itself. It might be possible to implement a custom TrustManagerFactory that does this, but I haven't looked into it.

> ==> pls document in the above cited howto.html)
>
> Best regards,
> Luciana Moreira
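The second authentication step described in the message above, checking the presented client certificate in the application against a store that can change at runtime instead of against the connector's truststoreFile. This is an added example, not code from the thread; the class and method names are assumptions, and pinning uploaded self-signed certificates by SHA-256 fingerprint is one possible design, not necessarily the poster's.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class). Membership is an O(1) set lookup on the
// certificate fingerprint, so the number of enrolled clients has no effect on
// the TLS handshake: nothing from this store is sent as an accepted-issuer list.
public class DynamicClientCertStore {

    // Hex SHA-256 fingerprints of the certificates clients have uploaded.
    private final Set<String> pinned = ConcurrentHashMap.newKeySet();

    /** Hex SHA-256 over the DER encoding of the certificate. */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Enrol an uploaded certificate. It must be inside its validity period and
     * must verify under its own public key, i.e. actually be self-signed.
     */
    public void register(X509Certificate uploaded) throws GeneralSecurityException {
        uploaded.checkValidity();
        uploaded.verify(uploaded.getPublicKey());
        pinned.add(fingerprint(uploaded));
    }

    /** Remove a certificate, for example when a client rotates or loses a key. */
    public boolean revoke(X509Certificate cert) throws GeneralSecurityException {
        return pinned.remove(fingerprint(cert));
    }

    /**
     * Decide on the chain the connector exposes to the webapp, e.g. the array
     * read from the request attribute quoted in the message above. The TLS
     * handshake has already proved possession of the private key; what is left
     * is whether this exact certificate is enrolled and still valid.
     * Fails closed on a missing chain or any certificate error.
     */
    public boolean isTrusted(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return false;               // client sent no certificate
        }
        X509Certificate leaf = chain[0]; // the client's own certificate comes first
        try {
            leaf.checkValidity();        // expired or not-yet-valid certificates are rejected
            return pinned.contains(fingerprint(leaf));
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```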
Re: [OT] WebappClassLoader and undeploy
Tomcat 5.5 version + log message when executed:

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements. See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.catalina.core;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

import javax.imageio.ImageIO;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.tomcat.util.res.StringManager;

/**
 * Provide a workaround for known places where the Java Runtime environment can
 * cause a memory leak or lock files.
 * <p>
 * Memory leaks occur when JRE code uses
 * the context class loader to load a singleton as this will cause a memory leak
 * if a web application class loader happens to be the context class loader at
 * the time. The work-around is to initialise these singletons when Tomcat's
 * common class loader is the context class loader.
 * <p>
 * Locked files usually occur when a resource inside a JAR is accessed without
 * first disabling Jar URL connection caching. The workaround is to disable this
 * caching by default.
 */
public class JreMemoryLeakPreventionListener implements LifecycleListener {

    protected static final Log log =
        LogFactory.getLog(JreMemoryLeakPreventionListener.class);
    protected static final StringManager sm =
        StringManager.getManager(Constants.Package);

    /**
     * Protect against the memory leak caused when the first call to
     * <code>sun.awt.AppContext.getAppContext()</code> is triggered by a web
     * application. Defaults to <code>true</code>.
     */
    protected boolean appContextProtection = true;
    public boolean isAppContextProtection() { return appContextProtection; }
    public void setAppContextProtection(boolean appContextProtection) {
        this.appContextProtection = appContextProtection;
    }

    /**
     * Protect against resources being read for JAR files and, as a side-effect,
     * the JAR file becoming locked. Note this disables caching for all
     * {@link URLConnection}s, regardless of type. Defaults to
     * <code>true</code>.
     */
    protected boolean urlCacheProtection = true;
    public boolean isUrlCacheProtection() { return urlCacheProtection; }
    public void setUrlCacheProtection(boolean urlCacheProtection) {
        this.urlCacheProtection = urlCacheProtection;
    }

    public void lifecycleEvent(LifecycleEvent event) {
        // Initialise these classes when Tomcat starts
        if (Lifecycle.INIT_EVENT.equals(event.getType())) {

            log.info("Running JreMemoryLeakPreventionListener (appContextProtection="
                    + appContextProtection + ", urlCacheProtection="
                    + urlCacheProtection + ')');

            /*
             * Several components end up calling:
             * sun.awt.AppContext.getAppContext()
             *
             * Those libraries / components known to trigger memory leaks due to
             * eventual calls to getAppContext() are:
             * - Google Web Toolkit via its use of javax.imageio
             * - Tomcat via its use of java.beans.Introspector.flushCaches() in
             *   1.6.0_15 onwards
             * - others TBD
             */

            // Trigger a call to sun.awt.AppContext.getAppContext(). This will
            // pin the common class loader in memory but that shouldn't be an
            // issue.
            if (appContextProtection) {
                ImageIO.getCacheDirectory();
            }

            /*
             * Several components end up opening JarURLConnections without first
             * disabling caching. This effectively locks the file. Whilst more
             * noticeable and harder to ignore on Windows, it affects all
             * operating systems.
             *
             * Those libraries/components known to trigger this issue include:
             * - log4j versions 1.2.15 and earlier
             * - javax.xml.bind.JAXBContext.newInstance()
             */

            // Set the default URL caching policy to not to cache
            if (urlCacheProtection) {
                try {
                    //
Tomcat 6 encoding issue
We are facing an encoding issue in apache-tomcat-6.0.20. This is working in tomcat 5.5.23. We are trying to make a get request to external site. The page contains some utf-8 characters. When we access the page from the application we are getting the following error. Can you please help us to resolve this issue. Any help is appreciated.

WARNING: Handler caused Not an ISO 8859-1 character: 83
java.io.CharConversionException: Not an ISO 8859-1 character: 83
    at javax.servlet.ServletOutputStream.print(ServletOutputStream.java:89)
    at
    at java.io.OutputStream.write(OutputStream.java:99)
Re: [OT] WebappClassLoader and undeploy
Actually Mark can you take a quick look at the class I sent and see if it makes sense. I swapped juli with commons logging (which is in bin) but now I am not sure this is necessary, this library may already be loaded regardless of this filter.

E
Re: Tomcat 6 encoding issue
Which library are you using to get the external page? java.net? HttpClient?

What do you do with the page that you download? It looks from the exception that you are writing it to the servlet IO, is that the case?

Are both of your tomcats running on the same JVM version?

E

On Wed, Nov 11, 2009 at 8:10 PM, pramodpm pramod_me...@satyam.com wrote:
> We are facing an encoding issue in apache-tomcat-6.0.20. This is working in tomcat 5.5.23. We are trying to make a get request to external site. The page contains some utf-8 characters. When we access the page from the application we are getting the following error. Can you please help us to resolve this issue. Any help is appreciated.
>
> WARNING: Handler caused Not an ISO 8859-1 character: 83
> java.io.CharConversionException: Not an ISO 8859-1 character: 83
>     at javax.servlet.ServletOutputStream.print(ServletOutputStream.java:89)
>     at
>     at java.io.OutputStream.write(OutputStream.java:99)