Re: why only 2 requests for async request can raise from a end-point?

2015-06-29 Thread Ari Luoma
Hi,

The number of concurrent connections is limited by the browser:
http://stackoverflow.com/questions/561046/how-many-concurrent-ajax-xmlhttprequest-requests-are-allowed-in-popular-browse

Best Regards,
Ari Luoma


On Mon, Jun 29, 2015 at 12:08 PM, 许明  wrote:

 Hi,

 I am trying to bench async servlet, tomcat7 and tomcat8; now it seems I
 can only start 2 requests from an end-point.


 I made a simple tool that starts 100 requests at the same time, each request has its own
 session, and wrote a simple async servlet, which is pasted at the bottom of
 this mail.


 It's the result:


 06-29 16:28:52 622 INFO  (Test.java:35)- test serve 1
 06-29 16:28:52 622 INFO  (Test.java:35)- test serve 2
 06-29 16:29:02 633 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:02 637 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:02 642 INFO  (Test.java:35)- test serve 3
 06-29 16:29:02 677 INFO  (Test.java:35)- test serve 4
 06-29 16:29:12 647 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:12 650 INFO  (Test.java:35)- test serve 5
 06-29 16:29:12 682 INFO  (Test.java:35)- test serve 6
 


 I have tested this on tomcat7 and tomcat8 in Windows and Linux (Ubuntu), and
 tested it in a browser manually.


 Best Regards


 ===
 my Test servlet:
 ===


 package com.botao.im;

 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;

 import javax.servlet.AsyncContext;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.log4j.Logger;

 /**
  * Servlet implementation class Test
  */
 @WebServlet(asyncSupported = true, name = "test", urlPatterns = { "/test" })
 public class Test extends HttpServlet {
     private static final long serialVersionUID = 1L;

     private static Logger logger = Logger.getLogger(Test.class);

     private static ScheduledExecutorService es =
             Executors.newSingleThreadScheduledExecutor();

     private static int counter = 0;

     protected void doGet(HttpServletRequest request, final HttpServletResponse response)
             throws ServletException, IOException {

         logger.info("test serve " + (++counter));
         final AsyncContext context = request.startAsync();

         context.start(new Runnable() {

             @Override
             public void run() {
                 context.setTimeout(100);
                 es.schedule(new Runnable() {

                     @Override
                     public void run() {
                         response.setContentType("text/plain");
                         PrintWriter out;
                         try {
                             out = response.getWriter();
                             out.print("hello");
                             out.flush();
                             context.complete();
                             logger.debug("timout and  print");
                         } catch (IOException e) {
                         }
                     }

                 }, 10, TimeUnit.SECONDS);
             }
         });
     }
 }


Re: SSL configuration using PFX as keystore

2015-06-29 Thread Mark Thomas
On 26/06/2015 19:37, Mark Thomas wrote:
 On 22/06/2015 11:56, Mark Thomas wrote:
 On 22/06/2015 09:39, Mark Thomas wrote:
 
 <snip/>
 
 Prompting for authentication in response to an untrusted certificate is
 bizarre to say the least.

 Microsoft generously provide MSDN subscriptions for Apache committers
 which is why I have the various OS's to hand to test this. The
 subscription also comes with tech support. I'll open an incident. It
 will be interesting to see if things have improved since I last tried
 raising bugs with Microsoft (I filed so many bugs with MS Office and it
 took so long for MS to fix them that I hit the limit of issues MS would
 let me have open in parallel).
 
 Support incident raised. I await the response with interest...

Oh dear. Not a good first response from Microsoft.

First they tried to say that the WebDAV server must be triggering the
prompt for credentials which would be difficult to say the least given
that the TLS connection is never established AND that the WebDAV
endpoint was configured for anonymous access.

Then they tried to suggest that I contact Apache for support. Let's just
say that suggestion got shut down rather quickly.

Finally they went back to trying to suggest that the server was asking
for credentials. A rather circular discussion followed that demonstrated
that the support person had little to no understanding of the OSI
network model (they continued to try to claim that establishing a TCP
connection meant that the WebDAV server could have sent the request for
authentication credentials despite the fact that the TLS connection failed).

The only small ray of hope is that they asked for a network trace of the
connection process. That should enable someone more clueful at Microsoft
to confirm it is the client error handling at fault.

I'll keep the list informed of progress.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL configuration using PFX as keystore

2015-06-29 Thread André Warnier

Mark Thomas wrote:

On 26/06/2015 19:37, Mark Thomas wrote:

On 22/06/2015 11:56, Mark Thomas wrote:

On 22/06/2015 09:39, Mark Thomas wrote:

<snip/>


Prompting for authentication in response to an untrusted certificate is
bizarre to say the least.

Microsoft generously provide MSDN subscriptions for Apache committers
which is why I have the various OS's to hand to test this. The
subscription also comes with tech support. I'll open an incident. It
will be interesting to see if things have improved since I last tried
raising bugs with Microsoft (I filed so many bugs with MS Office and it
took so long for MS to fix them that I hit the limit of issues MS would
let me have open in parallel).

Support incident raised. I await the response with interest...


Oh dear. Not a good first response from Microsoft.

First they tried to say that the WebDAV server must be triggering the
prompt for credentials which would be difficult to say the least given
that the TLS connection is never established AND that the WebDAV
endpoint was configured for anonymous access.

Then they tried to suggest that I contact Apache for support. Let's just
say that suggestion got shut down rather quickly.


Like, I /am/ Apache support ? :-)



Finally they went back to trying to suggest that the server was asking
for credentials. A rather circular discussion followed that demonstrated
that the support person had little to no understanding of the OSI
network model (they continued to try to claim that establishing a TCP
connection meant that the WebDAV server could have sent the request for
authentication credentials despite the fact that the TLS connection failed).

The only small ray of hope is that they asked for a network trace of the
connection process. That should enable someone more clueful at Microsoft
to confirm it is the client error handling at fault.

I'll keep the list informed of progress.

Mark





RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back.

[1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes

-Original Message-
From: Leo Donahue [mailto:donahu...@gmail.com] 
Sent: Saturday, June 27, 2015 11:45 PM
To: Tomcat Users List
Subject: [OT] Re: Filter behaviour

On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com
wrote:

 
  public void doFilter(ServletRequest request, ServletResponse response,
          FilterChain chain) throws IOException, ServletException
  {
      boolean iAmNotAuthorized = true;

      if (iAmNotAuthorized)
      {
          // generate the HTTP Servlet Response for a 403 status code
          HttpServletResponse httpResponse = (HttpServletResponse) response;
          //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
          httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
          httpResponse.setHeader("WWW-Authenticate", "Basic");

 WWW-Authenticate header is usually used with 401 response.

 It is unusual to use it with 403 one, though the spec does not forbid 
 it. (I am not sure how browsers react here, though)

 http://tools.ietf.org/html/rfc7235#section-4.1


 Best regards,
 Konstantin Kolinko


http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target.  It's 
misleading.  That seems to open the door for any kind of response, or no 
response.

I am on the fence about sending 401 or 403 responses from a web service.
They both indicate something is there, you just can't get to it.

The 401 alludes that something is wrong with your username/password.

The 403 is more vague.  You may have the right username and password (and I'm 
not going to bother to tell you), but your account may not have the correct 
role associated with using this service, so rather than say anymore, I'll just 
let you know you are forbidden.  Users have no idea, other than there is 
something good at the end of this request for me to be forbidden.

From the perspective of troubleshooting customer requests to your published web 
service, developers can log the unsuccessful attempt (Authentication or
Authorization) and review the log files for answers to trouble shooting, but 
sending back a status code doesn't seem to always make sense depending on what 
types of application clients your customers are using.

For example:

Suppose you call a SOAP web service that takes an object as a parameter and 
that service returns another type of object.  When customers expect an object, 
they may get a HTTP status code of 401 or 403 if they botched sending the 
correct username/password in the authentication header.  And maybe, their 
password is merely expired.  In situations like those, it seems more reasonable 
to send back a Soap Fault of some kind as defined in the schema.  The message 
could be as simple as: Authorization failed.

It seems easier for clients to know that a soap web service may throw a 
ClientAuthorizationException for example, rather than parse out a HTTP status 
code response?

I don't know though.

Leo


Re: Tomcat - OOM Perm gen

2015-06-29 Thread Kiran Badi
Hi Chris,

The number of users shouldn't impact your PermGen space. Perhaps only
once you get to that stage are you hitting enough of your features to
load classes into PermGen. (Or maybe you are using String.intern a
lot...)

I analysed some logs and I could see that users query features which make
DB calls, so those calls do have 1000's of rows in them. But some calls also
fetch an empty result set and some error out, partly because the code for those
calls is broken (some of those DAO classes have hard-coded DB parameters
which I am cleaning out now). As far as I know I do not do any string
concat; those calls are all simple list fetch calls to views.

I am trying to implement some caching using either ehcache or JCS but I
think it has to wait for some time, till I gain some understanding of how
these work. (I think I need to serialize a lot of model classes; that
will probably require some code changes again.) I know I have a lot of work
to do, maybe one change at a time :)


PermGen failures will affect the whole JVM. There is no way to protect
App B from App A unless they are in different JVMs.

I can understand this. So I am doing a daily restart now to manage the issue till I
figure out some solution to it.

What makes you say that? It seems that you have more information than
you are giving us.

It's not hardened code, so I think it still has some issues with it. Also,
during development I can see similar errors on my local dev box. If I
deploy and redeploy at least 8 to 10 times, I start seeing those PermGen
errors; it's just that it references a new class file every time. Maybe I can
share it with you all once I get it again.
Also, I have written this code and I am not that fantastic a coder yet,
but I will get there in a short span :)


Usually, PermGen doesn't have to be enormous. What's your memory cap
with your hosting provider?

I have a private tomcat 7x, but I remember the hosting provider mentioning that
512mb is final, but I will check with them again later this week.

Below is what I see in catalina logs when I do restart of tomcat,


Picked up _JAVA_OPTIONS: -Xms20m  -Xmx128m -XX:MinHeapFreeRatio=20
-XX:MaxHeapFreeRatio=40 -XX:NewSize=10m  -XX:MaxNewSize=10m
-XX:SurvivorRatio=6 -XX:TargetSurvivorRatio=80
 -XX:+CMSClassUnloadingEnabled -XX:+CMSClassUnloadingEnabled

I was thinking CMSClassUnloadingEnabled should fix my perm gen
issues, but I think it's not the case.



You either need more PermGen space, or you need to locate some kind of
leak in your application and fix it. IIRC, there are some RMI-related
leaks and Proxy-related leaks in PermGen depending upon your exact
circumstances.

It would be good to know what's in PermGen when it hits its limit.

What are your current heap settings, including PermGen? What JVM?

Try:
$ jmap -heap <pid>

and

$ jmap -permstat <pid>


I will try to get those dumps, but I do not use any RMI or generate any
kind of proxies. Mine is a simple app with a lot of forms in it, though there
are a few calls which fetch a lot of data from servers. Sometimes a few
autocomplete calls fetch 1000's of records. I am trying to remove those
calls.

Below is my jvm details

Apache Tomcat/7.0.50 1.7.0_17-b02 Oracle Corporation Linux
2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 amd64

Thanks Chris for reply.

On Fri, Jun 26, 2015 at 11:56 AM, Christopher Schultz 
ch...@christopherschultz.net wrote:


 Kiran,

 On 6/25/15 6:32 PM, Kiran Badi wrote:
  I have 2 web apps sitting on single tomcat instance, App A(
  Classic JSP/Servlet/jstl/velocity App)  and App B (Struts2 based
  app).
 
  Now I have added S2 to App A and trying to fix some bad code in it
  with it.But after making this change I keep getting out of OOM
  issues once user count reaches to 75

 The number of users shouldn't impact your PermGen space. Perhaps only
 once you get to that stage are you hitting enough of your features to
 load classes into PermGen. (Or maybe you are using String.intern a
 lot...).

  + and App A seems to be bringing App B down with it.

 PermGen failures will affect the whole JVM. There is no way to protect
 App B from App A unless they are in different JVMs.

  Below is trace I get in catalina out log. I think I can increase
  memory

 Yes, you can.

  but it will not solve this

 What makes you say that? It seems that you have more information than
 you are giving us.

  and I have hard limit of memory with hosting provider.

 Usually, PermGen doesn't have to be enormous. What's your memory cap
 with your hosting provider?

  Is there anything in tomcat that I need to enable which can give me
  some mileage?

 There is nothing you can do in Tomcat to make your application load
 fewer classes.

  How do I fix this ?

 You either need more PermGen space, or you need to locate some kind of
 leak in your application and fix it. IIRC, there are some RMI-related
 leaks and Proxy-related leaks in PermGen depending upon your exact
 circumstances.

 It would be good to know 

Re: why only 2 requests for async request can raise from a end-point?

2015-06-29 Thread 许明
Hi,


I wrote a test tool with C#, not with a browser, and each request has its own 
session, which browsers do not support now.


And PHP and IIS can change an option to set the limit of one end-point's 
requests, so I can't agree that the browser has this limit.


I have run tomcat on localhost, and 100 requests are allowed; it only appears 
when the server and client run on different machines.


Best Regards,
Hsuming


-- Original Message --
From: Ari Luoma;arilu...@gmail.com;
Sent: 2015-06-29 5:18
To: Tomcat Users Listusers@tomcat.apache.org; 

Subject: Re: why only 2 requests for async request can raise from a end-point?



Hi,

The number of concurrent connections is limited by the browser:
http://stackoverflow.com/questions/561046/how-many-concurrent-ajax-xmlhttprequest-requests-are-allowed-in-popular-browse

Best Regards,
Ari Luoma


On Mon, Jun 29, 2015 at 12:08 PM, 许明  wrote:

 Hi,

 I am trying to bench async servlet, tomcat7 and tomcat8; now it seems I
 can only start 2 requests from an end-point.


 I made a simple tool that starts 100 requests at the same time, each request has its own
 session, and wrote a simple async servlet, which is pasted at the bottom of
 this mail.


 It's the result:


 06-29 16:28:52 622 INFO  (Test.java:35)- test serve 1
 06-29 16:28:52 622 INFO  (Test.java:35)- test serve 2
 06-29 16:29:02 633 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:02 637 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:02 642 INFO  (Test.java:35)- test serve 3
 06-29 16:29:02 677 INFO  (Test.java:35)- test serve 4
 06-29 16:29:12 647 DEBUG (Test.java:54)- timout and  print
 06-29 16:29:12 650 INFO  (Test.java:35)- test serve 5
 06-29 16:29:12 682 INFO  (Test.java:35)- test serve 6
 


 I have tested this on tomcat7 and tomcat8 in Windows and Linux (Ubuntu), and
 tested it in a browser manually.


 Best Regards


 ===
 my Test servlet:
 ===


 package com.botao.im;

 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;

 import javax.servlet.AsyncContext;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.log4j.Logger;

 /**
  * Servlet implementation class Test
  */
 @WebServlet(asyncSupported = true, name = "test", urlPatterns = { "/test" })
 public class Test extends HttpServlet {
     private static final long serialVersionUID = 1L;

     private static Logger logger = Logger.getLogger(Test.class);

     private static ScheduledExecutorService es =
             Executors.newSingleThreadScheduledExecutor();

     private static int counter = 0;

     protected void doGet(HttpServletRequest request, final HttpServletResponse response)
             throws ServletException, IOException {

         logger.info("test serve " + (++counter));
         final AsyncContext context = request.startAsync();

         context.start(new Runnable() {

             @Override
             public void run() {
                 context.setTimeout(100);
                 es.schedule(new Runnable() {

                     @Override
                     public void run() {
                         response.setContentType("text/plain");
                         PrintWriter out;
                         try {
                             out = response.getWriter();
                             out.print("hello");
                             out.flush();
                             context.complete();
                             logger.debug("timout and  print");
                         } catch (IOException e) {
                         }
                     }

                 }, 10, TimeUnit.SECONDS);
             }
         });
     }
 }

Re: Distinct servlets for different domains in one web application

2015-06-29 Thread André Warnier

Christian wrote:

André,

On 28.06.2015 23:11, André Warnier wrote:

Christian wrote:

Mark,

On 28.06.2015 19:58, Mark Eggers wrote:


Christian,

On 6/28/2015 9:01 AM, Christian wrote:

Hello all,

is it somehow possible to create a web application with multiple
servlets that are registered to different domains for the same url
paths using tomcat 8? I already crawled through the catalina code
that is responsible for the servlet selection and didn't find
anything that would allow this. But this doesn't mean that it
isn't possible at all. As far as I know, java configuration for
servlet registration doesn't allow passing domain names. But maybe
there is an option within context.xml.

I want to create a web application that has different domains for
the application itself and its management site. Both parts should
run at the context root, at different domains. The application
needs a shared (spring-)context in which the application's beans
are stored.

Regards, Christian

I'm not quite sure what you're after. Sharing Spring beans across
contexts and domains sounds like there's an underlying requirement I
don't understand.


ok, I'll try to explain, as aliases won't do what I need.
It's an application that can be configured via an admin interface. 
The admin interface is one part of the webapp.
The main application is accessible via www.example.com. The admin 
interface needs access to the beans within the main application (e. 
g. to create tenants that live in context scope), that's why I 
created just one webapp with two dispatcher servlets.
One dispatcher servlet is responsible for the admin interface and one 
for the main application. Until now I make tomcat select them by 
using a context path for the admin interface.
But this is redundant, because the admin interface needs to be 
accessed via admin.example.com/admin instead of just 
admin.example.com. I would like to map admin.example.com to the admin 
servlet and www.example.com to the main applications dispatcher servlet.
At a later stage, www.example.com/admin might be used for other admin 
tasks that must be accessible by users registered on the main site. 
But /admin is already shadowed.


Hopefully I could explain my problem a little better.


Yes, that is much clearer.
Honestly without having really figured out the details of your 
explanation, I would nevertheless point you in 2 directions for that 
kind of thing :
a) use an Apache httpd front-end proxy, and use the httpd proxying 
and/or URL rewriting capabilities to do what you want


thanks for your suggestion! The application anyway needs a reverse proxy 
/ ssl gateway, because tomcat isn't capable of doing TLS with SNI. Your 
proposed solution seems appropriate, although I have to figure out how 
to cleanly generate the correct urls within the application.


<VirtualHost *:80>
  ServerName admin.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/admin/
  ProxyPassReverse / ajp://mytomcat.local/admin/
  ProxyPassReverseCookiePath /admin /
</VirtualHost>

<VirtualHost *:80>
  ServerName www.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/
  ProxyPassReverse / ajp://mytomcat.local/
</VirtualHost>

The ProxyPassReverse* take care of re-directs and cookies.
But in your admin application pages, you should make sure that you are returning only 
relative URLs.

E.g. if the admin application would normally return a page with
<img src="/admin/images/logo.jpg" />
it should instead return
<img src="images/logo.jpg" />
and the browser and the proxy should then do the right thing.

Or else, you could add an output filter at the httpd level, and rewrite all the URLs on 
the fly.
That is a bit resource-intensive, but I would imagine that your admin application is not 
one with very high traffic.


Note also : in the schema above, there is nothing which prevents a user on 
www.mydomain.com to request a URL like /admin, which could lead to accidents..
You may want to add a RewriteCond/RewriteRule in that VirtualHost which prevents them 
doing that.






Regards,
Christian


or
b) use the built-in Rewrite Valve of Tomcat 8 
(http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html), or if you are 
at a lower Tomcat version, use the add-on URLRewrite Filter 
(www.tuckey.org)


A Valve is a Tomcat-specific component, so that solution is generally 
non-portable to another servlet container.  The others (httpd 
front-end or the URLRewriteFilter (a servlet filter)) are portable.


Personally, in this case, and considering that you want to do 
different things depending on the hostname used to access Tomcat, I 
would go the httpd front-end route, with 2 VirtualHosts at the httpd 
level, proxying to a single Host at the Tomcat level (but in one case, 
after modifying the URL).
That's because I think that trying to do this at the Tomcat level only 
may give you headaches in terms of self-referential URLs returned by 
your application.
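
Added example, not part of the original thread: one way to write the guard André mentions for the www VirtualHost, so that requests for /admin on the public host are refused by httpd and never proxied to Tomcat. It reuses the thread's host name and AJP target; the pattern and flags are this example's own choices and assume mod_rewrite is loaded.

```apache
<VirtualHost *:80>
  ServerName www.mydomain.com

  RewriteEngine On
  # Refuse /admin and everything below it on the public host.
  # mod_rewrite handles the request before mod_proxy maps it, so a
  # matching request is answered here and is not forwarded over AJP.
  #  - "[/;]" also covers "/admin;...": Tomcat drops ;path-parameters
  #    when it maps a request to a context, so the front end has to
  #    treat that form as the same path.
  #  - "(...|$)" keeps unrelated paths such as /administration-help
  #    reachable.
  #  - [F] answers 403 Forbidden; use [R=404] instead to answer
  #    404 Not Found and not reveal that the path exists.
  RewriteRule ^/admin([/;]|$) - [F,NC]

  ProxyPass / ajp://mytomcat.local/
  ProxyPassReverse / ajp://mytomcat.local/
</VirtualHost>
```

The front-end rule complements, and does not replace, authorization checks inside the application, since the two layers can disagree on how a URL is normalized.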




Re: Distinct servlets for different domains in one web application

2015-06-29 Thread Christian

André,

On 29.06.2015 12:15, André Warnier wrote:

Christian wrote:

André,

On 28.06.2015 23:11, André Warnier wrote:

Christian wrote:

Mark,

On 28.06.2015 19:58, Mark Eggers wrote:


Christian,

On 6/28/2015 9:01 AM, Christian wrote:

Hello all,

is it somehow possible to create a web application with multiple
servlets that are registered to different domains for the same url
paths using tomcat 8? I already crawled through the catalina code
that is responsible for the servlet selection and didn't find
anything that would allow this. But this doesn't mean that it
isn't possible at all. As far as I know, java configuration for
servlet registration doesn't allow passing domain names. But maybe
there is an option within context.xml.

I want to create a web application that has different domains for
the application itself and its management site. Both parts should
run at the context root, at different domains. The application
needs a shared (spring-)context in which the application's beans
are stored.

Regards, Christian

I'm not quite sure what you're after. Sharing Spring beans across
contexts and domains sounds like there's an underlying requirement I
don't understand.


ok, I'll try to explain, as aliases won't do what I need.
It's an application that can be configured via an admin interface. 
The admin interface is one part of the webapp.
The main application is accessible via www.example.com. The admin 
interface needs access to the beans within the main application (e. 
g. to create tenants that live in context scope), that's why I 
created just one webapp with two dispatcher servlets.
One dispatcher servlet is responsible for the admin interface and 
one for the main application. Until now I make tomcat select them 
by using a context path for the admin interface.
But this is redundant, because the admin interface needs to be 
accessed via admin.example.com/admin instead of just 
admin.example.com. I would like to map admin.example.com to the 
admin servlet and www.example.com to the main applications 
dispatcher servlet.
At a later stage, www.example.com/admin might be used for other 
admin tasks that must be accessible by users registered on the main 
site. But /admin is already shadowed.


Hopefully I could explain my problem a little better.


Yes, that is much clearer.
Honestly without having really figured out the details of your 
explanation, I would nevertheless point you in 2 directions for that 
kind of thing :
a) use an Apache httpd front-end proxy, and use the httpd proxying 
and/or URL rewriting capabilities to do what you want


thanks for your suggestion! The application anyway needs a reverse 
proxy / ssl gateway, because tomcat isn't capable of doing TLS with 
SNI. Your proposed solution seems appropriate, although I have to 
figure out how to cleanly generate the correct urls within the 
application.


<VirtualHost *:80>
  ServerName admin.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/admin/
  ProxyPassReverse / ajp://mytomcat.local/admin/
  ProxyPassReverseCookiePath /admin /
</VirtualHost>

<VirtualHost *:80>
  ServerName www.mydomain.com
..
  ProxyPass / ajp://mytomcat.local/
  ProxyPassReverse / ajp://mytomcat.local/
</VirtualHost>



thank you for the configuration excerpt!


The ProxyPassReverse* take care of re-directs and cookies.
But in your admin application pages, you should make sure that you 
are returning only relative URLs.

E.g. if the admin application would normally return a page with
<img src="/admin/images/logo.jpg" />
it should instead return
<img src="images/logo.jpg" />
and the browser and the proxy should then do the right thing.

Or else, you could add an output filter at the httpd level, and 
rewrite all the URLs on the fly.
That is a bit resource-intensive, but I would imagine that your admin 
application is not one with very high traffic.


I believe relative urls are most elegant. My second choice would be a 
configuration within the application itself when generating the links 
(it's using spring and version 4.2 gets support for base uris). A 
content filter at httpd level seems a bit brittle to me.


Note also : in the schema above, there is nothing which prevents a 
user on www.mydomain.com to request a URL like /admin, which could 
lead to accidents..
You may want to add a RewriteCond/RewriteRule in that VirtualHost 
which prevents them doing that.


Thank you for the hint - I already prevent malicious access at the 
application level. The setup is a bit more complex than I described 
here, because it is a multi tenant and multi domain application. Tenants 
get recognized by the domain within a servlet filter, that's why they 
play a big role already. At a spring security layer authorization gets 
checked for every request.


Regards,
Christian



Regards,
Christian


or
b) use the built-in Rewrite Valve of Tomcat 8 
(http://tomcat.apache.org/tomcat-8.0-doc/rewrite.html), or if you 
are at a lower Tomcat 

RE: [OT] Re: Filter behaviour

2015-06-29 Thread George Stanchev
Yeah, you're right. I don't see *MUST* in my reference either. They *must* /pun 
intended/ have dropped the language for SOAP 1.2. A little vague, with this 
table, though the table implicitly states that it *MUST* be 400 or 500 since 
there is no other code that and it is a complete table.

I said *MUST* because SOAP 1.1 explicitly states it [1]:


In case of a SOAP error while processing the request, the SOAP HTTP server 
MUST issue an HTTP 500 Internal Server Error response and include a SOAP 
message in the response containing a SOAP Fault element (see section 4.4) 
indicating the SOAP processing error.


George

[1] http://www.w3.org/TR/2000/NOTE-SOAP-2508/#_Toc478383529

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com] 
Sent: Monday, June 29, 2015 8:56 AM
To: Tomcat Users List
Subject: Re: [OT] Re: Filter behaviour

George Stanchev wrote:
 For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back.
 
 [1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes

Not to start a fight on SOAP on this Tomcat forum, but in the wording of the 
section referenced above, I definitely do not see that you *MUST* send a 5xx or 
4xx Status Code back.
One should start reading a bit earlier, at 7.5.2.2 Receiving.
The gist seems to be : send a 2xx code back, along with a SOAP envelope 
containing the SOAP fault, or if you cannot, then use one of the HTTP error 
codes below.
But sending /only/ a HTTP error code is, in my view, confusing for the client, 
because it would not be able to distinguish between a HTTP transport error, and 
a service-level error.

 
 -Original Message-
 From: Leo Donahue [mailto:donahu...@gmail.com] 
 Sent: Saturday, June 27, 2015 11:45 PM
 To: Tomcat Users List
 Subject: [OT] Re: Filter behaviour
 
 On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com
 wrote:
 
 public void doFilter(ServletRequest request, ServletResponse response,
         FilterChain chain) throws IOException, ServletException
 {
     boolean iAmNotAuthorized = true;

     if (iAmNotAuthorized)
     {
         // generate the HTTP Servlet Response for a 403 status code
         HttpServletResponse httpResponse = (HttpServletResponse) response;
         //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
         httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
         httpResponse.setHeader("WWW-Authenticate", "Basic");

 WWW-Authenticate header is usually used with 401 response.

 It is unusual to use it with 403 one, though the spec does not forbid 
 it. (I am not sure how browsers react here, though)

 http://tools.ietf.org/html/rfc7235#section-4.1


 Best regards,
 Konstantin Kolinko


 http://tools.ietf.org/html/rfc7231#section-6.5.3
 
 And we may send a 404 to hide the existence of a forbidden target.  It's 
 misleading.  That seems to open the door for any kind of response, or no 
 response.
 
 I am on the fence about sending 401 or 403 responses from a web service.
 They both indicate something is there, you just can't get to it.
 
 The 401 alludes that something is wrong with your username/password.
 
 The 403 is more vague.  You may have the right username and password (and 
 I'm not going to bother to tell you), but your account may not have the 
 correct role associated with using this service, so rather than say anymore, 
 I'll just let you know you are forbidden.  Users have no idea, other than 
 there is something good at the end of this request for me to be forbidden.
 
 From the perspective of troubleshooting customer requests to your published 
 web service, developers can log the unsuccessful attempt (Authentication or
 Authorization) and review the log files for answers to trouble shooting, but 
 sending back a status code doesn't seem to always make sense depending on 
 what types of application clients your customers are using.
 
 For example:
 
 Suppose you call a SOAP web service that takes an object as a parameter and 
 that service returns another type of object.  When customers expect an 
 object, they may get a HTTP status code of 401 or 403 if they botched sending 
 the correct username/password in the authentication header.  And maybe, their 
 password is merely expired.  In situations like those, it seems more 
 reasonable to send back a Soap Fault of some kind as defined in the schema.  
 The message could be as simple as: Authorization failed.
 
 It seems easier for clients to know that a soap web service may throw a 
 ClientAuthorizationException for example, rather than parse out a HTTP status 
 code response?
 
 I don't know though.
 
 Leo
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org
 



Re: [OT] Re: Filter behaviour

2015-06-29 Thread André Warnier

George Stanchev wrote:

For SOAP, you *MUST* send back 500 or 400 with your SOAP fault back.

[1] http://www.w3.org/TR/soap12-part2/#tabresstatereccodes


Not to start a fight on SOAP on this Tomcat forum, but in the wording of the section 
referenced above, I definitely do not see that you *MUST* send a 5xx or 4xx Status Code back.

One should start reading a bit earlier, at 7.5.2.2 Receiving.
The gist seems to be : send a 2xx code back, along with a SOAP envelope containing the 
SOAP fault, or if you cannot, then use one of the HTTP error codes below.
But sending /only/ a HTTP error code is, in my view, confusing for the client, because it 
would not be able to distinguish between a HTTP transport error, and a service-level error.




-Original Message-
From: Leo Donahue [mailto:donahu...@gmail.com] 
Sent: Saturday, June 27, 2015 11:45 PM

To: Tomcat Users List
Subject: [OT] Re: Filter behaviour

On Sat, Jun 27, 2015 at 8:37 AM, Konstantin Kolinko knst.koli...@gmail.com
wrote:


public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException
{
    boolean iAmNotAuthorized = true;

    if (iAmNotAuthorized)
    {
        // generate the HTTP Servlet Response for a 403 status code
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        //httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpResponse.setHeader("WWW-Authenticate", "Basic");

WWW-Authenticate header is usually used with 401 response.

It is unusual to use it with 403 one, though the spec does not forbid 
it. (I am not sure how browsers react here, though)


http://tools.ietf.org/html/rfc7235#section-4.1


Best regards,
Konstantin Kolinko



http://tools.ietf.org/html/rfc7231#section-6.5.3

And we may send a 404 to hide the existence of a forbidden target.  It's 
misleading.  That seems to open the door for any kind of response, or no response.

I am on the fence about sending 401 or 403 responses from a web service.
They both indicate something is there, you just can't get to it.

The 401 alludes that something is wrong with your username/password.

The 403 is more vague.  You may have the right username and password (and I'm not going 
to bother to tell you), but your account may not have the correct role associated with 
using this service, so rather than say anymore, I'll just let you know you are forbidden.  Users 
have no idea, other than there is something good at the end of this request for me to be forbidden.

From the perspective of troubleshooting customer requests to your published web 
service, developers can log the unsuccessful attempt (Authentication or
Authorization) and review the log files for answers to trouble shooting, but 
sending back a status code doesn't seem to always make sense depending on what 
types of application clients your customers are using.

For example:

Suppose you call a SOAP web service that takes an object as a parameter and 
that service returns another type of object.  When customers expect an object, 
they may get a HTTP status code of 401 or 403 if they botched sending the 
correct username/password in the authentication header.  And maybe, their 
password is merely expired.  In situations like those, it seems more reasonable 
to send back a Soap Fault of some kind as defined in the schema.  The message 
could be as simple as: Authorization failed.

It seems easier for clients to know that a soap web service may throw a 
ClientAuthorizationException for example, rather than parse out a HTTP status 
code response?

I don't know though.

Leo





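The status-code choices discussed in this thread (401 with a WWW-Authenticate challenge, 403 without one, optionally 404 to hide the target, with the detail kept in the server log) can be sketched as a servlet filter. This is an added example, not code posted by anyone in the thread; it assumes an upstream authenticator has already set the user principal, and the role name, realm and `hideForbidden` init-param are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the thread. Assumes an upstream authenticator
// has already set the user principal; role and realm names are hypothetical.
public class AuthStatusFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AuthStatusFilter.class.getName());
    private static final String REQUIRED_ROLE = "service-user"; // hypothetical role
    private static final String REALM = "example-service";      // hypothetical realm
    private boolean hideForbidden; // true: answer 404 instead of 403

    @Override
    public void init(FilterConfig cfg) {
        // "hideForbidden" is a hypothetical init-param of this example
        hideForbidden = Boolean.parseBoolean(cfg.getInitParameter("hideForbidden"));
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (req.getUserPrincipal() == null) {
            // Authentication missing or failed: the 401 carries the challenge.
            LOG.warning("authentication failure uri=" + clean(req.getRequestURI()));
            res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            // Authenticated but not permitted: no challenge, since resending
            // the same credentials cannot succeed. Details go to the log only.
            LOG.warning("authorization failure user=" + clean(req.getUserPrincipal().getName())
                    + " uri=" + clean(req.getRequestURI()));
            res.sendError(hideForbidden ? HttpServletResponse.SC_NOT_FOUND
                                        : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // Replace control characters so request data cannot forge extra log lines.
    private static String clean(String s) {
        return s == null ? "" : s.replaceAll("\\p{Cntrl}", "_");
    }
}
```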



re: Question on warning message from catalina log file

2015-06-29 Thread minh tran
Hello, I tried to deploy the myproj war file to the tomcat production server and I got 
this message from the catalina log file saying: WARNING: A myproj docBase 
inside the host appBase has been specified, and will be ignored. I don't know 
what it means, but one thing I know is that myproj did not get deployed, since my 
logfile did not change. I'd be very appreciative if you could 
shed some light on this and tell me what I might have missed in order 
to have a proper deploy.
Thanks so much,
Tom

Re: Question on warning message from catalina log file

2015-06-29 Thread André Warnier

minh tran wrote:

Hello, I tried to deploy the myproj war file to the tomcat production server and I got this 
message from the catalina log file saying: WARNING: A myproj docBase inside the 
host appBase has been specified, and will be ignored. I don't know what it means, but 
one thing I know is that myproj did not get deployed, since my logfile did not 
change. I'd be very appreciative if you could shed some light on this and 
tell me what I might have missed in order to have a proper deploy.
Thanks so much,
Tom


See : 
http://tomcat.apache.org/tomcat-8.0-doc/config/context.html#Common_Attributes
-- docBase

in the superb Tomcat on-line documentation.






why only 2 requests for async request can raise from a end-point?

2015-06-29 Thread 许明
Hi, 

I am trying to bench an async servlet on tomcat7 and tomcat8, and it now seems I can 
only start 2 requests from an end-point.


I made a simple tool that starts 100 requests at the same time, each request with its own 
session, and wrote a simple async servlet, which is pasted at the bottom of this 
mail.


This is the result:


06-29 16:28:52 622 INFO  (Test.java:35)- test serve 1
06-29 16:28:52 622 INFO  (Test.java:35)- test serve 2
06-29 16:29:02 633 DEBUG (Test.java:54)- timout and  print
06-29 16:29:02 637 DEBUG (Test.java:54)- timout and  print
06-29 16:29:02 642 INFO  (Test.java:35)- test serve 3
06-29 16:29:02 677 INFO  (Test.java:35)- test serve 4
06-29 16:29:12 647 DEBUG (Test.java:54)- timout and  print
06-29 16:29:12 650 INFO  (Test.java:35)- test serve 5
06-29 16:29:12 682 INFO  (Test.java:35)- test serve 6



I have tested this on tomcat7 and tomcat8 on Windows and Linux (Ubuntu), and tested 
it in a browser manually.


Best Regards


===
my Test servlet:
===


package com.botao.im;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

import javax.servlet.AsyncContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

/**
 * Servlet implementation class Test
 */
@WebServlet(asyncSupported = true, name = "test", urlPatterns = { "/test" })
public class Test extends HttpServlet {
    private static final long serialVersionUID = 1L;

    private static Logger logger = Logger.getLogger(Test.class);

    private static ScheduledExecutorService es =
            Executors.newSingleThreadScheduledExecutor();

    private static int counter = 0;

    protected void doGet(HttpServletRequest request, final HttpServletResponse response)
            throws ServletException, IOException {

        logger.info("test serve " + (++counter));
        final AsyncContext context = request.startAsync();

        context.start(new Runnable() {
            @Override
            public void run() {
                context.setTimeout(100);

                // write the response 10 seconds later from the scheduler thread
                es.schedule(new Runnable() {
                    @Override
                    public void run() {
                        response.setContentType("text/plain");
                        PrintWriter out;
                        try {
                            out = response.getWriter();
                            out.print("hello");
                            out.flush();
                            context.complete();
                            logger.debug("timout and  print");
                        } catch (IOException e) {
                        }
                    }
                }, 10, TimeUnit.SECONDS);
            }
        });
    }
}

Re: why is Tomcat 7 invoking WebSocket protocol?

2015-06-29 Thread Mark Thomas
On 29/06/2015 07:12, Ric Bernat wrote:
 
 We have a Jersey application running on Tomcat 7.0.62. In production,
 99.9% of our web service calls run quickly (e.g., 100ms), but there are
 about half a dozen web service calls per hour that take an extraordinary
 amount of time to complete: 30-120 seconds (not ms).
 
 We do not use WebSockets in our application. However, our profiling tool
 clearly shows that Tomcat is invoking the WebSocket protocol on the
 slow-running web service calls. In the stack trace below, see this line:
 
 org.apache.tomcat.websocket.server.WsFilter.doFilter (WsFilter.java:46)

That shows nothing of the sort. I suggest you take a look at the code in
question before jumping to invalid conclusions.

Mark


 
 How can we track down what is causing Tomcat to use the WebSocket
 protocol, given that our application code does not make any references
 to WebSocket annotations, etc.? Or is there a configuration option we
 can use to cause Tomcat to not use WebSockets?
 
 Thanks much.
 
  Stack trace
   org.glassfish.jersey.server.ApplicationHandler.handle
 (ApplicationHandler.java:13)
   org.glassfish.jersey.servlet.WebComponent.service
 (WebComponent.java:401)
   org.glassfish.jersey.servlet.ServletContainer.service
 (ServletContainer.java:386)
   org.glassfish.jersey.servlet.ServletContainer.service
 (ServletContainer.java:335)
   org.glassfish.jersey.servlet.ServletContainer.service
 (ServletContainer.java:222)
 ….catalina.core.ApplicationFilterChain.internalDoFilter
 (ApplicationFilterChain.java:303)
 …g.apache.catalina.core.ApplicationFilterChain.doFilter
 (ApplicationFilterChain.java:208)
org.apache.tomcat.websocket.server.WsFilter.doFilter (WsFilter.java:46)
 ….catalina.core.ApplicationFilterChain.internalDoFilter
 (ApplicationFilterChain.java:241)
 …g.apache.catalina.core.ApplicationFilterChain.doFilter
 (ApplicationFilterChain.java:208)
org.apache.catalina.core.StandardWrapperValve.invoke
 (StandardWrapperValve.java:220)
org.apache.catalina.core.StandardContextValve.invoke
 (StandardContextValve.java:122)
 …apache.catalina.authenticator.AuthenticatorBase.invoke
 (AuthenticatorBase.java:505)
   org.apache.catalina.core.StandardHostValve.invoke
 (StandardHostValve.java:170)
  org.apache.catalina.valves.ErrorReportValve.invoke
 (ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke
 (AccessLogValve.java:957)
 org.apache.catalina.core.StandardEngineValve.invoke
 (StandardEngineValve.java:116)
 org.apache.catalina.connector.CoyoteAdapter.service
 (CoyoteAdapter.java:423)
 …g.apache.coyote.http11.AbstractHttp11Processor.process
 (AbstractHttp11Processor.java:1079)
 …ote.AbstractProtocol$AbstractConnectionHandler.process
 (AbstractProtocol.java:620)
 …ache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
 (NioEndpoint.java:1747)
 …apache.tomcat.util.net.NioEndpoint$SocketProcessor.run
 (NioEndpoint.java:1706)
   java.util.concurrent.ThreadPoolExecutor.runWorker
 (ThreadPoolExecutor.java:1145)
  java.util.concurrent.ThreadPoolExecutor$Worker.run
 (ThreadPoolExecutor.java:615)
 …he.tomcat.util.threads.TaskThread$WrappingRunnable.run
 (TaskThread.java:61)
java.lang.Thread.run (Thread.java:745)
 
 
 





why is Tomcat 7 invoking WebSocket protocol?

2015-06-29 Thread Ric Bernat


We have a Jersey application running on Tomcat 7.0.62. In production, 
99.9% of our web service calls run quickly (e.g., 100ms), but there are 
about half a dozen web service calls per hour that take an extraordinary 
amount of time to complete: 30-120 seconds (not ms).


We do not use WebSockets in our application. However, our profiling tool 
clearly shows that Tomcat is invoking the WebSocket protocol on the 
slow-running web service calls. In the stack trace below, see this line:


org.apache.tomcat.websocket.server.WsFilter.doFilter (WsFilter.java:46)

How can we track down what is causing Tomcat to use the WebSocket 
protocol, given that our application code does not make any references 
to WebSocket annotations, etc.? Or is there a configuration option we 
can use to cause Tomcat to not use WebSockets?


Thanks much.

 Stack trace
  org.glassfish.jersey.server.ApplicationHandler.handle 
(ApplicationHandler.java:13)
  org.glassfish.jersey.servlet.WebComponent.service 
(WebComponent.java:401)
  org.glassfish.jersey.servlet.ServletContainer.service 
(ServletContainer.java:386)
  org.glassfish.jersey.servlet.ServletContainer.service 
(ServletContainer.java:335)
  org.glassfish.jersey.servlet.ServletContainer.service 
(ServletContainer.java:222)
….catalina.core.ApplicationFilterChain.internalDoFilter 
(ApplicationFilterChain.java:303)
…g.apache.catalina.core.ApplicationFilterChain.doFilter 
(ApplicationFilterChain.java:208)

   org.apache.tomcat.websocket.server.WsFilter.doFilter (WsFilter.java:46)
….catalina.core.ApplicationFilterChain.internalDoFilter 
(ApplicationFilterChain.java:241)
…g.apache.catalina.core.ApplicationFilterChain.doFilter 
(ApplicationFilterChain.java:208)
   org.apache.catalina.core.StandardWrapperValve.invoke 
(StandardWrapperValve.java:220)
   org.apache.catalina.core.StandardContextValve.invoke 
(StandardContextValve.java:122)
…apache.catalina.authenticator.AuthenticatorBase.invoke 
(AuthenticatorBase.java:505)
  org.apache.catalina.core.StandardHostValve.invoke 
(StandardHostValve.java:170)
 org.apache.catalina.valves.ErrorReportValve.invoke 
(ErrorReportValve.java:103)
   org.apache.catalina.valves.AccessLogValve.invoke 
(AccessLogValve.java:957)
org.apache.catalina.core.StandardEngineValve.invoke 
(StandardEngineValve.java:116)
org.apache.catalina.connector.CoyoteAdapter.service 
(CoyoteAdapter.java:423)
…g.apache.coyote.http11.AbstractHttp11Processor.process 
(AbstractHttp11Processor.java:1079)
…ote.AbstractProtocol$AbstractConnectionHandler.process 
(AbstractProtocol.java:620)
…ache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun 
(NioEndpoint.java:1747)
…apache.tomcat.util.net.NioEndpoint$SocketProcessor.run 
(NioEndpoint.java:1706)
  java.util.concurrent.ThreadPoolExecutor.runWorker 
(ThreadPoolExecutor.java:1145)
 java.util.concurrent.ThreadPoolExecutor$Worker.run 
(ThreadPoolExecutor.java:615)

…he.tomcat.util.threads.TaskThread$WrappingRunnable.run (TaskThread.java:61)
   java.lang.Thread.run (Thread.java:745)





mod_jk load balancing method: Session vs Next

2015-06-29 Thread Yugo Nagata
Hi,

I'm reading the documentation about the load balancing method in mod_jk 
workers.properties. However, I don't understand why Next is better
than Session if the number of sessions is small. How does the count
reducing method affect the election of the best worker?

Could anyone explain the theory?

Regards,
Yugo Nagata

-- 
Yugo Nagata nag...@sraoss.co.jp
