Re: SSl Query-- please help

2012-10-22 Thread André Warnier

vicky007aggar...@yahoo.co.in wrote:

 All/Andre,

  You could probably do this using mod_proxy_http instead of mod_jk (and a HTTPS Connector in
  Tomcat).  But you should then also accept the overhead.

 Queries :

 1. Based on above comment does that mean I can use mod_proxy module in order to
 have ssl communication between apache & tomcat???

I think so, but you'd have to check that with the Apache documentation.

 2. Load balancing won't work using mod_proxy, correct ??

Wrong.  Look at the Apache documentation, mod_proxy_balancer

 3. What overhead are you talking about in setting up mod_proxy for ssl
 communication between apache & tomcat

Setting it up is not the overhead problem. The overhead is because :

browser - HTTPS - Apache - HTTPS - Tomcat.

meaning :
- the browser encrypts (you don't care)
- Apache decrypts (overhead, but unavoidable)
- Apache encrypts (overhead, avoidable)
- Tomcat decrypts (overhead, avoidable)

and that is for every single request and response.
It's ok if you do not expect a lot of traffic.  But since you are talking load-balancing,
you may expect a lot of traffic.

 Thanks,
 Vicky

 On Oct 22, 2012, at 1:30 AM, Christopher Schultz ch...@christopherschultz.net
 wrote:



  Vivek,

  On 10/20/12 2:22 AM, vivek aggarwal wrote:

   I need to setup the SSL over my tomcat, which I am able to do
   by generating Self signed certificate using Keytool

  Good.

   But when I am redirecting the request from apache using mod_jk
   module its not working.

  What part doesn't work?

   I am not sure how to make Apache & Tomcat work in SSL when using
   Mod_jk module as I need load balancing

  mod_jk does not support SSL communication between httpd - Tomcat:
  you'll have to terminate SSL at the httpd level. If you want to
  encrypt the traffic between httpd and Tomcat, you'll need to use a
  VPN, ssh tunnel or stunnel (which is just an automated ssh tunnel).

   Can someone please share the steps for doing ssl setup when apache
   is used along with Tomcat

  Have you been able to get httpd working with SSL? Once you do that,
  everything else should be straightforward (not that getting httpd
  working with SSL is at all difficult).

  Just be aware that httpd doesn't use Java keystores, so you'll need to
  create your keys and certificates using 'openssl' from the
  command-line instead of working with 'keytool'.

  -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






any servlets to implement sort of a google-play-like functionality for android and other types of mobile devices?

2012-10-22 Thread Albretch Mueller
~
 apache tomcat and other servlet engines would easily do java web
start apps based on JNLP and there are servlet engines running -on-
Android:
~
 http://code.google.com/p/i-jetty/
~
 but I wanted to actually serve Android-based and other mobile devices
as you would do with PC's running different types of browsers and
operating systems
~
 Are we there yet?
~
 thanks
 lbrtchx




Re: any servlets to implement sort of a google-play-like functionality for android and other types of mobile devices?

2012-10-22 Thread André Warnier

Albretch Mueller wrote:

~
 apache tomcat and other servlet engines would easily do java web
start apps based on JNLP and there are servlet engines running -on-
Android:
~
 http://code.google.com/p/i-jetty/
~
 but I wanted to actually serve Android-based and other mobile devices
as you would do with PC's running different types of browsers and
operating systems
~
 Are we there yet?
~

Hi.

Due to what I believe is largely temporary fad-like marketing pressure, I am quite 
interested in the general subject myself, but I do not understand your question.

What is it precisely that you would want Tomcat to do (that it does not yet do 
currently) ?

If some app on some device makes a TCP connection to a Tomcat server, and then talks 
HTTP with it, Tomcat will handle this fine.  And if this app then requests a particular 
context (webapp) in Tomcat, and they understand each other, everything should work also as 
expected. So what is the issue ?


Or am I missing something ?






Re: any servlets to implement sort of a google-play-like functionality for android and other types of mobile devices?

2012-10-22 Thread Darryl Lewis
I think he is asking is it possible to run tomcat ON Android and IOS.

With IOS, IMHO no, as the Apple TOS forbids running other languages or
emulations.



On 22/10/12 8:23 PM, André Warnier a...@ice-sa.com wrote:

Albretch Mueller wrote:
 ~
  apache tomcat and other servlet engines would easily do java web
 start apps based on JNLP and there are servlet engines running -on-
 Android:
 ~
  http://code.google.com/p/i-jetty/
 ~
  but I wanted to actually serve Android-based and other mobile devices
 as you would do with PC's running different types of browsers and
 operating systems
 ~
  Are we there yet?
 ~
Hi.

Due to what I believe is largely temporary fad-like marketing pressure, I
am quite 
interested in the general subject myself, but I do not understand your
question.
What is it precisely that you would want Tomcat to do (that it does not
yet do currently) ?

If some app on some device makes a TCP connection to a Tomcat server,
and then talks 
HTTP with it, Tomcat will handle this fine.  And if this app then
requests a particular
context (webapp) in Tomcat, and they understand eachother, everything
should work also as
expected. So what is the issue ?

Or am I missing something ?






Re: Thread related MBean questions

2012-10-22 Thread Shanti Suresh
Hi Pid,



 Which MBean are you reading that on?


Name: java.lang:type=Threading
modelerType: sun.management.ThreadImpl
ThreadAllocatedMemoryEnabled: true
ThreadAllocatedMemorySupported: true
ThreadContentionMonitoringEnabled: false
DaemonThreadCount: 84
...


 Tomcat has lots of MBeans and more than one way to create a thread pool.
 The JVM has threads and can contain multiple thread pools.


Yes, for sure.  Thanks.


 Yes, as of Tomcat 6.0.x, without an Executor the Connectors will have a
 pool each, and this will not decrease in size when idle.


Thanks for confirming.  I will put an Executor pool in place.

  -Shanti


tomcat question

2012-10-22 Thread Wiley, Maxie
ALL,

Is it possible to remove an installation of a compiler on a production web 
server (tomcat)? If there is a way to remove the compiler or is it required in 
order for the system to function properly.  Could you please send me a precise 
summary of why and any steps that can be taken to mitigate any potential risk 
associated with the compiler remaining in place. This is for a security issue on 
my production system.


Thanks for your time and support!
Maxie Wiley III




RE: Thread related MBean questions

2012-10-22 Thread Wiley, Maxie
All,

All,

Is it possible to remove an installation of a compiler on a production web 
server(tomcat)? If there is a way to remove the compiler or is it required in 
order for the system to function properly.  Could you please send me a  precise 
summary of why and any steps that can be taken to mitigate any potential risk 
associated with the compiler remaining in place.

This is for s security issue on my production system. My email is: 
maxie.wi...@serco-na.com

Thanks for your time and support!
Maxie Wiley III, Serco Inc

-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu] 
Sent: Monday, October 22, 2012 9:17 AM
To: Tomcat Users List
Subject: Re: Thread related MBean questions

Hi Pid,



 Which MBean are you reading that on?


Name: java.lang:type=Threading
modelerType: sun.management.ThreadImpl
ThreadAllocatedMemoryEnabled: true
ThreadAllocatedMemorySupported: true
ThreadContentionMonitoringEnabled: false
DaemonThreadCount: 84
...


 Tomcat has lots of MBeans and more than one way to create a thread pool.
 The JVM has threads and can contain multiple thread pools.


Yes, for sure.  Thanks.


 Yes, as of Tomcat 6.0.x, without an Executor the Connectors will have a
 pool each, and this will not decrease in size when idle.


Thanks for confirming.  I will put an Executor pool in place.

  -Shanti




Re: tomcat question

2012-10-22 Thread André Warnier

Wiley, Maxie wrote:

ALL,

Is it possible to remove an installation of a compiler on a production web 
server(tomcat)? If there is a way to remove the compiler or is it required in 
order for the system to function properly.  Could you please send me a  precise 
summary of why and any steps that can be taken to mitigate any potential risk 
associated with the compiler remaining in place.This is for s security issue on 
my production system.



Certainly.  As soon as you tell us how much you are willing to pay for such a 
comprehensive analysis and report.







RE: Thread related MBean questions

2012-10-22 Thread Caldarale, Charles R
 From: Wiley, Maxie [mailto:maxie.wi...@serco-na.com] 
 Subject: RE: Thread related MBean questions

 All,

Don't hijack threads.  Start a completely new thread for a new topic.

 - Chuck






Re: tomcat question

2012-10-22 Thread Jose María Zaragoza
2012/10/22 André Warnier a...@ice-sa.com:
 Wiley, Maxie wrote:


 Is it possible to remove an installation of a compiler on a production web
 server(tomcat)?

Jasper?




RE: tomcat question

2012-10-22 Thread Wiley, Maxie
Hello Andre,

Is it possible to remove an installation of a compiler on a production web 
server(tomcat?). How can/where can I find out more information on this issue?


Thanks

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, October 22, 2012 9:22 AM
To: Tomcat Users List
Subject: Re: tomcat question

Wiley, Maxie wrote:
 ALL,
 
 Is it possible to remove an installation of a compiler on a production web 
 server(tomcat)? If there is a way to remove the compiler or is it required in 
 order for the system to function properly.  Could you please send me a  
 precise summary of why and any steps that can be taken to mitigate any 
 potential risk associated with the compiler remaining in place.This is for s 
 security issue on my production system.
 

Certainly.  As soon as you tell us how much you are willing to pay for such a 
comprehensive analysis and report.






RE: tomcat question

2012-10-22 Thread Wiley, Maxie
Remove the tomcat compiler?

-Original Message-
From: Jose María Zaragoza [mailto:demablo...@gmail.com] 
Sent: Monday, October 22, 2012 9:25 AM
To: Tomcat Users List
Subject: Re: tomcat question

2012/10/22 André Warnier a...@ice-sa.com:
 Wiley, Maxie wrote:


 Is it possible to remove an installation of a compiler on a 
 production web server(tomcat)?

Jasper?




Re: Thread related MBean questions

2012-10-22 Thread André Warnier

And while you're at it :

1) http://www.catb.org/esr/faqs/smart-questions.html
2) don't top-post
3) don't hijack threads

Wiley, Maxie wrote:

All,

All,

Is it possible to remove an installation of a compiler on a production web 
server(tomcat)? If there is a way to remove the compiler or is it required in 
order for the system to function properly.  Could you please send me a  precise 
summary of why and any steps that can be taken to mitigate any potential risk 
associated with the compiler remaining in place.

This is for s security issue on my production system. My email is: 
maxie.wi...@serco-na.com

Thanks for your time and support!
Maxie Wiley III, Serco Inc

-Original Message-
From: Shanti Suresh [mailto:sha...@umich.edu] 
Sent: Monday, October 22, 2012 9:17 AM

To: Tomcat Users List
Subject: Re: Thread related MBean questions

Hi Pid,




Which MBean are you reading that on?



Name: java.lang:type=Threading
modelerType: sun.management.ThreadImpl
ThreadAllocatedMemoryEnabled: true
ThreadAllocatedMemorySupported: true
ThreadContentionMonitoringEnabled: false
DaemonThreadCount: 84
...


 Tomcat has lots of MBeans and more than one way to create a thread pool.

The JVM has threads and can contain multiple thread pools.



Yes, for sure.  Thanks.


 Yes, as of Tomcat 6.0.x, without an Executor the Connectors will have a

pool each, and this will not decrease in size when idle.



Thanks for confirming.  I will put an Executor pool in place.

  -Shanti




RE: tomcat question

2012-10-22 Thread Jeffrey Janner
 -Original Message-
 From: Wiley, Maxie [mailto:maxie.wi...@serco-na.com]
 Sent: Monday, October 22, 2012 8:18 AM
 To: users-subscr...@tomcat.apache.org; users@tomcat.apache.org
 Subject: tomcat question
 
 ALL,
 
 Is it possible to remove an installation of a compiler on a production
 web server(tomcat)? If there is a way to remove the compiler or is it
 required in order for the system to function properly.  Could you
 please send me a  precise summary of why and any steps that can be
 taken to mitigate any potential risk associated with the compiler
 remaining in place.This is for s security issue on my production
 system.
 
 
 Thanks for your time and support!
 Maxie Wiley III
 
Try it on a test system and see what happens.





Re: tomcat jdbc

2012-10-22 Thread S Ahmed
I was thinking of using this: https://github.com/codahale/metrics

Much easier to have this keep track of stats, and not having to rely on
jconsole just to get in insight.

On Fri, Oct 19, 2012 at 5:37 PM, Pid p...@pidster.com wrote:

 On 19/10/2012 16:18, Daniel Mikusa wrote:
  On Oct 18, 2012, at 2:51 PM, S Ahmed wrote:
 
  Hi,
 
  When using the jdbc connection pool library, would it be possible to
  somehow record the # of connections that are being used,
  when the # of connections in the pool are being saturated etc., or is
 that something that
  would have to be modified in the library itself?
 
  The connection pool publishes some statistics to JMX.  An easy way to
 see them is connect with jconsole.  If you need more advanced statistics,
 you could check / monitor them programmatically or use an existing
 monitoring tool.

 +1  Use VisualVM with the MBeans plugin or JConsole.


 p

  Dan
 
 
 
  i.e. assuming I have can keep track of these counters, is there a way to
  monitor these events in the library or would the jdbc library itself
 need
  to be modified to expose these events?
 
 
 
 


 --

 [key:62590808]




Re: tomcat jdbc

2012-10-22 Thread Daniel Mikusa
On Oct 22, 2012, at 10:37 AM, S Ahmed wrote:

 I was thinking of using this: https://github.com/codahale/metrics
 
 Much easier to have this keep track of stats, and not having to rely on
 jconsole just to get in insight.

It sounds like you want a formal monitoring and metric solution.  There are 
several open source and commercial software packages that will do this for you. 
 Most of them should support Tomcat and give you the facilities to monitor your 
connection pools.  

The popular open source tool in this category that comes to mind is Nagios.

Dan



 On Fri, Oct 19, 2012 at 5:37 PM, Pid p...@pidster.com wrote:
 
 On 19/10/2012 16:18, Daniel Mikusa wrote:
 On Oct 18, 2012, at 2:51 PM, S Ahmed wrote:
 
 Hi,
 
 When using the jdbc connection pool library, would it be possible to
 somehow record the # of connections that are being used,
 when the # of connections in the pool are being saturated etc., or is
 that something that
 would have to be modified in the library itself?
 
 The connection pool publishes some statistics to JMX.  An easy way to
 see them is connect with jconsole.  If you need more advanced statistics,
 you could check / monitor them programmatically or use an existing
 monitoring tool.
 
 +1  Use VisualVM with the MBeans plugin or JConsole.
 
 
 p
 
 Dan
 
 
 
 i.e. assuming I have can keep track of these counters, is there a way to
 monitor these events in the library or would the jdbc library itself
 need
 to be modified to expose these events?
 
 
 
 
 
 
 --
 
 [key:62590808]
 
 





Two (different) issues with Tomcat 7.0.32 AJP-APR and AJP-NIO connectors

2012-10-22 Thread verlag.preis...@t-online.de
Hi all,

I'm running Tomcat 7.0.32 with Java 1.7.0_09 (64-bit) on Windows Server 2008 R2 
(64-bit), behind IIS 7.5 with ISAPI Redirector 1.2.37. For the AJP connection, 
I used the AJP-APR connector (with Tomcat Native 1.1.24).

1) This worked perfectly fine since the initial setup of the server 3 months 
ago (however with lower version numbers of Tomcat and Java), but 3 days ago, 
suddenly the JVM crashed, with following crash report:

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc005) at pc=0x7160e291, pid=4028, 
tid=4060
#
# JRE version: 7.0_09-b05
# Java VM: Java HotSpot(TM) 64-Bit Server VM (23.5-b02 mixed mode windows-amd64 
compressed oops)
# Problematic frame:
# V  [jvm.dll+0xae291]
#
# Core dump written. Default location: D:\tomcat7\bin\hs_err_pid4028.mdmp
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.sun.com/bugreport/crash.jsp
#

---  T H R E A D  ---

Current thread (0x00feb800):  GCTaskThread [stack: 
0x0481,0x0491] [id=4060]

siginfo: ExceptionCode=0xc005, reading address 0x

[...]

Stack: [0x0481,0x0491],  sp=0x0490fa70,  free 
space=1022k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [jvm.dll+0xae291]


At a first glance this seems like a JVM bug (as the current thread is 
GCTaskThread), but when I googled for it, most sources say that this is mostly 
caused by bugs in JNI code / a library that uses JNI [1].
So maybe this is a problem with the Tomcat Native library (which is the only 
native library that I'm using)? Unfortunately, as this is the first JVM crash 
in three months, this problem seems not to be very reproducible (or e.g. a 
change in the recent Java versions could have triggered this).

Unfortunately, for me this means that I have to consider the APR connectors on 
64-bit Windows as broken (at least for the time being), and therefore I 
switched to the NIO/BIO ones and removed the TC native library. If I will get a 
JVM crash again, then this would probably mean that it was not the fault of the 
TC native library. ;)

2.) After I switched to the AJP-NIO connector, I got the following stacktrace 
in catalina.log:
Okt 20, 2012 2:58:51 PM org.apache.coyote.ajp.AjpNioProcessor process
SEVERE: Error processing request
java.nio.BufferOverflowException
    at java.nio.HeapByteBuffer.put(HeapByteBuffer.java:183)
    at org.apache.coyote.ajp.AjpNioProcessor.output(AjpNioProcessor.java:281)
    at org.apache.coyote.ajp.AbstractAjpProcessor$SocketOutputBuffer.doWrite(AbstractAjpProcessor.java:1122)
    at org.apache.coyote.Response.doWrite(Response.java:504)
    at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:383)
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:462)
    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:334)
    at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:283)
    at org.apache.catalina.connector.Response.finishResponse(Response.java:514)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:434)
    at org.apache.coyote.ajp.AjpNioProcessor.process(AjpNioProcessor.java:184)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)

Maybe this could be related to bug 53119 [2] (the stack traces look very 
similar)? (However I have not yet tried if this is reproducible with the given 
testcase - when I tested it back then with Tomcat 7.0.27's AJP-NIO connector, I 
could not reproduce the error).
So, currently I have switched to the AJP-BIO connector.


Thanks!

Regards,
Konstantin Preißer

[1] https://forums.oracle.com/forums/thread.jspa?threadID=1540042
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=53119






Re: tomcat jdbc

2012-10-22 Thread Pid
On 22/10/2012 15:37, S Ahmed wrote:
 I was thinking of using this: https://github.com/codahale/metrics
 
 Much easier to have this keep track of stats, and not having to rely on
 jconsole just to get in insight.

Why is it easier to instrument Tomcat's code than to just use the JMX
info that's already exposed?

VisualVM & JConsole are not monitoring tools, they just display the info
that's already exposed.  Strongly recommend you at least familiarise
yourself with what's in the Tomcat MBeans before you proceed.


p

 On Fri, Oct 19, 2012 at 5:37 PM, Pid p...@pidster.com wrote:
 
 On 19/10/2012 16:18, Daniel Mikusa wrote:
 On Oct 18, 2012, at 2:51 PM, S Ahmed wrote:

 Hi,

 When using the jdbc connection pool library, would it be possible to
 somehow record the # of connections that are being used,
 when the # of connections in the pool are being saturated etc., or is
 that something that
 would have to be modified in the library itself?

 The connection pool publishes some statistics to JMX.  An easy way to
 see them is connect with jconsole.  If you need more advanced statistics,
 you could check / monitor them programmatically or use an existing
 monitoring tool.

 +1  Use VisualVM with the MBeans plugin or JConsole.


 p

 Dan



 i.e. assuming I have can keep track of these counters, is there a way to
 monitor these events in the library or would the jdbc library itself
 need
 to be modified to expose these events?






 --

 [key:62590808]


 


-- 

[key:62590808]





Re: tomcat question

2012-10-22 Thread Pid
On 22/10/2012 14:18, Wiley, Maxie wrote:
 ALL,
 
 Is it possible to remove an installation of a compiler on a production web 
 server(tomcat)? If there is a way to remove the compiler or is it required in 
 order for the system to function properly.  Could you please send me a  
 precise summary of why and any steps that can be taken to mitigate any 
 potential risk associated with the compiler remaining in place.This is for s 
 security issue on my production system.

Why does this enhance security?

If someone has sufficient access to the machine to use the compiler
shipped with Tomcat, you are already in a lot more trouble than they
will be able to inflict just by having access to Tomcat's JDT compiler.


p



-- 

[key:62590808]





RE: tomcat question

2012-10-22 Thread Adamus, Steven J.
Maxie, 

You're probably referring to a DoD or similar security requirement. In
the Web Server STIG, Rule ID SV-2236r8 says, "Installation of compilers
on production web server is prohibited." The explanation provided is,
"The presence of a compiler on a production server facilitates the
malicious user's task of creating custom versions of programs and
installing Trojan Horses or viruses. For example, the attacker's code
can be uploaded and compiled on the server under attack."

There are exceptions to this rule. The same STIG says, "This check does
not prohibit the use of the .Net Framework or the Java compiler for
Oracle," and "An exception is the Java Development Kit installed in
conjunction with a WebSphere service or Java Server Page (JSP)."

You need to push back and tell your Security Auditors that the Java and
Jasper compilers are required for Tomcat. Provide any documentation they
require. 

Steve


-Original Message-
From: users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org
[mailto:users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org]
On Behalf Of Wiley, Maxie
Sent: Monday, October 22, 2012 6:18 AM
To: users-subscr...@tomcat.apache.org; users@tomcat.apache.org
Subject: tomcat question

ALL,

Is it possible to remove an installation of a compiler on a production
web server(tomcat)? If there is a way to remove the compiler or is it
required in order for the system to function properly.  Could you please
send me a  precise summary of why and any steps that can be taken to
mitigate any potential risk associated with the compiler remaining in
place.This is for s security issue on my production system.


Thanks for your time and support!
Maxie Wiley III






RE: tomcat question

2012-10-22 Thread Wiley, Maxie
Steve,

Thank you...!! I have been but I needed another voice... thank you .. thank 
you and Thank You
Enjoy the day!

-Original Message-
From: Adamus, Steven J. [mailto:steven.j.ada...@saic.com] 
Sent: Monday, October 22, 2012 2:47 PM
To: Tomcat Users List; users-subscr...@tomcat.apache.org
Subject: RE: tomcat question

Maxie, 

You're probably referring to a DoD or similar security requirement. In the Web 
Server STIG, Rule ID SV-2236r8 says, Installation of compilers on production 
web server is prohibited. The explanation provided is, The presence of a 
compiler on a production server facilitates the malicious user's task of 
creating custom versions of programs and installing Trojan Horses or viruses. 
For example, the attacker's code can be uploaded and compiled on the server 
under attack. 

There are exceptions to this rule, The same STIG says, This check does not 
prohibit the use of the .Net Framework or the Java compiler for Oracle, and 
An exception is the Java Development Kit installed in conjunction with a 
WebSphere service or Java Server Page (JSP). 

You need to push back and tell your Security Auditors that the Java and Jasper 
compilers are required for Tomcat. Provide any documentation they require. 

Steve


-Original Message-
From: users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org
[mailto:users-return-237320-STEVEN.J.ADAMUS=saic@tomcat.apache.org]
On Behalf Of Wiley, Maxie
Sent: Monday, October 22, 2012 6:18 AM
To: users-subscr...@tomcat.apache.org; users@tomcat.apache.org
Subject: tomcat question

ALL,

Is it possible to remove an installation of a compiler on a production web 
server(tomcat)? If there is a way to remove the compiler or is it required in 
order for the system to function properly.  Could you please send me a  precise 
summary of why and any steps that can be taken to mitigate any potential risk 
associated with the compiler remaining in place.This is for s security issue on 
my production system.


Thanks for your time and support!
Maxie Wiley III






RE: Tomcat 7 Java options format on Windows

2012-10-22 Thread PJ Delsh
My last email was hard to read because it dropped all the carriage returns.
Here's another try:

Is the format of these Java options correct for the Java tab of the Tomcat 
monitor on Windows?

-XX:+HeapDumpOnOutOfMemoryError
-XX:+UseConcMarkSweepGC
-XX:+UseParNewGC
-XX:+CMSClassUnloadingEnabled

Config:
- Windows 2008 R2 x64
- Java 7 Update 9
- Tomcat 7.0.27

 From: pjdelsh...@hotmail.com
 To: users@tomcat.apache.org
 Subject: Tomcat 7 Java options format on Windows
 Date: Mon, 22 Oct 2012 15:22:56 -0400
 
 Is the format of the following Java options correct for the Java tab of the 
 Tomcat 7 monitor on Windows x64?
 -XX:+HeapDumpOnOutOfMemoryError-XX:+UseConcMarkSweepGC-XX:+UseParNewGC-XX:+CMSClassUnloadingEnabled
 Config- Windows 2008 R2 x64- Java 7 Update 9- Tomcat 7.0.27   
   
  

Seeking documentation: copying service to new server

2012-10-22 Thread geoff.culli...@bell.ca
Hi:

I have inherited a set of Tomcat 5.5.23 webapps on an aging linux server and 
can now upgrade to a brand new server. My plan would be to acquire a new server 
running a current linux version, upgrade to Tomcat 7.0.32, completely clone the 
apps, then cut over the new apps .  I have been searching for docs to help 
clone, edit and redeploy the webapps on the new server with little luck. Is 
there someplace I can look to overview the process to follow?

Thanks and best regards,

Geoff Culliton
geoff.culli...@bell.ca


Re: SSl Query-- please help

2012-10-22 Thread Christopher Schultz

André,

On 10/22/12 2:34 AM, André Warnier wrote:
> vicky007aggar...@yahoo.co.in wrote:
>> All/Andre,
>>
>>> You could probably do this using mod_proxy_http instead of
>>> mod_jk (and a HTTPS Connector in Tomcat).  But you should then
>>> also accept the overhead.
>>
>> Queries :
>>
>> 1. Based on above comment does that mean i can use mod_proxy
>> module in order to have ssl communication between apache 
>> tomcat.???
>
> I think so, but you'd have to check that with the Apache
> documentation.

Yes, you can: just use an https:// URL instead of http:// in your
ProxyPass/ProxyPassReverse directives.

>> 2. Load balancing wont work using mod _proxy , correct ??
>
> Wrong.  Look at the Apache documentation, mod_proxy_balancer

+1

>> 3. What overhead you're talking in setting up in setting up
>> mod_proxy for ssl communication between apache  tomcat
>
> Setting it up is not the overhead problem. The overhead is because:
>
> browser - HTTPS - Apache - HTTPS - Tomcat.
>
> meaning :
> - the browser encrypts (you don't care)
> - Apache decrypts (overhead, but unavoidable)
> - Apache encrypts (overhead, avoidable)
> - Tomcat decrypts (overhead, avoidable)

+1

But, if you need to have a secure channel between httpd and Tomcat,
then the encryption overhead is *not* avoidable. By using stunnel or a
VPN, you can avoid needless TCP setup/teardown and repeated key
exchanges, but the encryption obviously always needs to take place
(and takes time).

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
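
The setup discussed in the thread above (mod_proxy_http with an https:// backend URL, balanced by mod_proxy_balancer), written out as an added httpd configuration example that is not from any of the posters. Host names, ports, file paths and the /app context are placeholders, and it assumes the Tomcat nodes' self-signed certificates have been exported to a PEM file that httpd can use to verify them.

```apache
# Added example: all host names, ports and paths are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer
# (httpd 2.4 additionally needs a mod_lbmethod_* module and mod_slotmem_shm).

<VirtualHost *:443>
    ServerName www.example.com

    # Browser <-> httpd: httpd decrypts here (the unavoidable part).
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # httpd <-> Tomcat: without this, https:// backend URLs are refused.
    SSLProxyEngine on

    # SSLProxyVerify defaults to "none": the hop would be encrypted but the
    # backend would not be authenticated. Trust only the Tomcat certificates
    # (the self-signed ones, exported to PEM) and require a valid match.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/httpd/tls/tomcat-backends.pem
    SSLProxyCheckPeerExpire   on
    # The certificate CN must equal the host name in the BalancerMember URL.
    # On httpd 2.4.5 and later SSLProxyCheckPeerName supersedes this check.
    SSLProxyCheckPeerCN       on

    # Each member is a Tomcat HTTPS Connector, not an AJP one.
    <Proxy balancer://tomcats>
        BalancerMember https://tomcat1.internal.example:8443
        BalancerMember https://tomcat2.internal.example:8443
    </Proxy>

    ProxyPass        /app balancer://tomcats/app
    ProxyPassReverse /app balancer://tomcats/app
</VirtualHost>
```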



Re: tomcat question

2012-10-22 Thread Christopher Schultz

Steve,

On 10/22/12 2:47 PM, Adamus, Steven J. wrote:
> You need to push back and tell your Security Auditors that the Java
> and Jasper compilers are required for Tomcat. Provide any
> documentation they require.

Thank you for ending the madness.

-chris




Re: Tomcat 7 Java options format on Windows

2012-10-22 Thread Christopher Schultz

PJ,

On 10/22/12 3:22 PM, PJ Delsh wrote:
> Is the format of the following Java options correct for the Java
> tab of the Tomcat 7 monitor on Windows x64?
> -XX:+HeapDumpOnOutOfMemoryError-XX:+UseConcMarkSweepGC-XX:+UseParNewGC-XX:+CMSClassUnloadingEnabled
> Config- Windows 2008 R2 x64- Java 7 Update 9- Tomcat 7.0.27


AFAIK, Java command-line options are the same on all platforms except
that file paths (not URLs!) on win32 systems generally use backslashes
instead of regular slashes.

-chris



RE: Tomcat 7 Java options format on Windows

2012-10-22 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Tomcat 7 Java options format on Windows

> AFAIK, Java command-line options are the same on all platforms except
> that file paths (not URLs!) on win32 systems generally use backslashes
> instead of regular slashes.

But, just to keep it interesting, Windows boxes _can_ use forward slashes in 
Java command-line parameters.

 - Chuck





Re: Seeking documentation: copying service to new server

2012-10-22 Thread Mark Eggers

On 10/22/2012 1:16 PM, geoff.culli...@bell.ca wrote:

> Hi:
>
> I have inherited a set of Tomcat 5.5.23 webapps on an aging linux
> server and can now upgrade to a brand new server. My plan would be to
> acquire a new server running a current linux version, upgrade to
> Tomcat 7.0.32, completely clone the apps, then cut over the new apps.
> I have been searching for docs to help clone, edit and redeploy
> the webapps on the new server with little luck. Is there someplace I
> can look to overview the process to follow?
>
> Thanks and best regards,
>
> Geoff Culliton geoff.culli...@bell.ca



In short, probably not since you are moving up two versions (good btw).

Start with:

http://tomcat.apache.org/migration-6.html
http://tomcat.apache.org/migration-7.html

Things that may trip you up are (in no special order).

1. Directory structure change (5.5.x - 6.0.x)

This governs where you put JDBC libraries and extra endorsed libraries 
among other things.


2. Logging changes (5.5.x - 6.0.x - 7.0.x)

Particularly if you rely on standard out logging (move your applications 
to a logging framework) you may be in for some surprises.


3. Manager role changes (5.5.x - 6.0.x - 7.0.x)

The manager URLs, roles, and accounts have changed in 7.0.x. The second 
link above details the changes.


4. Jar scanning

This occurs due to compliance with the Servlet 3.0 specification. You 
may improve start up time and memory (although 7.0.32 does a great job) 
by including jars to skip in catalina.properties.


Read this for more information:

http://tomcat.apache.org/tomcat-7.0-doc/config/systemprops.html

Also, look at the current $CATALINA_BASE/conf/catalina.properties file 
shipped with Tomcat.


If you have standards-compliant web applications then there should not 
be too many challenges.


Watch out for things like:

1. quoting (quotes within quotes)

Use text 'other text'  instead of text other text 

2. wildcard imports on JSP pages

This is mentioned on the second migration page. Wildcard imports could 
reference classes that are newly a part of the Servlet 3.0 
specification. Use specific imports in order to solve any name collision 
problem.


3. invoker servlet

It's been discouraged for a long time, and disabled by default in 5.5.x 
and 6.0.x. It's completely gone in 7.0.x. It's time to explicitly map 
the servlets in web.xml or move to the Servlet 3.0 specification and use 
annotations.


My generic thoughts on this are:

1. Install a new version of Linux

2. Install the latest version of the JRE from Oracle

Manage this manually (I use links and environment variables). I've never 
had good luck with using the alternates framework, although your mileage 
may vary.


3. Create an unprivileged account for running Tomcat

4. Install a copy of the latest Tomcat downloaded from Apache

Manage this manually, including writing your own init scripts. While you 
can wade through the repackaging structure that most Linux distributions 
impose, I've always found it easier to manage all of this myself.


Use the default Tomcat settings for testing. Tweak them once you get 
everything running.


5. Drop in a representative WAR file and test

Run JMeter or Selenium tests and see what breaks. Take notes, fix the 
issues, and then make appropriate changes to other applications.


Again, if you have standards-compliant web applications there should not 
be many (if any) issues.


. . . . just my two cents
/mde/




Re: Seeking documentation: copying service to new server

2012-10-22 Thread David Kerber

On 10/22/2012 4:16 PM, geoff.culli...@bell.ca wrote:

> Hi:
>
> I have inherited a set of Tomcat 5.5.23 webapps on an aging linux server and
> can now upgrade to a brand new server. My plan would be to acquire a new server
> running a current linux version, upgrade to Tomcat 7.0.32, completely clone the
> apps, then cut over the new apps.  I have been searching for docs to help
> clone, edit and redeploy the webapps on the new server with little luck. Is
> there someplace I can look to overview the process to follow?
>
> Thanks and best regards,
>
> Geoff Culliton
> geoff.culli...@bell.ca



IME, there is a pretty good chance your application will run largely 
unchanged as long as you don't use any tomcat-specific functionality in it.


Your tomcat installation, OTOH will pretty much need to be configured 
from scratch.  Don't try to re-use the old directory structure or 
configuration files; that's just asking for frustration...


Dave





Re: Tomcat 7 Java options format on Windows

2012-10-22 Thread David Kerber

On 10/22/2012 4:57 PM, Caldarale, Charles R wrote:

>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: Tomcat 7 Java options format on Windows
>
>> AFAIK, Java command-line options are the same on all platforms except
>> that file paths (not URLs!) on win32 systems generally use backslashes
>> instead of regular slashes.
>
> But, just to keep it interesting, Windows boxes _can_ use forward slashes in
> Java command-line parameters.
>
>   - Chuck


In fact, windows can use forward slashes in most locations, including 
explorer and most windows-native applications.  You just can't typically 
mix forward- and back- slashes in the same line.







Re: any servlets to implement sort of a google-play-like functionality for android and other types of mobile devices?

2012-10-22 Thread Albretch Mueller
 OK, I may not have been clear enough and I have been gone fishing
for quite a long time.
~
 To me Java Web Start was/is an excellent technology and the way I see
things are happening with Android is that developers (must?) keep
their applications on google play (and a few other alternatives),
but to me there is something odd and basically wrong with that
~
 It is not just about an http request, but the way google goes about
the whole Java Web Start thing (I would call it that to make my
(possibly wrong/outdated) point)
~
 What are the options you have if you want to develop your own android
mobile apps and want to handle them from your site using tomcat as you
would (or along with), say, regular http requests and Java Web Start
applications from browsers?
~
 lbrtchx
