Re: jdbc driver location in TC 7
On 1:59 PM, Pid * wrote: On 25 Mar 2012, at 03:10, Terence M. Bandoiantere...@tmbsw.com wrote: On 1:59 PM, Pid * wrote: On 23 Mar 2012, at 21:59, David Kerberdcker...@verizon.net wrote: On 3/23/2012 6:51 PM, Terence M. Bandoian wrote: On 1:59 PM, David kerber wrote: On 3/23/2012 11:19 AM, Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: jdbc driver location in TC 7 Where is the recommended location for jdbc driver jars in TC7, when I'm using separate CATALINA_HOME and CATALINA_BASE locations? If you look in conf/catalina.properties, you'll see the order in which the common loader searches directories. If it makes a difference, I am not using tomcat's connection pooling; it's handled in my app. That's a critical difference. I generally would prefer to put it in my webapp's lib directory That is the correct location, since Tomcat is not involved. Great; thanks for confirming. D Hi, David- I prefer the web app's lib directory as well but when I place the JDBC driver there, a memory leak detection error is logged when I stop Tomcat. Not a big deal but I'd prefer not to have to explain. When I move the JDBC driver to the Tomcat lib directory, the error is no longer logged. (Tomcat 6) Even better would be to fix your probable connection leak. I had some too, when I went to a version that had the leak detection, but was able to fix them all. D Yup. Just deregister the DB driver on app stop using a ServletContexListener. p Thanks. I'll give that a try. Wouldn't I see a connection leak no matter where I placed the driver? Only if you're not returning / cleaning up connection objects properly. De-registering the driver may do the trick. This addresses the driver leak warning by Tomcat. p Exactly. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Windows Connector Binaries have wrong Module Magic Number for httpd-2.4
On 03/26/2012 12:32 AM, Tom Donovan wrote: The Windows connector 1.2.35 binaries for httpd-2.4 at: http://www.apache.org/dist/tomcat/tomcat-connectors/jk/binaries/windows/ appear to have been built with the wrong httpd Module Magic Number: 20120109. The startup error message is: Module mod_jk.c is not compatible with this version of Apache (found 20120109, need 20120211) Note that httpd-2.4.0 never shipped, so 2.4.1 is the first 2.4.x release. httpd-2.4.1 has MMN: 20120211:0 Updated httpd-2.4.x binaries to match 2.4.1 MMN. Give couple of hours till the mirrors sync. ... and BTW, there were no official 1.2.35 ANN, so they actually do not exist :) ... but I'm going to write [ANN] in couple of hours. Regards -- ^TM - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
AccessControlException when starting embedded Tomcat from Java Webstart
Hello, for our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar. But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393) at java.security.AccessController.checkPermission(AccessController.java:553) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291) at java.lang.ClassLoader.loadClass(ClassLoader.java:266) at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018) at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2444) at java.lang.Class.getMethod0(Class.java:2687) at java.lang.Class.getMethod(Class.java:1620) at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276) ... 33 more Of course kunagi.jar is signed, otherwise it wouldn't even start. It seams Java WebStart enables Java Security globally, which somehow embedded Tomcat inherits and fails to initialize. Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...? I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions... Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessControlException when starting embedded Tomcat from Java Webstart
On 26/03/2012 10:32, Witoslaw Koczewski wrote: Hello, for our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar. But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393) at java.security.AccessController.checkPermission(AccessController.java:553) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291) at java.lang.ClassLoader.loadClass(ClassLoader.java:266) at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018) at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2444) at java.lang.Class.getMethod0(Class.java:2687) at java.lang.Class.getMethod(Class.java:1620) at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639) at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276) ... 33 more Of course kunagi.jar is signed, otherwise it wouldn't even start. It seams Java WebStart enables Java Security globally, which somehow embedded Tomcat inherits and fails to initialize. Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...? There's a file called catalina.policy in tomcat/conf, which has some rules in it. You'll need compare those rules to the ones implemented in the client's policy file to work out what you need to add. I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions... Really. URL please? p Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: AccessControlException when starting embedded Tomcat from Java Webstart
There's a file called catalina.policy in tomcat/conf, which has some rules in it. You'll need compare those rules to the ones implemented in the client's policy file to work out what you need to add. Since I am using embedded Tomcat, there is no catalina.policy :-( Can't I just disable the checks in Tomcat? I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions... Really. URL please? http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: jdbc driver location in TC 7
On 1:59 PM, Pid * wrote: On 25 Mar 2012, at 03:10, Terence M. Bandoiantere...@tmbsw.com wrote: On 1:59 PM, Pid * wrote: On 23 Mar 2012, at 21:59, David Kerberdcker...@verizon.net wrote: On 3/23/2012 6:51 PM, Terence M. Bandoian wrote: On 1:59 PM, David kerber wrote: On 3/23/2012 11:19 AM, Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: jdbc driver location in TC 7 Where is the recommended location for jdbc driver jars in TC7, when I'm using separate CATALINA_HOME and CATALINA_BASE locations? If you look in conf/catalina.properties, you'll see the order in which the common loader searches directories. If it makes a difference, I am not using tomcat's connection pooling; it's handled in my app. That's a critical difference. I generally would prefer to put it in my webapp's lib directory That is the correct location, since Tomcat is not involved. Great; thanks for confirming. D Hi, David- I prefer the web app's lib directory as well but when I place the JDBC driver there, a memory leak detection error is logged when I stop Tomcat. Not a big deal but I'd prefer not to have to explain. When I move the JDBC driver to the Tomcat lib directory, the error is no longer logged. (Tomcat 6) Even better would be to fix your probable connection leak. I had some too, when I went to a version that had the leak detection, but was able to fix them all. D Yup. Just deregister the DB driver on app stop using a ServletContexListener. p Thanks. I'll give that a try. Wouldn't I see a connection leak no matter where I placed the driver? Only if you're not returning / cleaning up connection objects properly. De-registering the driver may do the trick. This addresses the driver leak warning by Tomcat. p Thanks again. Explicitly de-registering the driver eliminated the Tomcat error message with the driver located in WEB-INF/lib. From what I've read, JDBC 4.0 drivers automatically register themselves with DriverManager but I haven't seen anything about automatic de-registration. Apparently, Tomcat (6.0.29) takes care of that if the driver is located in the Tomcat lib directory but not if it is located in web application's lib directory. Or maybe de-registration isn't a concern when Tomcat is shutting down. -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{-64, -88, 3, 16}:4000;
Hi List, Below is my server.xml configuration for session replication. Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=6/ Manager className=org.apache.catalina.ha.session.BackupManager expireSessionsOnShutdown=false notifyListenersOnReplication=true mapSendOptions=6/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=192.168.3.14 port=45564 frequency=500 dropTime=3/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=5000 selectorTimeout=5000 timeout=6 maxThreads=6/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender timeout=6 keepAliveCount=0/ /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif|.*\.js|.*\.jpeg|.*\.jpg|.*\.png|.*\.htm|.*\.html|.*\.css|.*\.txt/ ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ We are continuously getting following logging in our catalina.out. Can any one explain me why it is saying Operation has timed out(3000 ms.) How do i resolve it. I have searched the archive mail change the setting according to it. However, no luck. Server is getting high load after adding session replication for backup manager. Your valuable response will be highly appreciated. SEVERE: Unable to send message through cluster sender. org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{-64, -88, 3, 16}:4000; at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97) at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:53) at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:80) at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:78) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:87) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:73) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175) at org.apache.catalina.ha.tcp.SimpleTcpCluster.send(SimpleTcpCluster.java:816) at org.apache.catalina.ha.tcp.SimpleTcpCluster.sendClusterDomain(SimpleTcpCluster.java:794) at org.apache.catalina.ha.tcp.ReplicationValve.send(ReplicationValve.java:551) at org.apache.catalina.ha.tcp.ReplicationValve.sendMessage(ReplicationValve.java:535) at org.apache.catalina.ha.tcp.ReplicationValve.sendSessionReplicationMessage(ReplicationValve.java:517) at org.apache.catalina.ha.tcp.ReplicationValve.sendReplicationMessage(ReplicationValve.java:428) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:362) at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:209) at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:419) at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:378) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1509) at java.lang.Thread.run(Thread.java:619) Mar 26, 2012 3:30:56 PM org.apache.catalina.ha.tcp.SimpleTcpCluster memberAdded INFO: Replication member added:org.apache.catalina.tribes.membership.MemberImpl[tcp://{-64, -88, 3, 10}:4000,{-64, -88, 3, 10},4000, alive=11339404,id={45 15
Re: AccessControlException when starting embedded Tomcat from Java Webstart
On 26/03/2012 11:12, Witoslaw Koczewski wrote: There's a file called catalina.policy in tomcat/conf, which has some rules in it. You'll need compare those rules to the ones implemented in the client's policy file to work out what you need to add. Since I am using embedded Tomcat, there is no catalina.policy :-( Can't I just disable the checks in Tomcat? Yes, by applying the policy rules in the client JVM (as detailed in catalina.policy). I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions... Really. URL please? http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart Bah. p Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: jdbc driver location in TC 7
On 26/03/2012 12:30, Terence M. Bandoian wrote: On 1:59 PM, Pid * wrote: On 25 Mar 2012, at 03:10, Terence M. Bandoiantere...@tmbsw.com wrote: On 1:59 PM, Pid * wrote: On 23 Mar 2012, at 21:59, David Kerberdcker...@verizon.net wrote: On 3/23/2012 6:51 PM, Terence M. Bandoian wrote: On 1:59 PM, David kerber wrote: On 3/23/2012 11:19 AM, Caldarale, Charles R wrote: From: David kerber [mailto:dcker...@verizon.net] Subject: jdbc driver location in TC 7 Where is the recommended location for jdbc driver jars in TC7, when I'm using separate CATALINA_HOME and CATALINA_BASE locations? If you look in conf/catalina.properties, you'll see the order in which the common loader searches directories. If it makes a difference, I am not using tomcat's connection pooling; it's handled in my app. That's a critical difference. I generally would prefer to put it in my webapp's lib directory That is the correct location, since Tomcat is not involved. Great; thanks for confirming. D Hi, David- I prefer the web app's lib directory as well but when I place the JDBC driver there, a memory leak detection error is logged when I stop Tomcat. Not a big deal but I'd prefer not to have to explain. When I move the JDBC driver to the Tomcat lib directory, the error is no longer logged. (Tomcat 6) Even better would be to fix your probable connection leak. I had some too, when I went to a version that had the leak detection, but was able to fix them all. D Yup. Just deregister the DB driver on app stop using a ServletContexListener. p Thanks. I'll give that a try. Wouldn't I see a connection leak no matter where I placed the driver? Only if you're not returning / cleaning up connection objects properly. De-registering the driver may do the trick. This addresses the driver leak warning by Tomcat. p Thanks again. Explicitly de-registering the driver eliminated the Tomcat error message with the driver located in WEB-INF/lib. From what I've read, JDBC 4.0 drivers automatically register themselves with DriverManager but I haven't seen anything about automatic de-registration. Apparently, Tomcat (6.0.29) takes care of that if the driver is located in the Tomcat lib directory but not if it is located in web application's lib directory. Or maybe de-registration isn't a concern when Tomcat is shutting down. The other way round, I think. Read the warning message. p -Terence Bandoian - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: chunked encoding
On 25/03/2012 22:55, Alex Samad - Yieldbroker wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, 26 March 2012 8:47 AM To: Tomcat Users List Subject: Re: chunked encoding On 25/03/2012 08:54, Alex Samad - Yieldbroker wrote: [snip] 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding 2. RFC 2616 (the specification of HTTP/1.1 protocol) Thanks, I had also hoped to get a bit of debate on the !experimental! nature of it in the connector What makes you think it's experimental? The documentation enable_chunked_encoding A string value representing a boolean. If it is set to true, chunked encoding is supported by the server. A true value can be represented by the string 1 or any string starting with the letters T or t. A false value will be assumed for 0 or any string starting with F or f. The default value is false. This option is considered experimental and its support must be compile time enabled. Use isapi_redirect.dll with chunked support enabled. This directive has been added in version 1.2.27 Right, got it... I thought you meant chunking in general (because I wasn't paying proper attention to the thread). p -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: AccessControlException when starting embedded Tomcat from Java Webstart
On 26/03/2012 11:12, Witoslaw Koczewski wrote: There's a file called catalina.policy in tomcat/conf, which has some rules in it. You'll need compare those rules to the ones implemented in the client's policy file to work out what you need to add. Since I am using embedded Tomcat, there is no catalina.policy :-( Can't I just disable the checks in Tomcat? Yes, by applying the policy rules in the client JVM (as detailed in catalina.policy). I have configured WebStart with securityall-permissions/, why do I need to define security rules for Tomcat? Shouldn't there be a switch in Tomcat to turn off this checks? It works perfectly when starting from executable JAR file - why not work the same way when starting from WebStart? Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: configuring SSL for Tomcat with .pfx
- Original Message - Hi Daniel Thanks so much for replying. So you mentioned that I ought to import the existing PKCS12 (remedy.optinet.net_cert.pfx) keystore into a Java Keystore (remedy.optinet.net_cert.jks) using the following command: keytool -importkeystore -srckeystore remedy.optinet.net_cert.pfx -srcstoretype pkcs12 -srcstorepass password -destkeystore remedy.optinet.net_cert.jks -deststoretype jks -deststorepass password ...and then to import the root and intermediate certificates into the Java Keystore (remedy.optinet.net_cert.jks). Would I use the following commands or are these incorrect? Two things, you just don't need the -storetype option (you're using JKS which is the default and you should probably specify an alias option. keytool -import -keystore remedy.optinet.net_cert.jks -storepass password -alias root -file “c:\Thawte Primary Root CA.cer” keytool -import -keystore remedy.optinet.net_cert.jks -storepass password -alias intermediate -file “c:\Thawte SSL CA.cer” Dan keytool -import -keystore remedy.optinet.net_cert.jks -storepass password -storetype PKCS12 -file “c:\Thawte Primary Root CA.cer” keytool -import -keystore remedy.optinet.net_cert.jks -storepass password -storetype PKCS12 -file “c:\Thawte SSL CA.cer” Thanks Regards Melanie -Original Message- From: Daniel Mikusa [mailto:dmik...@vmware.com] Sent: 23 March 2012 07:21 PM To: Tomcat Users List Subject: Re: configuring SSL for Tomcat with .pfx - Original Message - Hi everyone, I have been tasked with configuring SSL for Tomcat. I am new to Tomcat configuration so I have been through the docs and consulted many different articles in an attempt to figure out how all of this works. I have been given the following (attached): * Thawte Primary Root CA.cer * Thawte SSL CA.cer * remedy.optinet.net_cert.pfx My plan was to import the root cert then the intermediate cert then the .pfx by doing the following: * keytool -import -keystore tomcat.keystore2 -storepass password -storetype PKCS12 -file c:\Thawte Primary Root CA.cer * keytool -import -keystore tomcat.keystore2 -storepass password -storetype PKCS12 -file c:\Thawte SSL CA.cer * keytool -importkeystore -deststorepass password -destkeystore c:\tomcat.keystore2 -srckeystore c:\remedy.optinet.net_cert.pfx -srcstoretype PKCS12 -srcstorepass password What if you try this... 1.) Import your existing PKCS12 keystore into a Java Keystore. keytool -importkeystore -srckeystore remedy.optinet.net_cert.pfx -srcstoretype pkcs12 -srcstorepass password -destkeystore remedy.optinet.net_cert.jks -deststoretype jks -deststorepass password 2.) Then import your root and intermediate certificates into the remedy.optinet.net_cert.jks. Alternatively, you might try a GUI utility like Keystore Explorer. http://www.lazgosoftware.com/kse/index.html Dan But got the following error when I started with the root cert: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -keystore tomcat.keystore2 -storepass password -file c:\Thawte Primary Root CA.cer keytool error: java.lang.Exception: Input not an X.509 certificate Then I imported the certificates into certmgr and exported them to X.509 and tried again got the following: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -keystore tomcat.key store2 -storepass password -storetype PKCS12 -file Thawte Primary Root CA_x.cer Owner: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US Issuer: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized us e only, OU=Certification Services Division, O=thawte, Inc., C=US Serial number: 344ed55720d5edec49f42fce37db2b6d Valid from: Fri Nov 17 02:00:00 CAT 2006 until: Thu Jul 17 01:59:59 CAT 2036 Certificate fingerprints: MD5: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 SHA1: 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 Signature algorithm name: SHA1withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] #2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ : 7B 5B 45 CF AF CE CB 7A FD 31 92 1A 6A B6 F3 46 .[Ez.1..j..F 0010: EB 57 48 50.WHP ] ] Trust this certificate? [no]: yes
Re: configuring SSL for Tomcat with .pfx
- Original Message - Hey Daniel I seem to be making progress. Here’s what I’ve done so far: Imported the existing PKCS12 (remedy.optinet.net_cert.pfx) keystore into a Java Keystore (remedy.optinet.net_cert.jks): D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -importkeystore -srckeystore C:\remedy.optinet.net_cert.pfx -srcstoretype pkcs12 -srcstorepass password -destkeystore C:\remedy.optinet.net_cert.jks -deststoretype jks -deststorepass password Entry for alias 20c65d93292c975f9dfb4204c6d2788e_dfeea05a-6260-4cd4-b6f3-cf50b6bcad85 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Then I attempted importing the root certificate (Thawte Primary Root CA.cer) but got an error: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -keystore C:\remedy.optinet.net_cert.jks -storepass password -file C:/Thawte Primary Root CA.cer keytool error: java.lang.Exception: Input not an X.509 certificate Then I used the one I had exported from certmngr previously and it worked: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -keystore C:\remedy.optinet.net_cert.jks -storepass password -file C:\Thawte Primary Root CA_x.cer Owner: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US Issuer: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US Serial number: 344ed55720d5edec49f42fce37db2b6d Valid from: Fri Nov 17 02:00:00 CAT 2006 until: Thu Jul 17 01:59:59 CAT 2036 Certificate fingerprints: MD5: 8C:CA:DC:0B:22:CE:F5:BE:72:AC:41:1A:11:A8:D8:12 SHA1: 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81 Signature algorithm name: SHA1withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ Key_CertSign Crl_Sign ] #2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ : 7B 5B 45 CF AF CE CB 7A FD 31 92 1A 6A B6 F3 46 .[Ez.1..j..F 0010: EB 57 48 50 .WHP ] ] Trust this certificate? [no]: yes Certificate was added to keystore Then I attempted to import the intermediate certificate but got an error: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -keystore C:\remedy.optinet.net_cert.jks -storepass password -file C:\Thawte SSL CA_x.cer keytool error: java.lang.Exception: Certificate not imported, alias mykey already exists When you import, you should specify the -alias option so that you can control the alias given to the key that is imported. I don't think it really matters what you use for the alias so long as it is unique. That being said, something that accurately describes the key being imported is helpful. I think I've seen root and intermediate used before for importing CA root and intermediate certificates. Then I decided to add an “-alias” of “remedy.optinet.net”. I really don’t know if what I did here is correct but it seems to have worked: D:\Program Files (x86)\Java\jdk1.6.0_19\binkeytool -import -alias remedy.optinet.net -keystore C:\remedy.optinet.net_cert.jks -storepass password -file C:\Thawte SSL CA_x.cer Certificate was added to keystore So then I amended the server.xml file as follows: Connector executor=tomcatThreadPool port=80 protocol=HTTP/1.1 connectionTimeout=2 redirectPort=443 / !-- Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -- Connector port=443 maxHttpHeaderSize=8192 maxThreads=150 minSpareThreads=25 maxSpareThreads=75 enableLookups=false disableUploadTimeout=true acceptCount=100 scheme=https secure=true clientAuth=false sslProtocol=TLS keystoreFile=C:\remedy.optinet.net_cert.jks keystorePass=password keystoreType=jks protocol=HTTP/1.1 SSLEnabled=true URIEncoding=UTF-8/ Now, if you have a look at the screenshots below it seems as though all I have to do is get one of the Infrastructure guys to add “remedy.optinet.net” to DNS as an alias for the load balancer and this ought to work. Screenshots and other attachments do not make it through to the list. They get filtered out. Dan Let me know what you think. Kind Regards Melanie From: Melanie Snayer Sent: 24 March 2012 10:36 PM To: Tomcat Users List Subject: RE: configuring SSL for Tomcat with .pfx Hi Daniel Thanks so much for replying. So you mentioned that I ought to import the
Re: jdbc driver location in TC 7
Am Montag, den 26.03.2012, 05:30 -0600 schrieb Terence M. Bandoian: Apparently, Tomcat (6.0.29) takes care of that if the driver is located in the Tomcat lib directory but not if it is located in web application's lib directory. Tomcat does not take care afaik - the classloader is not the webapps classloader, so there is no leak to report. smime.p7s Description: S/MIME cryptographic signature
Re: AccessControlException when starting embedded Tomcat from Java Webstart
On 26/03/2012 12:43, Witoslaw Koczewski wrote: On 26/03/2012 11:12, Witoslaw Koczewski wrote: There's a file called catalina.policy in tomcat/conf, which has some rules in it. You'll need compare those rules to the ones implemented in the client's policy file to work out what you need to add. Since I am using embedded Tomcat, there is no catalina.policy :-( Can't I just disable the checks in Tomcat? Yes, by applying the policy rules in the client JVM (as detailed in catalina.policy). I have configured WebStart with securityall-permissions/, why do I need to define security rules for Tomcat? Does that directly equate to applying an all-permission policy in a .policy file? Shouldn't there be a switch in Tomcat to turn off this checks? Why? If you don't want the Security Manager, don't turn it on. It works perfectly when starting from executable JAR file - why not work the same way when starting from WebStart? Because WebStart turns on the Security Manager. Tomcat isn't doing anything extra special, it only checks permissions if the Security Manager is enabled. The following has details: http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html p Best regards, Witek --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature
Re: AccessControlException when starting embedded Tomcat from Java Webstart
Shouldn't there be a switch in Tomcat to turn off this checks? Why? If you don't want the Security Manager, don't turn it on. I don't, WebStart does. Usualy when I turn on a feature in software A, I don't expect it to affect software B. Logging for example can be configured separately. Does Tomcat use the same Security Manager as WebStart or does it just share the same switch? Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to false? Best regards, Witek, --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: AccessControlException when starting embedded Tomcat from Java Webstart
From: Witoslaw Koczewski [mailto:w...@koczewski.de] Subject: Re: AccessControlException when starting embedded Tomcat from Java Webstart Usualy when I turn on a feature in software A, I don't expect it to affect software B. You're not turning on a feature in an independent module; WebStart is changing the mode the JVM runs in. Does Tomcat use the same Security Manager as WebStart or does it just share the same switch? The SecurityManager is an attribute of the JVM, not of any particular set of classes loaded in that JVM. If the SecurityManager is enabled, all classes running inside that JVM have to live with it. Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to false? You're missing the point; Tomcat isn't the one enforcing this, the JVM is. Since you have chosen to operate in an environment that includes a SecurityManager, you must find the controlling policy file for that SecurityManager and make sure it includes all the permissions Tomcat needs (the ones in catalina.policy). - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessControlException when starting embedded Tomcat from Java Webstart
On 26/03/2012 15:46, Witoslaw Koczewski wrote: Shouldn't there be a switch in Tomcat to turn off this checks? Why? If you don't want the Security Manager, don't turn it on. I don't, WebStart does. Usualy when I turn on a feature in software A, I don't expect it to affect software B. You are (or WebStart is) turning the feature on *in the JVM*, not in some arbitrary class running inside the JVM. Logging for example can be configured separately. It is not comparable. Does Tomcat use the same Security Manager as WebStart or does it just share the same switch? It's not Tomcat, it's the JVM. Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to false? No. The access controls are distributed in the code. p Best regards, Witek, --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- [key:62590808] signature.asc Description: OpenPGP digital signature - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Tomcat 6.0.24 java emailing configuration problem
Hi, I finally figured out what went wrong. There is a third party .jar file under application/WEB-INF/lib. That jar file also contains javax.mail class. Thanks for your help. Wayne -Original Message- From: Pid * [mailto:p...@pidster.com] Sent: Sunday, March 25, 2012 3:47 AM To: Tomcat Users List Subject: Re: Tomcat 6.0.24 java emailing configuration problem On 25 Mar 2012, at 04:03, Huanyuan Sheng hy_sh...@hotmail.com wrote: When I run the application the server gives the following error: javax.mail.Session cannot be cast to javax.mail.Session. No email is sent. This is usually indicative of a classpath error - meaning that you have the class specified in two places on the classpath and Tomcat is selecting one of each, rather than the same one. The fact that you have symlinked jars all over the place is probably not helping. Download install a fresh version from tomcat.apache.org and start over. Make sure only one version of mail.jar exists in tomcat/lib and not anywhere else. p - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Access Log Valve invalid requests
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 André, On 3/23/12 12:58 PM, André Warnier wrote: Find him and shoot him. Or just firewall him out. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9wkz4ACgkQ9CaO5/Lv0PDFNwCcD5lKJ6NLnGDeU+6PiewMX5AU ro8An2OfzQaMmfpbb88GlnLIvWV4Wj4d =ufa/ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessControlException when starting embedded Tomcat from Java Webstart
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Pid, On 3/26/12 11:07 AM, Pid wrote: On 26/03/2012 15:46, Witoslaw Koczewski wrote: Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to false? No. The access controls are distributed in the code. Nor would it help. Tomcat isn't just doing those checks because it's playing nice: those checks (really attempts, not checks) are required in order to work under a SecurityManager. If those privileges actions weren't being used, those actions wouldn't work, anyway. Seriously, there's nothing Tomcat can do about this: you have to tweak the policy under which WebStart launches the JVM. I have no idea how to do that. You may not even be able to do that, otherwise a WebStart application could simply assert its rights to do anything it wanted, like delete all the files off your hard disk, or email a copy of your /etc/passwd file to the developer. WebStart runs under a SecurityManager to protect the user from things it doesn't want to allow. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9wmHoACgkQ9CaO5/Lv0PA0JACcDcB0tpqBnJrOoKWx2aCy6GkU /HkAniTuTBP7Ly7x6RSTuyVl37kcAszQ =xtcD -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessControlException when starting embedded Tomcat from Java Webstart
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Witoslaw, On 3/26/12 12:25 PM, Christopher Schultz wrote: I have no idea how to do [customize the policy]. Looks like you can't: http://lopica.sourceforge.net/faq.html#policy You could try separately signing the Tomcat JAR files yourself and see what happens. You haven't described your class loading strategy. For example, have you tried expanding *all* the JAR files that ship with Tomcat and then re-assembling them into your single kunagi.jar? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9wmXMACgkQ9CaO5/Lv0PA6vQCfQ5xLZrCF2lQEcN0I9y5H17q7 WZcAnjq4RSfUiZ73sns+vIVQ9HPYRweW =CeCU -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: how to enable debug logging for Tomcat jdbc pool (Tomcat 6.0.32)
On Friday I tried to recreate this issue using iptables (to block all outgoing traffic to 3306) but was still unable to recreate it. After unblocking 3306 the pool would eventually recover and create new connections. So I still do not understand why it was necessary to restart Tomcat to resolve the original problem. Since I cannot recreate the problem the best I can do is adjust some settings to help evaluate it if (when) it happens again in the future. 1. Turn on the 'abanonded' settings per your suggestions so I can see if the app is actually leaking connections. 2. Turn up pool logging to FINE. When a connection attempt times out or fails it logs at this level. 3. Possibly enable connect and TCP read timeouts on the mysql jdbc driver. Per the docs they are 'infinite' by default, but I think lower timeouts would help to detect network/firewall problems more quickly. And I'm writing a script to perform stack traces, heap dumps, lsof for open files, etc., to run on the jvm process before restarting in the event this happens again. Who knows, maybe the problem was 1 open sockets or something. Thank you for your time looking into this. I appreciate it. Regards, Colin Thank you Filip for all your help. On Thu, Mar 22, 2012 at 9:39 PM, Filip Hanik Mailing Lists devli...@hanik.com wrote: Pretty much you're guaranteed to have a network problem at that point. You see Java caches DNS translations forever, and yanking VPN like that may change around IPs but the JVM is not aware of that. Wireshark would tell you that. Now relying in VPN is never a good thing, but maybe it's required. You could try 1. Use IP instead of host name in your jdbc URL 2. Configure the JRE to not cache dns lookups, (network.properties) The error you see tells you that: 1. The pool doesn't have any idle established connections idle=0 2. The pool doesn't have any connections used by other threads busy=0 3. There is currently 1 thread trying to activate a connection size=1. The size is an atomic counter to protect against overuse in a lock free way. Filip Hi Filip, Today I have been trying to recreate the issue by disconnecting from the vpn, as: 1. Start app. Pool creates some connections via the vpn. 2. Test app a bit to execute sql queries. 3. Shut down the vpn 4. Force some more queries. Predictably, connections fail and exceptions show up in the logs. 5. Restore vpn connection 6. Check if pool creates new connections, which it does not. I also upgraded to the latest pool available in maven central: tomcat-jdbc-7.0.26.jar I understand this could still be a connection leak in my application. But the new pool version logs an error I don't understand: ... stack trace ... Caused by: java.sql.SQLException: [scheduler-low-1] Timeout: Pool empty. Unable to fetch a connection in 10 seconds, none available[size:1; busy:0; idle:0; lastwait:1]. ... more trace ... The relevant part of my current pool DataSource configuration: removeAbandonedTimeout=10 removeAbandoned=true logAbandoned=true defaultAutoCommit=false maxActive=1 maxIdle=1 minIdle=1 maxWait=1 testOnBorrow=true validationQuery=SELECT 1 I also have yet to see any abandoned log messages. Should the pool always have at least 1 busy or idle connection? If not would it create another? Thanks, Colin On Thu, Mar 22, 2012 at 11:11 AM, Filip Hanik Mailing Lists devli...@hanik.com wrote: Ultimately tho I'd still like to see some debug logging from the pool itself. Is there a simple way to turn it on? not to the problem you are looking at. if a connection got taken out of the pool, and it passed validation, then everything is ok. at this point the SQLException you get has all the data, and the problem is probably at the network level the fact that you see that for 2 hours and problem goes away with restart, that can only be the app holding on to the flawed connection, cause there would have been several validations during the 2 hour period :) I think there is a loop somewhere that when it fails it just retries and retries, logAbandoned will show that though. Filip - Original Message - From: Colin Ingarfield colin...@gmail.com To: Tomcat Users List users@tomcat.apache.org Sent: Thursday, March 22, 2012 8:06:14 AM Subject: Re: how to enable debug logging for Tomcat jdbc pool (Tomcat 6.0.32) Ah, Wireshark. My friend calls it the universal debugger. :) I will set the validation interval to 1 and keep an eye on the network to see what's going on. I may also install MySql locally so I can kill it easily to try and simulation connection timeouts. I won't really feel this is resolved until I can recreate the original issue. Thanks, Colin On Wed, Mar 21, 2012 at 11:20 AM, Filip Hanik Mailing Lists devli...@hanik.com wrote: it will take a while to see the abandoned log. I'm
Re: partial response from non-browser clients
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Serdyn, On 3/23/12 11:26 AM, Serdyn du Toit wrote: The client code was first in Jersey (jersey.java.net), then written in plain Java, and then using Apache HttpComponents (hc.apache.org). All versions of client code hanged. Could you try using this little utility I wrote? http://www.christopherschultz.net/projects/java/URLFetch.java Let me know if that works. If it fails, please send me a thread dump of the hung process and a wireshark dump of the HTTP conversation. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9woLwACgkQ9CaO5/Lv0PDA8QCeNTcwtbt3pIODkAWcfNKL69jl 5hMAn1nBooVh7gepdGVsuioqP39OqPMt =uq8o -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: partial response from non-browser clients
Hi, I bet this issue has to do with the client not sending the proper Accepts header info and the rest resource does not see it as appropriate. Apparently jQuery is not doing the 'right thing'. I recently had this issue. My working example of a jQuery function for a conditional get looks like: conditionalGet: function(contentType, path, options, success) { var accepts = {} , headers = {}; switch(contentType) { case html: accepts.html = text/html; headers[Accept] = text/html; charset=utf-8; headers[Content-Type] = text/html; charset=utf-8; break; case xml: accepts.xml = application/xml; accepts.text = text/xml; headers[Accept] = application/xml; charset=utf-8; headers[Content-Type] = application/xml; charset=utf-8; break; case json: accepts.json = application/json; accepts.text = text/plain; headers[Accept] = application/xhtml+xml; charset=utf-8; headers[Content-Type] = application/xhtml+xml; charset=utf-8; break; } var ajaxOptions = { accepts: accepts , headers: headers , cache: true , dataType: 'xml' , error: function(jqXHR, textStatus, errorThrown) { console.error('jqXHR: ', jqXHR); console.error('textStatus: ', textStatus); console.error('errorThrown: ', errorThrown); } , ifModified: true , statusCode: { 404: function() { alert('The requested file was not found at: \n\n' + path); } ,304: function() { //console.log('Getting from cache...'); success(_cache[path]); } } , success: function(data, textStatus, jqXHR) { if (data !== undefined) { _cache[path] = data; success(data); } } , url: path }; $.extend(true, ajaxOptions, options); $.ajax(ajaxOptions); } On Mon, Mar 26, 2012 at 10:00 AM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Serdyn, On 3/23/12 11:26 AM, Serdyn du Toit wrote: The client code was first in Jersey (jersey.java.net), then written in plain Java, and then using Apache HttpComponents (hc.apache.org). All versions of client code hanged. Could you try using this little utility I wrote? http://www.christopherschultz.net/projects/java/URLFetch.java Let me know if that works. If it fails, please send me a thread dump of the hung process and a wireshark dump of the HTTP conversation. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9woLwACgkQ9CaO5/Lv0PDA8QCeNTcwtbt3pIODkAWcfNKL69jl 5hMAn1nBooVh7gepdGVsuioqP39OqPMt =uq8o -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: chunked encoding
On 25.03.2012 23:55, Alex Samad - Yieldbroker wrote: -Original Message- From: Pid [mailto:p...@pidster.com] Sent: Monday, 26 March 2012 8:47 AM To: Tomcat Users List Subject: Re: chunked encoding On 25/03/2012 08:54, Alex Samad - Yieldbroker wrote: [snip] 1. http://en.wikipedia.org/wiki/Chunked_transfer_encoding 2. RFC 2616 (the specification of HTTP/1.1 protocol) Thanks, I had also hoped to get a bit of debate on the !experimental! nature of it in the connector What makes you think it's experimental? The documentation enable_chunked_encoding A string value representing a boolean. If it is set to true, chunked encoding is supported by the server. A true value can be represented by the string 1 or any string starting with the letters T or t. A false value will be assumed for 0 or any string starting with F or f. The default value is false. This option is considered experimental and its support must be compile time enabled. Use isapi_redirect.dll with chunked support enabled. This directive has been added in version 1.2.27 The feature was contributed by Tim and does no longer need a specially compiled binary since the change r910424 done by Mladen (released in version 1.2.30). Some minor bugs concerning chunking have been fixed since then. I'd say we no longer consider this experimental, the docs just haven't been updated correctly. Will do right now (but this will usualy not become publically visible before the next release). Thanks for the question / hint. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: AccessControlException when starting embedded Tomcat from Java Webstart
For example, have you tried expanding *all* the JAR files that ship with Tomcat and then re-assembling them into your single kunagi.jar? This is exactly what I do. And my JNLP requires all-permissions. My application can open ports, read and delete all files - but not start the embedded Tomcat I have signed :-( Best regards, Witek - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9wmXMACgkQ9CaO5/Lv0PA6vQCfQ5xLZrCF2lQEcN0I9y5H17q7 WZcAnjq4RSfUiZ73sns+vIVQ9HPYRweW =CeCU -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --- http://koczewski.de - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{-64, -88, 3, 16}:4000;
My replies are buried in the middle. I'll surround them with = Question === /mde/ - Original Message - From: Dhaval Jaiswal dhaval.jais...@via.com To: Tomcat Users List users@tomcat.apache.org Cc: Sent: Monday, March 26, 2012 3:33 AM Subject: org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{-64, -88, 3, 16}:4000; Hi List, Below is my server.xml configuration for session replication. Cluster className=org.apache.catalina.ha.tcp.SimpleTcpCluster channelSendOptions=6/ Manager className=org.apache.catalina.ha.session.BackupManager expireSessionsOnShutdown=false notifyListenersOnReplication=true mapSendOptions=6/ Channel className=org.apache.catalina.tribes.group.GroupChannel Membership className=org.apache.catalina.tribes.membership.McastService address=192.168.3.14 port=45564 frequency=500 dropTime=3/ Receiver className=org.apache.catalina.tribes.transport.nio.NioReceiver address=auto port=5000 selectorTimeout=5000 timeout=6 maxThreads=6/ Sender className=org.apache.catalina.tribes.transport.ReplicationTransmitter Transport className=org.apache.catalina.tribes.transport.nio.PooledParallelSender timeout=6 keepAliveCount=0/ /Sender Interceptor className=org.apache.catalina.tribes.group.interceptors.TcpFailureDetector/ Interceptor className=org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor/ Interceptor className=org.apache.catalina.tribes.group.interceptors.ThroughputInterceptor/ /Channel Valve className=org.apache.catalina.ha.tcp.ReplicationValve filter=.*\.gif|.*\.js|.*\.jpeg|.*\.jpg|.*\.png|.*\.htm|.*\.html|.*\.css|.*\.txt/ = Question === Don't you need another Valve at this point? All of my (admittedly small, default) configurations have the following Valve in the Cluster configuration: Valve className=org.apache.catalina.ha.session.JvmRouteBinderValve/ Each engine then gets a unique jvmRoute=someName which matches the AJP worker name that the particular Tomcat talks to. The worker name is in workers.properties (/etc/httpd/conf.d/workers.properties on my Fedora 15 and CentOS 5.8 systems). I don't know for certain since I've not worked with the backup manager. = Question === ClusterListener className=org.apache.catalina.ha.session.ClusterSessionListener/ = Question === Don't you need another ClusterListener at this point? All of my (admittedly small, default) configurations have the following ClusterListener at the end: ClusterListener className=org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener/ I will also assume that you missed copying the closing /Cluster tag from your server.xml. = Question === We are continuously getting following logging in our catalina.out. Can any one explain me why it is saying Operation has timed out(3000 ms.) How do i resolve it. I have searched the archive mail change the setting according to it. However, no luck. Server is getting high load after adding session replication for backup manager. Your valuable response will be highly appreciated. SEVERE: Unable to send message through cluster sender. org.apache.catalina.tribes.ChannelException: Operation has timed out(3000 ms.).; Faulty members:tcp://{-64, -88, 3, 16}:4000; at org.apache.catalina.tribes.transport.nio.ParallelNioSender.sendMessage(ParallelNioSender.java:97) at org.apache.catalina.tribes.transport.nio.PooledParallelSender.sendMessage(PooledParallelSender.java:53) at org.apache.catalina.tribes.transport.ReplicationTransmitter.sendMessage(ReplicationTransmitter.java:80) at org.apache.catalina.tribes.group.ChannelCoordinator.sendMessage(ChannelCoordinator.java:78) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.TcpFailureDetector.sendMessage(TcpFailureDetector.java:87) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor.sendMessage(MessageDispatchInterceptor.java:73) at org.apache.catalina.tribes.group.ChannelInterceptorBase.sendMessage(ChannelInterceptorBase.java:75) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:216) at org.apache.catalina.tribes.group.GroupChannel.send(GroupChannel.java:175) at
Re: tomcat jdbc pool
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 S Ahmed, On 3/25/12 6:57 PM, S Ahmed wrote: Why would you want to use a future? Say in a web application, I can't really think of a reason why I would use the future (asych) connection retrieval pattern. The # of connections is always fixed, I guess in a very high traffic environment where the # of connections is the pool are used up, calling via a future will block he request until a connection frees up right? Could you also do this: Send a sql query to the pool that you want to execute in the beginning of the page, but you don't really care about the return value until the end so you can let it go and then at the bottom you call .get(), is that possible? Uh, what? - -chris -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9w29UACgkQ9CaO5/Lv0PBBqQCgvpUJ8hmnWID+nJU8iIcVYB1h B1sAn0l+DvVpvAWcgemMD+oPfljdU1Dx =1eV+ -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
What is the right way to share resources across contexts?
Apologies if this has been covered before. I did a search of google and the mailing list archives, and while I found a few threads that danced around this topic [1], none of them seemed fully applicable. Following up on Mark Thomas's advice in my duplicate bug-filing at [2], what is the right way to share static assets across contexts and between servers running tomcat? Additional information: We're running 7.0.16 on RHEL 6.1, using java 1.6.0_20. In violation of the servlet specification, we symlinked external client assets directly into the exploded WAR, and then got burned by ExpandWar.java's recursive delete method described in [3]. We're now refactoring this legacy code but would love some advice on the best, most canonical way to approach the problem. [1] http://mail-archives.apache.org/mod_mbox/tomcat-users/201003.mbox/%3c99c8b2929b39c24493377ac7a121e21f96cb680...@usea-exch8.na.uis.unisys.com%3E [2] https://issues.apache.org/bugzilla/show_bug.cgi?id=52988#c1 [3] https://issues.apache.org/bugzilla/show_bug.cgi?id=52988#c0 -- Christopher Tiwald - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: What is the right way to share resources across contexts?
From: Christopher Tiwald [mailto:ctiw...@salsalabs.com] Subject: What is the right way to share resources across contexts? what is the right way to share static assets across contexts and between servers running tomcat? One easy way is to place the static resources under one or more unique Contexts, with the location of the assets outside of Tomcat's directory space. Create a conf/Catalina/[host]/[staticName].xml file containing a Context element with a docBase attribute pointing to the location of the resources. Tomcat's standard DefaultServlet will deliver them to clients automatically. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org